Hackers Leverage Google Calendar APIs With Serverless MeetC2 Communication Framework

Cybersecurity researchers have identified a sophisticated command-and-control framework that exploits legitimate Google Calendar APIs to establish covert communication channels between attackers and compromised systems.
The MeetC2 framework, discovered in September 2025, represents an evolution in adversarial tactics where threat actors abuse trusted cloud services to bypass traditional security controls and evade detection mechanisms.
The framework operates by masquerading malicious traffic as routine business communications through Google’s widely-trusted domains, specifically “oauth2.googleapis.com” and “www.googleapis.com”.
This approach allows malicious activities to blend seamlessly with normal organizational traffic, making detection significantly more challenging for security teams.
The cross-platform compatibility across macOS and Linux systems further amplifies its potential impact on diverse enterprise environments.
Deriv Tech researchers noted that the framework’s design demonstrates a sophisticated understanding of modern security architectures and cloud service abuse techniques.
The proof-of-concept implementation highlights how easily adversaries can leverage legitimate SaaS platforms for malicious purposes, exploiting the inherent trust organizations place in major cloud providers.
The attack methodology centers around a polling-based communication system where compromised agents send GET requests every 30 seconds to specific Google Calendar API endpoints.
When operators need to issue commands, they create calendar events with embedded instructions in the summary field, formatted as “Meeting from nobody: [COMMAND]”.
The victim agent identifies these command events during its regular polling cycles, extracts the commands, executes them locally, and updates the same calendar event with the execution results, wrapped in [OUTPUT] [/OUTPUT] markers in the description field.
Technical Implementation and Evasion Mechanisms
The MeetC2 framework’s technical architecture reveals sophisticated evasion capabilities that exploit the ubiquity and trusted nature of Google services.
The authentication process utilizes standard OAuth2 flows, requiring attackers to create legitimate Google Cloud Console projects and service accounts with calendar access permissions.
This approach ensures all communications appear as authorized API interactions rather than suspicious network traffic.
The implementation requires minimal infrastructure of its own and operates entirely through Google’s existing Calendar API.
Operators authenticate through service accounts configured with “Make changes to events” permissions on shared calendars.
The polling mechanism employs a 30-second interval, striking a balance between operational responsiveness and avoiding excessive API requests that might trigger rate limiting or suspicious activity alerts.
Code execution occurs through command extraction from calendar event summaries, with results uploaded back to the same event’s description field.
This bidirectional communication model creates a complete command-and-control channel while maintaining the appearance of legitimate calendar synchronization activities.
The framework supports targeted command execution using host-specific syntax like “exec @host:command” or broadcast commands across multiple compromised systems simultaneously.
The persistence and stealth characteristics of MeetC2 make it particularly concerning for enterprise security teams, as the framework generates no suspicious network patterns and leverages services that organizations explicitly whitelist for business operations.
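The fixed 30-second polling cadence and the event markers described above are the traits a defender can hunt for. The following detection sketch is an added example, not code from MeetC2 or from the researchers; the log tuple layout, hostnames, process names, event ids and thresholds are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

CAL_HOST = "www.googleapis.com"      # domain named in the article
CAL_PREFIX = "/calendar/v3/"         # public Calendar API v3 path prefix
SUMMARY_RE = re.compile(r"^Meeting from nobody:\s*\S")
OUTPUT_RE = re.compile(r"\[OUTPUT\].*?\[/OUTPUT\]", re.S)

def find_pollers(records, interval=30.0, tolerance=3.0, max_jitter=2.0, min_hits=5):
    """Return (host, process) pairs whose Calendar API GETs recur every ~interval s."""
    seen = defaultdict(list)
    for ts, host, proc, method, dest, path in records:
        if method == "GET" and dest == CAL_HOST and path.startswith(CAL_PREFIX):
            seen[(host, proc)].append(ts)
    flagged = []
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Steady cadence: mean gap near the interval and low spread between gaps
        if abs(mean(gaps) - interval) <= tolerance and pstdev(gaps) <= max_jitter:
            flagged.append(key)
    return sorted(flagged)

def suspicious_events(events):
    """Return ids of events whose summary or description carries the markers."""
    return [e["id"] for e in events
            if SUMMARY_RE.match(e.get("summary", ""))
            or OUTPUT_RE.search(e.get("description", ""))]

# Constructed sample data: hostnames, process names and event ids are made up.
PATH = "/calendar/v3/calendars/primary/events"
PROXY_LOG = (
    [(1000 + 30 * i + (i % 2), "build-01", "updaterd", "GET", CAL_HOST, PATH)
     for i in range(8)]
    + [(t, "laptop-7", "chrome", "GET", CAL_HOST, PATH)
       for t in (1003, 1011, 1190, 1204, 1710, 1722)]
)
EVENTS = [
    {"id": "evt-1", "summary": "Weekly sync", "description": "Agenda attached"},
    {"id": "evt-2", "summary": "Meeting from nobody: <command>", "description": ""},
    {"id": "evt-3", "summary": "Team lunch", "description": "[OUTPUT]<result>[/OUTPUT]"},
]

if __name__ == "__main__":
    print(find_pollers(PROXY_LOG))
    print(suspicious_events(EVENTS))
```

The periodicity check needs process-level attribution (EDR or a proxy that records the client process) to separate a non-browser poller from ordinary calendar clients; the marker check applies to calendar audit exports for calendars shared with unfamiliar service accounts.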