Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.
The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
"The script creates a 'Covert Channel' by exploiting the event
As many as 85 command-and-control (C2) servers have been discovered supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022.
That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
ShadowPad, seen as a successor toΒ PlugX, is a modular
A nascent service called Dark Utilities has already attracted 3,000 users for its ability to provide command-and-control (C2) services with the goal of commandeering compromised systems.
"It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems," Cisco Talos said in a report shared