{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/c2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["China-nexus actor"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["google-calendar","c2","china-nexus"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA China-nexus threat actor has been observed leveraging Google Calendar as a novel command and control (C2) mechanism. This campaign, observed starting in 2025, uses calendar entries to relay commands to compromised hosts. The use of Google Calendar allows the attacker to blend in with legitimate network traffic, evade traditional C2 detection methods, and maintain persistence. The stealthy nature of this approach makes it difficult to detect and attribute. This technique is particularly concerning because it leverages a common and trusted service, making it harder to differentiate between legitimate and malicious activity. The scope of targeting is currently unknown, but the use of advanced C2 infrastructure suggests a sophisticated and potentially widespread campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise occurs through an unknown vector, potentially exploiting vulnerabilities or using social engineering.\u003c/li\u003e\n\u003cli\u003eA lightweight agent is installed on the target system. This agent is responsible for interacting with the Google Calendar API.\u003c/li\u003e\n\u003cli\u003eThe agent authenticates to a pre-configured Google account controlled by the attacker using stolen or pre-configured credentials.\u003c/li\u003e\n\u003cli\u003eThe agent periodically polls the Google Calendar API for new calendar events.\u003c/li\u003e\n\u003cli\u003eThe attacker creates calendar events containing base64-encoded commands.\u003c/li\u003e\n\u003cli\u003eThe agent retrieves the calendar event, decodes the command, and executes it on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe agent transmits the results of the executed command back to the attacker, potentially through another Google service or a separate channel.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions, such as lateral movement, data exfiltration, or deployment of additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems could be leveraged for a variety of malicious activities, including data theft, espionage, and disruption of services. The use of Google Calendar as a C2 channel makes attribution challenging and allows the attacker to maintain a persistent presence on the compromised network. Successful attacks could lead to significant financial losses, reputational damage, and loss of sensitive information. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor API calls to \u003ccode\u003egoogleapis.com\u003c/code\u003e for unusual patterns or unauthorized access attempts, specifically looking for calendar event modifications from unusual user agents (reference: Attack Chain step 4).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect processes making modifications to Google Calendar.\u003c/li\u003e\n\u003cli\u003eEnable and review Google Workspace audit logs for suspicious calendar activity, including event creation and modification from unexpected locations or accounts (reference: Attack Chain step 5).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T00:00:00Z","date_published":"2026-03-21T00:00:00Z","id":"/briefs/2026-03-calendar-c2/","summary":"A China-nexus threat actor is utilizing Google Calendar as a command and control (C2) infrastructure to conduct stealthy operations.","title":"China-Nexus Campaign Using Google Calendar as C2","url":"https://feed.craftedsignal.io/briefs/2026-03-calendar-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["botnet","iran","C2"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA blog post on hunt.io details an Iranian botnet operation discovered through an open directory. The operation involves a 15-node relay network, suggesting a focus on obfuscation and resilience. The existence of an active Command and Control (C2) infrastructure indicates ongoing malicious activity. The exposure of these details allows defenders to gain insights into the botnet\u0026rsquo;s architecture and potentially disrupt its operations. While the specific targeting and malware used remain unclear from this report, the network structure points to a potentially sophisticated actor capable of conducting sustained campaigns. Understanding the C2 communication patterns and relay node infrastructure is crucial for effective defense.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Systems are compromised through an unknown initial access vector.\u003c/li\u003e\n\u003cli\u003eBot Installation: A bot payload is installed on the compromised systems.\u003c/li\u003e\n\u003cli\u003eC2 Communication: The bots establish communication with the C2 server to receive commands.\u003c/li\u003e\n\u003cli\u003eRelay Network Activation: Bots connect to one another, creating the 15-node relay network.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The C2 server issues commands to the bots through the relay network.\u003c/li\u003e\n\u003cli\u003eMalicious Activity: Bots execute malicious commands; the specific actions are currently unknown.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this botnet is currently unknown due to limited information, but botnets are commonly used for DDoS attacks, spam campaigns, or credential stuffing. If the botnet successfully conducts its objectives, it could lead to service disruptions, data breaches, or further compromise of systems within targeted networks. The Iranian origin suggests potential geopolitical motivations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to the domain \u003ccode\u003ehunt.io\u003c/code\u003e as it is related to the botnet operation ([IOC: hunt.io]).\u003c/li\u003e\n\u003cli\u003eImplement a network connection rule to detect unusual network connections that could indicate the C2 activity or relay network behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any systems that show signs of unusual network activity or communication with external domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T19:15:28Z","date_published":"2026-03-17T19:15:28Z","id":"/briefs/2024-01-iranian-botnet/","summary":"An Iranian botnet operation utilizing a 15-node relay network and active C2 infrastructure was exposed through an open directory.","title":"Iranian Botnet Operation Exposed via Open Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-iranian-botnet/"}],"language":"en","title":"CraftedSignal Threat Feed — C2","version":"https://jsonfeed.org/version/1.1"}