Hackers exploit Google's Red team tool to steal data from Taiwanese media and Italian job search firms. Learn how this command and control tool was exploited for data theft…

Continue reading
APT41, a state-sponsored hacking group from China, has recently been discovered leveraging Google Command and Control (GC2) to carry out data theft attacks against a job search company in Italy and Taiwanese media. Google's Threat Analysis Group (TAG) has recently disclosed in their April 2023 Threat Horizons Report that APT41 has been exploiting the GC2 red teaming tool in its attacks. Open-source Go project GC2 created for red teaming activities. A new project has been discovered involving an agent that is deployed on compromised devices. The agent connects back to a Google Sheets URL to receive commands to execute. Deployed agents execute commands to download and install payloads from Google Drive or exfiltrate stolen data to cloud storage services. This Threatfeed will delve deeper into the attack's specifics and APT41's utilization of GC2 to carry out the attacks.
According to Google's report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent through phishing emails. _"In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive,"_ explained the Google Threat Horizons report. _"The payload was an open-source red teaming tool called 'Google Command and Control' (GC2)."_
Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022. Using the agent, Google says that the threat actors attempted to deploy additional payloads on the device and exfiltrate data to Google Drive. GC2 Red Teaming Tool
GC2, also known as Google Command and Control, is an open-source project in Go designed for red teaming activities. _"This program has been developed in order to provide a command and control that does not require any particular setup (like a custom domain, VPS, CDN, ...) during Red Teaming activities,"_ reads the project's GitHub repository. _"Furthermore, the program will interact only with Google's domains (*.google.com) to make detection more difficult."_
The project consists of an agent deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute. These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.
APT41, also known as HOODOO, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.
The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks. In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks, data theft, and breaches against countries worldwide.
APT41's use of GC2 indicates a trend of threat actors moving to legitimate red teaming tools and remote monitoring and management (RMM) platforms as part of their attacks. While the use of Cobalt Strike in attacks has been widespread for years, it has also led to significant investments into detecting it in attacks, making it more easily spotted by defenders. Due to the increased scrutiny and detection of Cobalt Strike in attacks, threat actors have started to shift to other legitimate red teaming tools, such as Brute Ratel and Silver, to evade detection during their attacks.
Additionally, ransomware gangs have begun abusing legitimate remote monitoring and management (RMM) tools, such as Action1, for persistence on compromised networks and to execute commands, scripts, and binaries. This highlights the unfortunate reality that any tool that can help red teamers conduct exercises or admins manage a network remotely can also be abused by threat actors in their own attacks.

55+ football scam campaigns exploit FIFA World Cup 2026 hype on Meta platforms, pushing fake merchandise, phishing, and IPTV fraud.