Experts at Google’s Threat Analysis Group have warned that the Chinese government-backed hacking group APT41 is exploiting the open-source Google Command and Control (GC2) tool for malicious purposes. According to the TAG, the tool was used in attacks on Taiwanese media and an Italian recruitment company.
The Google TAG has linked the campaign to the hacker group HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda and Winnti. This group typically targets a wide range of industries in the US, Asia, and Europe.
Google Command and Control is a Go-based open-source project designed for use by red teams. It provides command and control without requiring any dedicated infrastructure, such as a custom domain, VPS, or CDN. In addition, the program only interacts with Google domains (*.google.com), so its traffic blends in with legitimate Google usage and is harder to detect.
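Because GC2 talks only to Google domains, domain blocklists do not help; what remains distinctive is the agent's steady polling rhythm. The following detection sketch is an added example, not code from the TAG report or from GC2, and it assumes a constructed three-field proxy log ("timestamp src_ip dest_host") and arbitrary thresholds: it flags client/host pairs whose request intervals are too regular to be human browsing.

```go
package main
import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)
// Constructed sample proxy log (not from the report): "timestamp src_ip dest_host".
// 10.0.0.5 polls a Google host every ~60 s; 10.0.0.7 is ordinary, bursty browsing.
const sampleLog = `2023-04-10T09:00:00Z 10.0.0.5 docs.google.com
2023-04-10T09:01:00Z 10.0.0.5 docs.google.com
2023-04-10T09:02:01Z 10.0.0.5 docs.google.com
2023-04-10T09:03:00Z 10.0.0.5 docs.google.com
2023-04-10T09:00:12Z 10.0.0.7 www.google.com
2023-04-10T09:07:45Z 10.0.0.7 www.google.com
2023-04-10T09:08:03Z 10.0.0.7 www.google.com
2023-04-10T09:31:20Z 10.0.0.7 www.google.com`
// BeaconCandidates groups requests by "src -> host" and reports pairs with at least minReq
// requests whose gaps are regular (stddev/mean <= maxCV), the signature of steady C2 polling.
func BeaconCandidates(logText string, minReq int, maxCV float64) []string {
	times := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
				k := f[1] + " -> " + f[2]
				times[k] = append(times[k], ts)
			}
		}
	}
	var hits []string
	for k, ts := range times {
		if len(ts) < minReq {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		n := float64(len(ts) - 1)                      // number of gaps
		mean := ts[len(ts)-1].Sub(ts[0]).Seconds() / n // sum of gaps = last - first
		var sq float64
		for i := 1; i < len(ts); i++ {
			sq += math.Pow(ts[i].Sub(ts[i-1]).Seconds()-mean, 2)
		}
		if cv := math.Sqrt(sq/n) / mean; cv <= maxCV { // mean 0 gives NaN: never flagged
			hits = append(hits, fmt.Sprintf("%s (n=%d, period=%.0fs, cv=%.2f)", k, len(ts), mean, cv))
		}
	}
	sort.Strings(hits)
	return hits
}
```

Tune minReq and maxCV to the environment; a real agent may add jitter, so pair this with checks on process name, user agent and request volume rather than relying on periodicity alone.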
The TAG report states that APT41 attacks begin with phishing emails containing links to a password-protected file hosted on Google Drive. This file contains the GC2 agent, which runs on the victim's system and takes commands from the attackers through Google services.
It is not known what additional malware was distributed with GC2 in this case, but APT41 typically deploys a wide range of malware on compromised systems. For example, a 2019 report by Mandiant revealed that attackers use rootkits, bootkits, custom malware, backdoors, PoS malware, and in some cases even ransomware.
The researchers noted two important aspects of this discovery: first, it shows that Chinese hackers are increasingly relying on freely available and open-source tools to make attacks more difficult to attribute. Second, it points to the growing popularity of Go-based malware and tools among attackers due to its cross-platform and modular nature.
Google also warned that the “undeniable importance of cloud services” has made them a lucrative target for both government hackers and ordinary cybercriminals, who are increasingly using them “either as hosts for malware or as C2 infrastructure”.