
Basically, what they're doing is that they are querying from the RAT. We have the RAT, where the server with the RAT is, and then the evil is the threat actor's C2. So, it's questions like, "Do you have any new draft for me?" And it says, "No." And it keeps polling like that, checking for a new draft. And when the threat actor wants to communicate with the RAT, it creates a new draft. And I mean, this is a bit simplified, but just so you understand the concept. So, it creates a new draft with, like, "exec uname -a", which is a command they want to run. And then the RAT gets that command. It executes the command and then it adds an attachment to that draft, which is the output of the command. And then it checks for attachments, obviously, on the other side of things. And it gets the draft; when it reads it, it deletes it, and so on.

So, then you have, like, a channel where you tunnel everything through Gmail. And if you're just looking at network traffic, it's going to be kind of hard to see this, right? Especially if you're this company that we're talking about, who's actually using Google Cloud, which we'll get into. There are a lot of services that are talking to Google Cloud all over the place, right? And I think that's when we see this being used by a sophisticated actor: they look at what services this company is using. If they're using Slack and they have Slack integrations for pretty much everything, then why not use Slack as a C2? It's going to be really, really hard to find that in the midst of all that traffic. So, it's really hard to see it network-wise. On the other side, we're obviously completely blind. So, we cannot see anything, because it's just a threat actor accessing Gmail on their end, right? So, is this the perfect C2 that is, like, the C2 to rule them all?
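The speaker's point is that draft polling blends into the rest of a company's Google traffic, so content and destination alone are weak signals. One signal that does survive is timing: a RAT that polls for a new draft does so at a near-constant interval, while a person using Gmail in a browser does not. The following is an added example, not code from the talk or from any tool it mentions: a small beacon-interval check run over constructed proxy log lines. The log format (`<ISO timestamp> <source ip> <host> <path>`), the IP addresses and the hostnames are all assumptions made for the example; swap in your own proxy export and field order.

```python
"""Beacon-interval check over proxy logs (added example, constructed data).

Groups requests by (source IP, destination host), measures the gaps between
consecutive requests, and flags pairs whose gaps are both frequent enough and
too regular to be human. Regularity is measured as the coefficient of
variation (stddev / mean) of the inter-request gaps.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format is an assumption for this example:
#   <ISO timestamp> <source ip> <host> <path>
# 10.0.0.7 polls the drafts endpoint roughly every 60 s (machine-like).
# 10.0.0.5 is a person reading mail in a browser (irregular gaps).
# 10.0.0.9 polls regularly but only three times (too few events to judge).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:00:00 10.0.0.5 mail.google.com /mail/u/0/
2024-05-01T09:00:04 10.0.0.5 mail.google.com /mail/u/0/inbox
2024-05-01T09:00:35 10.0.0.5 mail.google.com /mail/u/0/msg1
2024-05-01T09:01:01 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:02:00 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:03:02 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:03:10 10.0.0.5 mail.google.com /mail/u/0/inbox
2024-05-01T09:03:12 10.0.0.5 mail.google.com /mail/u/0/msg2
2024-05-01T09:03:59 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:04:00 10.0.0.9 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:05:00 10.0.0.9 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:05:01 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:06:00 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:06:00 10.0.0.9 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:07:01 10.0.0.7 gmail.googleapis.com /gmail/v1/users/me/drafts
2024-05-01T09:10:40 10.0.0.5 mail.google.com /mail/u/0/inbox
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, host, path)."""
    ts, src, host, path = line.split()
    return datetime.fromisoformat(ts), src, host, path


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Return {(src_ip, host): stats} for pairs that look like regular polling.

    min_events: ignore pairs with fewer requests (too little data to judge).
    max_cv:     flag only when stddev(gaps) / mean(gaps) is at or below this.
    """
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, path = parse_line(line)
        by_pair[(src, host)].append((ts, path))

    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            top_path = Counter(p for _, p in events).most_common(1)[0][0]
            flagged[pair] = {
                "count": len(events),
                "mean_interval": avg,
                "cv": cv,
                "top_path": top_path,
            }
    return flagged


if __name__ == "__main__":
    for (src, host), stats in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {host}: {stats['count']} requests, "
              f"~{stats['mean_interval']:.0f}s apart, cv={stats['cv']:.3f}, "
              f"mostly {stats['top_path']}")
```

On the sample data only 10.0.0.7 is flagged: its gaps are all within a few seconds of 60, while the browser session's gaps range from 2 to 450 seconds. The thresholds are starting points; real proxies see legitimate schedulers too (mail sync clients, monitoring agents), so treat a hit as a lead to correlate with the host's process list and the account the requests authenticated as, not as a verdict. A RAT that jitters its sleep will push the cv up, which is why the check pairs with destination- and path-based context rather than replacing it.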