APT41 - Google Sheets as C2
ID: 7268f67e-ca6f-53e8-a6c0-f927cb1f91dc
STIX ID: report--7268f67e-ca6f-53e8-a6c0-f927cb1f91dc
Feed Name: IntelInsights (Substack)
The report highlights GC2, a command-and-control tool that uses Google Sheets and Google Drive (or Microsoft SharePoint) for tasking and exfiltration, and summarizes Google TAG's findings on APT41 using GC2 against a Taiwanese media organization. The attack began with a phishing email leading to a password-protected Google Drive payload; once running, GC2 retrieved commands from Google Sheets, exfiltrated data via Google Drive, and downloaded additional files. The report underscores the growing use of publicly available tools and cross-platform Go-based malware to blend malicious traffic with legitimate cloud-service traffic.
