Google Command and Control exploited in APT41 attacks

BleepingComputer reports that Chinese state-sponsored threat operation APT41, also known as HOODOO, Winnti, and Barium, has targeted an Italian job-search website and a Taiwanese media firm in data exfiltration attacks involving the exploitation of the Google Command and Control red-teaming program. Attacks using GC2 against the Italian job search entity were launched by APT41 last July, with the agent leveraged to facilitate further payload delivery and data exfiltration to Google Drive, according to the Google Threat Horizons report. Meanwhile, the Taiwanese media organization was subjected to phishing emails with links redirecting to the GC2 payload in October but such a campaign has been thwarted by Google's Threat Analysis Group. The findings represent the continuing transition of threat actors toward legitimate red-teaming tools and remote monitoring and management software in their attacks. With malicious Cobalt Strike usage more easily detected, attackers have since moved to use the Sliver and Brute Ratel red teaming tools, as well as the Action1 RMM tool.