Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages: Coffin-Codes-Pro Coffin-Codes-NET2 Coffin-Codes-NET Coffin-Codes-2022 Coffin2022 Coffin-Grave cfc-bsb use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic. These packages have since been removed from the Python Package Index (PyPI).
