Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).
“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.
“This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.”
REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider.
The exact initial access vector used to deliver NANOREMOTE is currently not known. However, the observed attack chain includes a loader named WMLOADER that mimics a Bitdefender’s crash handling component (“BDReinit.exe”) and decrypts shellcode responsible for launching the backdoor.
Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It’s also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to process requests sent by the operator and send the response back.
“These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said. “The URI for all requests use /api/client with User-Agent (NanoRemote/1.0).”
Its primary functionality is realized through a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.
Elastic said it identified an artifact (“wmsetup.log“) uploaded to VirusTotal from the Philippines on October 3, 2025, that’s capable of being decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
