NANOREMOTE malware uses Google Drive API for hidden controls on Windows systems

By Ravi Lakshmanan, December 11, 2025 | Cyber Espionage / Windows Security

Cybersecurity researchers have revealed details of a new full-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command and control (C2) purposes.

According to a report by Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (also known as Squidoor) that uses the Microsoft Graph API for C2. FINALDRAFT is believed to originate from the threat cluster known as REF7707 (also known as CL-STA-0049, Earth Alux, and Jewelbug).

“One of the main features of this malware focuses on using the Google Drive API to exchange data from the victim’s endpoint,” said Daniel Stepanic, principal security researcher at Elastic Security Labs.

“This functionality ultimately provides a channel for hard-to-detect data theft and payload staging. The malware includes a task management system used for file transfer functions such as queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.”

According to Palo Alto Networks Division 42, REF7707 is believed to be a suspected China-nexus activity cluster that has targeted the government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America since at least March 2023. In October 2025, Symantec, a Broadcom company, attributed a five-month intrusion targeting Russian IT service providers to the same group.

The exact initial access vector used to deliver NANOREMOTE is currently unknown. However, the observed attack chain includes a loader named WMLOADER that mimics Bitdefender’s crash handling component (‘BDReinit.exe’) and decrypts the shellcode responsible for launching the backdoor.

Written in C++, NANOREMOTE uses the Google Drive API to perform reconnaissance, execute files and commands, and transfer files to and from the victim environment. It is also preconfigured to communicate over HTTP with a hard-coded, non-routable IP address, processing requests sent by the operators and returning responses.

“These requests occur over HTTP, and the JSON data is Zlib compressed and sent through a POST request encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said. “The URI for all requests uses /api/client with User-Agent (NanoRemote/1.0).”

Its main functionality is achieved through a set of 22 command handlers that allow it to collect host information, perform file and directory operations, run portable executable (PE) files already present on disk, clear the cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.
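The HTTP indicators quoted above (the `/api/client` URI, the `NanoRemote/1.0` User-Agent, and POST traffic to a non-routable address) are the kind of thing a defender can check in proxy or web-filter logs. The following is an added example, not code from Elastic or the original article: it parses a few constructed proxy log lines in an assumed format (timestamp, source IP, destination IP, method, URI, quoted User-Agent) and flags lines that match the published indicators, treating a non-routable destination as corroboration only when a NANOREMOTE-specific indicator also matches, since POSTs to internal addresses are normal intranet traffic on their own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample proxy log lines for this example. The layout (timestamp,
# source IP, destination IP, method, URI, quoted User-Agent) is an assumption,
# not any real product's log format.
SAMPLE_LOG = """\
2025-12-11T10:00:01Z 10.0.0.5 8.8.8.8 GET /drive/v3/files "Mozilla/5.0"
2025-12-11T10:00:02Z 10.0.0.5 192.168.13.37 POST /api/client "NanoRemote/1.0"
2025-12-11T10:00:03Z 10.0.0.5 10.9.9.9 POST /api/client "Mozilla/5.0"
2025-12-11T10:00:04Z 10.0.0.5 8.8.8.8 POST /update "NanoRemote/1.0"
2025-12-11T10:00:05Z 10.0.0.5 10.9.9.9 POST /intranet/api "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) "(?P<ua>[^"]*)"$'
)

# Indicators as quoted from the Elastic report in the article above.
NANOREMOTE_URI = "/api/client"
NANOREMOTE_UA = "NanoRemote/1.0"


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields; raise on lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def is_non_routable(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (IPv4 or IPv6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def match_reasons(rec: Dict[str, str]) -> List[str]:
    """Return the list of indicators a parsed record matches (empty if none)."""
    reasons: List[str] = []
    # Compare the path only, ignoring any query string.
    if rec["uri"].split("?", 1)[0] == NANOREMOTE_URI:
        reasons.append("uri:/api/client")
    if rec["ua"].startswith(NANOREMOTE_UA):
        reasons.append("ua:NanoRemote/1.0")
    # A POST to a non-routable address is only corroborating evidence: it is
    # recorded when one of the malware-specific indicators has already hit.
    if reasons and rec["method"] == "POST" and is_non_routable(rec["dst"]):
        reasons.append("post-to-non-routable-ip")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Scan a block of log text and return the records that matched."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = match_reasons(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "dst": rec["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], ", ".join(hit["reasons"]))
```

Run against the constructed sample, three of the five lines are reported: the full match (URI, User-Agent and private destination), a URI-only match to a private address, and a User-Agent-only match to a public address; the plain intranet POST on the last line is not flagged. In a real deployment the same logic would be pointed at exported proxy logs, and a User-Agent match alone is worth a closer look because the string is hard-coded in the implant.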

Elastic said it has identified an artifact (“wmsetup.log”) that was uploaded to VirusTotal from the Philippines on October 3, 2025. WMLOADER can decrypt this artifact with the same 16-byte key to reveal the FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It is not clear why the same hard-coded key is used by both.

“Our hypothesis is that WMLOADER is part of the same build/development process that allows it to work with different payloads, so it uses the same hard-coded keys,” Stepanic said. “This appears to be another strong signal that a codebase and development environment is being shared between FINALDRAFT and NANOREMOTE.”
