NANOREMOTE Malware Abuses Google Drive API for Stealthy Control of Windows Systems

Cybersecurity researchers have revealed a sophisticated Windows backdoor called NANOREMOTE that leverages the Google Drive API for command-and-control (C2) operations. Elastic Security Labs reported that the malware shows code similarities with FINALDRAFT (aka Squidoor), another implant using Microsoft Graph API for C2, attributed to the suspected Chinese threat cluster REF7707 (also known as CL-STA-0049, Earth Alux, and Jewelbug).


According to Daniel Stepanic, principal researcher at Elastic Security Labs, NANOREMOTE's core functionality is its ability to exchange data with a victim system through Google Drive, giving the operator a channel for both data exfiltration and payload delivery that blends into legitimate cloud traffic. The malware also implements a task management system for queueing, pausing, resuming, and cancelling file transfers, and for generating refresh tokens so the Google Drive session stays valid.

REF7707 has reportedly targeted governments, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America since March 2023. In October 2025, Symantec confirmed that the group had conducted a five-month-long intrusion against a Russian IT service provider.

The initial access vector for NANOREMOTE remains unclear, though the attack chain includes a loader called WMLOADER, which mimics Bitdefender’s crash handler (BDReinit.exe) and decrypts shellcode to launch the backdoor.

Written in C++, NANOREMOTE performs host reconnaissance, executes files and commands, and transfers files to and from the victim system using the Google Drive API. It is also configured to communicate over plain HTTP with a hard-coded, non-routable IP address to process requests from the operator. Every request is sent to the /api/client path as AES-CBC encrypted, Zlib-compressed JSON, with the User-Agent string "NanoRemote/1.0".
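The operator-facing HTTP channel described above leaves three observable network indicators: the User-Agent string, the request path, and plain HTTP to a non-routable destination. The following hunting script is an added example and not code from the Elastic Security Labs report; it turns those indicators into a rule and runs it over a few constructed proxy-log lines. The log format (tab-separated timestamp, client, destination IP, method, URL, User-Agent) is an assumption made for the example, as is the scoring policy that the User-Agent alone, or any two indicators together, is enough to raise an alert.

```python
"""Hunt for NANOREMOTE-style operator C2 beacons in HTTP proxy logs.

Added example (not the report's code). Indicators taken from the write-up:
  - User-Agent "NanoRemote/1.0"
  - request path /api/client
  - plain HTTP to a hard-coded, non-routable IP address
Log format and alerting policy below are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

UA_INDICATOR = "NanoRemote/1.0"
PATH_INDICATOR = "/api/client"


@dataclass
class HttpEvent:
    ts: str
    client: str
    dest_ip: str
    method: str
    url: str
    user_agent: str


def parse_line(line: str) -> HttpEvent:
    """Parse one tab-separated proxy-log line (assumed format, see module doc)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    return HttpEvent(*fields)


def is_non_routable(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and other non-globally-routable addresses."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return False  # not an IP literal (e.g. a hostname); treat as routable


def score(ev: HttpEvent) -> list[str]:
    """Return the names of the indicators this event matches (empty list = nothing matched)."""
    hits: list[str] = []
    if ev.user_agent == UA_INDICATOR:
        hits.append("user_agent")
    parts = urlsplit(ev.url)
    if parts.path == PATH_INDICATOR:
        hits.append("path")
    if parts.scheme == "http" and is_non_routable(ev.dest_ip):
        hits.append("http_to_non_routable")
    return hits


def is_alert(hits: list[str]) -> bool:
    """Assumed policy: the User-Agent is specific enough on its own; the other two
    indicators are common in real networks and only fire when they co-occur."""
    return "user_agent" in hits or len(hits) >= 2


def hunt(lines: list[str]) -> list[tuple[HttpEvent, list[str]]]:
    """Return (event, matched_indicators) for every line that should be alerted on."""
    results = []
    for line in lines:
        ev = parse_line(line)
        hits = score(ev)
        if is_alert(hits):
            results.append((ev, hits))
    return results


# Constructed sample log (not real telemetry): a beacon, an internal app that
# happens to use /api/client, benign Google Drive API traffic, and a UA-only hit.
SAMPLE_LOG = ["\t".join(f) for f in [
    ("2025-10-03T09:12:01Z", "10.0.0.5", "192.168.1.20", "POST",
     "http://192.168.1.20/api/client", "NanoRemote/1.0"),
    ("2025-10-03T09:12:05Z", "10.0.0.7", "10.10.10.10", "GET",
     "http://10.10.10.10/api/client", "Mozilla/5.0"),
    ("2025-10-03T09:12:09Z", "10.0.0.8", "142.250.80.46", "GET",
     "https://www.googleapis.com/drive/v3/files", "Mozilla/5.0"),
    ("2025-10-03T09:12:14Z", "10.0.0.9", "93.184.216.34", "POST",
     "http://93.184.216.34/update", "NanoRemote/1.0"),
]]

if __name__ == "__main__":
    for ev, hits in hunt(SAMPLE_LOG):
        print(f"{ev.ts} {ev.client} -> {ev.dest_ip} {ev.method} {ev.url}  matched={hits}")
```

Note what the third sample line shows: the Google Drive API traffic that carries the actual exfiltration and payload delivery trips none of these indicators, because it is HTTPS to a legitimate Google endpoint. This rule only catches the operator-side HTTP channel; hunting the Drive channel needs process-level context (which binaries on which hosts are talking to googleapis.com) rather than proxy fields alone.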

The malware operates using 22 command handlers, enabling it to:

  • Collect host system information
  • Perform file and directory operations
  • Execute portable executable (PE) files present on disk
  • Clear system caches
  • Upload/download files to Google Drive
  • Pause, resume, or cancel ongoing file transfers
  • Self-terminate

Elastic Security Labs also identified an artifact named wmsetup.log, uploaded from the Philippines on October 3, 2025, that WMLOADER can decrypt using the same 16-byte AES key as FINALDRAFT. Reuse of the key across payloads suggests both malware families share a common development environment and codebase; Stepanic notes that it points to a unified build process.

By pairing a cloud-service C2 channel with granular file-transfer management, NANOREMOTE blends into legitimate Google Drive traffic, which makes it hard to spot and a serious threat to the sensitive environments REF7707 targets.
