Unveiling NANOREMOTE: The Stealthy Malware Exploiting Google Drive for Covert Control
Cybersecurity experts have recently uncovered a sophisticated Windows backdoor named NANOREMOTE, which leverages the Google Drive API to establish covert command-and-control (C2) channels. This discovery highlights the evolving tactics of cyber adversaries who exploit legitimate cloud services to mask their malicious activities.
Elastic Security Labs’ analysis reveals that NANOREMOTE shares code similarities with another malware known as FINALDRAFT (also referred to as Squidoor). FINALDRAFT utilizes the Microsoft Graph API for its C2 operations and is linked to a threat group identified as REF7707. This group, also known by aliases such as CL-STA-0049, Earth Alux, and Jewelbug, has been active since at least March 2023, targeting sectors including government, defense, telecommunications, education, and aviation across Southeast Asia and South America.
Daniel Stepanic, a principal security researcher at Elastic Security Labs, emphasized the malware’s innovative use of the Google Drive API:
One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API. This feature ends up providing a channel for data theft and payload staging that is difficult for detection.
NANOREMOTE’s capabilities are extensive. It can perform reconnaissance, execute files and commands, and transfer files to and from compromised systems via the Google Drive API. The malware includes a task management system that supports queuing download/upload tasks, pausing or resuming file transfers, canceling file transfers, and generating refresh tokens.
The exact method by which NANOREMOTE infiltrates systems remains unclear. However, the attack sequence involves a loader named WMLOADER, which masquerades as Bitdefender’s crash handling component (BDReinit.exe). This loader decrypts shellcode responsible for initiating the backdoor.
Written in C++, NANOREMOTE is preconfigured to communicate with a hard-coded, non-routable IP address over HTTP. It processes operator requests and sends responses back, utilizing HTTP POST requests with JSON data that are Zlib compressed and encrypted using AES-CBC with a 16-byte key. The URI for all requests is /api/client, and the User-Agent string is NanoRemote/1.0.
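The wire-level indicators above (POST requests to /api/client, the NanoRemote/1.0 User-Agent, plain HTTP to a non-routable address) are the kind of thing a defender can check for in web-proxy telemetry. The following is an added detection example written for this page, not code from Elastic Security Labs or from the malware itself; the log layout, the constructed sample lines, the per-indicator weights and the threshold are all assumptions for illustration.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Wire-level indicators stated in the article for NANOREMOTE's HTTP C2.
NANOREMOTE_URI = "/api/client"
NANOREMOTE_UA = "NanoRemote/1.0"

# RFC 1918 and other non-routable ranges; a POST over plain HTTP to one of
# these matches the hard-coded, non-routable C2 address described above.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed proxy log lines for this example (not real telemetry). Layout:
# timestamp client_ip dest_ip method url user_agent. The layout is an
# assumption; adapt parse_line() to your proxy's actual format.
SAMPLE_LOG = """\
2025-10-03T10:00:01Z 10.1.2.3 203.0.113.10 GET http://www.example.com/index.html Mozilla/5.0
2025-10-03T10:00:05Z 10.1.2.3 10.9.8.7 POST http://10.9.8.7/api/client NanoRemote/1.0
2025-10-03T10:00:09Z 10.1.2.4 192.168.50.20 POST http://192.168.50.20/api/client curl/8.4
2025-10-03T10:00:12Z 10.1.2.5 203.0.113.10 POST http://203.0.113.10/api/client Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, url, ua = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "method": method,
            "url": url, "user_agent": ua}


def is_non_routable(addr: str) -> bool:
    """True when addr is an IP inside one of the NON_ROUTABLE ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and malformed fields are not scored here
    return any(ip in net for net in NON_ROUTABLE)


def score_request(rec: dict) -> tuple:
    """Weight each indicator so one strong match or several weak ones flag a request."""
    score, reasons = 0, []
    if rec["user_agent"] == NANOREMOTE_UA:
        score += 3
        reasons.append("User-Agent NanoRemote/1.0")
    if rec["method"] == "POST" and urlsplit(rec["url"]).path == NANOREMOTE_URI:
        score += 2
        reasons.append("POST to /api/client")
    if rec["url"].startswith("http://") and is_non_routable(rec["dst"]):
        score += 1
        reasons.append("plain HTTP to non-routable address")
    return score, reasons


def find_suspicious(log_text: str, threshold: int = 3) -> list:
    """Return every line with at least one indicator, marking those at or above threshold."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score:
            hits.append({"line": n, "dst": rec["dst"], "score": score,
                         "flagged": score >= threshold, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        tag = "ALERT " if h["flagged"] else "review"
        print(f"{tag} line {h['line']} dst={h['dst']} score={h['score']}: "
              f"{', '.join(h['reasons'])}")
```

The User-Agent string alone is weighted to fire on its own because it is the most specific indicator, while a POST to /api/client is only escalated to an alert when it is combined with plain HTTP to a private address; on the constructed input, lines 2 and 3 are flagged and line 4 is left for review.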
The malware’s functionality is realized through 22 command handlers, enabling it to:
– Collect host information
– Perform file and directory operations
– Execute portable executable (PE) files already present on disk
– Clear cache
– Download/upload files to Google Drive
– Pause, resume, or cancel data transfers
– Terminate itself
An artifact named wmsetup.log, uploaded to VirusTotal from the Philippines on October 3, 2025, was found to be decryptable by WMLOADER using the same 16-byte key. This artifact revealed a FINALDRAFT implant, suggesting that both malware families are likely the work of the same threat actor.
The use of the same hard-coded key across both malware strains indicates a shared development environment. As Stepanic noted:
Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads. This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.
The emergence of NANOREMOTE underscores the increasing sophistication of cyber threats, particularly those exploiting trusted cloud services to evade detection. Organizations are urged to enhance their security measures, monitor for unusual activities involving cloud APIs, and educate employees about the risks associated with such advanced malware tactics.