NANOREMOTE Malware Uses Google Drive API for Covert C2 on Windows Systems
Cyber Espionage / Windows Security
Security researchers have analyzed a fully-featured Windows backdoor dubbed NANOREMOTE that abuses the Google Drive API for command-and-control (C2) operations.
According to a report from Elastic Security Labs, the malware exhibits code overlap with another implant called FINALDRAFT (aka Squidoor), which instead relies on the Microsoft Graph API for C2. FINALDRAFT has been linked to a threat cluster tracked as REF7707 (also known as CL-STA-0049, Earth Alux, and Jewelbug).
“One of the malware’s core capabilities is moving data between the compromised endpoint and the operator via the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.
“This mechanism effectively provides a channel for exfiltration and payload staging that blends into legitimate cloud traffic, complicating detection. The malware implements a task management system for file operations, including queuing download/upload jobs, pausing and resuming transfers, canceling in-flight transfers, and generating refresh tokens.”
REF7707 is assessed as a likely China-based activity cluster that has gone after government, defense, telecommunications, education, and aviation organizations in Southeast Asia and South America since at least March 2023, according to Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec linked the same group to a five-month intrusion against a Russian IT service provider.
The precise initial access vector used to deploy NANOREMOTE has not yet been identified. The observed intrusion flow, however, includes a loader dubbed WMLOADER that masquerades as Bitdefender’s crash handling component (“BDReinit.exe”) and decrypts shellcode that subsequently initializes the backdoor.
Developed in C++, NANOREMOTE supports host reconnaissance, execution of files and arbitrary commands, and bidirectional file transfer between victim networks and Google Drive. It is also configured to talk to a hard-coded, non-routable IP address over HTTP to receive operator instructions and return results.
“These requests are issued over HTTP, where JSON payloads are sent via POST, Zlib-compressed, and encrypted using AES-CBC with a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said. “All requests use the /api/client URI path with the User-Agent (NanoRemote/1.0).”
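The framing Elastic describes (a JSON body, zlib-compressed, then AES-CBC under the 16-byte key) is straightforward to reproduce when decoding captured traffic. The Go program below is an added example written for this page, not code from Elastic or from the malware itself: it implements both halves of that pipeline with the published key. The report does not say how the IV is carried or which padding scheme is used, so the example assumes PKCS#7 padding and a 16-byte IV prepended to the ciphertext; the task message it encodes is constructed, since the implant's real field names are not given.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// KeyHex is the 16-byte AES key Elastic reports for NANOREMOTE's HTTP C2 channel.
const KeyHex = "558bec83ec40535657833d7440001c00"

// Assumptions of this example, not stated in the report: PKCS#7 padding and a
// 16-byte IV carried in front of the ciphertext.

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Wrap applies the reported pipeline to an outbound message: JSON -> zlib -> AES-CBC.
func Wrap(msg any, key, iv []byte) ([]byte, error) {
	js, err := json.Marshal(msg)
	if err != nil {
		return nil, err
	}
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write(js)
	zw.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(zb.Bytes())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...), nil
}

// Unwrap reverses Wrap on a captured request or response body and returns the JSON object.
func Unwrap(body, key []byte) (map[string]any, error) {
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("body too short or not block-aligned")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err // a wrong key almost always fails here or at the zlib header
	}
	zr, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, err
	}
	js, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	var out map[string]any
	err = json.Unmarshal(js, &out)
	return out, err
}

func main() {
	key, _ := hex.DecodeString(KeyHex)
	iv := bytes.Repeat([]byte{0x41}, aes.BlockSize) // fixed only to make the demo reproducible
	body, err := Wrap(map[string]any{"task": "sysinfo", "id": 7}, key, iv) // constructed message
	if err != nil {
		panic(err)
	}
	fmt.Printf("POST /api/client body (%d bytes): %x\n", len(body), body)
	msg, err := Unwrap(body, key)
	fmt.Println("decoded:", msg, "err:", err)
}
```

To use it on a real capture, feed the raw POST body to Unwrap; if the implant turns out to carry the IV elsewhere (or uses a fixed one), only the first lines of Unwrap need to change, and a padding or zlib error is the usual sign that the IV assumption is wrong rather than the key.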
Its main capability surface is exposed through 22 command handlers that enable host data collection, file and directory manipulation, execution of portable executable (PE) files already present on disk, cache cleanup, upload and download to Google Drive, control over transfer state (pause, resume, cancel), and self-removal.
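Taken together, the hard-coded User-Agent, the fixed /api/client path, POST bodies and a non-routable destination give a hunting signature for proxy or web-gateway logs. The Go program below is an added example, not part of Elastic's report or its detection rules: it scores constructed log records so that the literal User-Agent alone flags a request, while the generic path only counts when paired with the other traits. The pipe-separated log layout, the sample lines and the score weights are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Indicators taken from Elastic's description of the HTTP C2 channel.
const (
	iocUserAgent = "NanoRemote/1.0"
	iocPath      = "/api/client"
)

// Record is one proxy log entry. The pipe-separated layout is an assumption of this example.
type Record struct {
	Time, Src, Dst, Method, URL, UserAgent string
}

// Hit is a flagged record with its score and the reasons it matched.
type Hit struct {
	Record Record
	Score  int
	Why    []string
}

func parseLine(line string) (Record, bool) {
	f := strings.Split(line, " | ")
	if len(f) != 6 {
		return Record{}, false
	}
	return Record{f[0], f[1], f[2], f[3], f[4], f[5]}, true
}

// nonRoutable is true for destinations no legitimate Internet service would answer from,
// matching the report's note that the implant beacons to a hard-coded non-routable address.
func nonRoutable(ip string) bool {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// Score weighs the indicators: the literal User-Agent is enough on its own, while the
// generic /api/client path only counts together with a POST and a non-routable destination.
func Score(r Record) (int, []string) {
	score, why := 0, []string{}
	if r.UserAgent == iocUserAgent {
		score += 10
		why = append(why, "user-agent "+iocUserAgent)
	}
	if u, err := url.Parse(r.URL); err == nil && u.Path == iocPath {
		if r.Method == "POST" {
			score += 3
			why = append(why, "POST to "+iocPath)
		}
		if nonRoutable(r.Dst) {
			score += 3
			why = append(why, "non-routable destination "+r.Dst)
		}
	}
	return score, why
}

// Hunt returns every record whose score reaches threshold, in log order.
func Hunt(log string, threshold int) []Hit {
	var hits []Hit
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		if s, why := Score(r); s >= threshold {
			hits = append(hits, Hit{r, s, why})
		}
	}
	return hits
}

// SampleLog is constructed for this example; none of it is real telemetry.
const SampleLog = `2025-10-03T09:12:44Z | 10.20.30.40 | 192.168.5.7 | POST | http://192.168.5.7/api/client | NanoRemote/1.0
2025-10-03T09:12:51Z | 10.20.30.41 | 198.51.100.20 | GET | https://www.googleapis.com/drive/v3/files | Mozilla/5.0
2025-10-03T09:13:02Z | 10.20.30.42 | 10.0.0.9 | POST | http://10.0.0.9/api/client | Mozilla/5.0
2025-10-03T09:13:10Z | 10.20.30.43 | 203.0.113.10 | POST | https://203.0.113.10/api/client | curl/8.4.0`

func main() {
	for _, h := range Hunt(SampleLog, 6) {
		fmt.Printf("%s %s -> %s score=%d %v\n", h.Record.Time, h.Record.Src, h.Record.Dst, h.Score, h.Why)
	}
}
```

With a threshold of 6 the first line (User-Agent plus a POST to a private address) and the third (POST to /api/client on a private address with an unremarkable User-Agent) are flagged, while the Google Drive request and the POST to a public host on the same path are not; raising the threshold to 10 keeps only the User-Agent match. The Drive traffic itself is the harder problem the article points at, since it is indistinguishable from legitimate use at the proxy and needs account- or token-level telemetry instead.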
Elastic also identified an artifact (“wmsetup.log”) uploaded to VirusTotal from the Philippines on October 3, 2025, which can be decrypted by WMLOADER using the same 16-byte key to reveal a FINALDRAFT implant. This strongly suggests both malware families are maintained by the same operator. The rationale for reusing the same hard-coded key across the tooling remains unknown.
“Our current hypothesis is that WMLOADER reuses the same hard-coded key because it is produced as part of a shared build or development pipeline that supports multiple payloads,” Stepanic said. “This provides additional evidence that FINALDRAFT and NANOREMOTE are built from a common codebase and development environment.”

