NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems
Summary:
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2. The malware exhibits code similarities with another implant, FINALDRAFT (aka Squidoor), which uses the Microsoft Graph API for C2 instead.
- Threat Actor: Both NANOREMOTE and FINALDRAFT are likely linked to the suspected China-linked espionage cluster REF7707 (aka Earth Alux/Jewelbug), known for targeting governments, defense, telecom, education, and aviation sectors primarily in Southeast Asia and South America since at least March 2023.
- Key Feature: The malware's primary feature is shipping data via the Google Drive API, providing a C2 channel for data theft and payload staging. It includes a robust task management system for queuing, pausing, resuming, and canceling file transfers, and generating refresh tokens.
- C2 Communication: Besides the Google Drive C2, NANOREMOTE also communicates with a hard-coded, non-routable IP address over HTTP, using the URI /api/client and the User-Agent NanoRemote/1.0. The JSON payload on this channel is Zlib-compressed and then encrypted with AES-CBC under a 16-byte hard-coded key.
- Delivery Vector/Execution: The initial access vector is unknown, but the observed attack chain involves a loader called WMLOADER. This loader is designed to mimic a Bitdefender Security program ("BDReinit.exe") and is responsible for decrypting and loading the NANOREMOTE backdoor.
- Broader Capabilities: The implant has 22 command handlers to perform host reconnaissance, execute files and commands, carry out file/directory operations, and manage file transfers to/from Google Drive.
- Shared Infrastructure: The AES key and WMLOADER used for NANOREMOTE are also associated with FINALDRAFT, strongly indicating that both malware families are developed by the same China-linked adversary (REF7707).
NANOREMOTE is further evidence of REF7707's use of legitimate, high-reputation cloud service APIs (Google Drive, Microsoft Graph) for C2, which frustrates defenses by letting the traffic blend in with normal organizational activity. The two implants overlap in both code and behavior. The reuse of a single hard-coded key across distinct malware families suggests a standardized process within the group's malware development. Organizations should focus on analyzing network traffic to cloud APIs, looking for unusual transfer volumes, and monitoring for WMLOADER.
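A worked detection example, written for this digest and not taken from Elastic's or The Hacker News' reporting: it applies the two HTTP indicators the report names (User-Agent NanoRemote/1.0 on URI /api/client, checking whether the destination is a non-routable address) to proxy log lines, and sums per-host transfer volume to the Google Drive API so unusual volumes stand out for baselining. The log format, the sample lines, the 192.168.50.10 address and the 100 MiB threshold are constructed assumptions, not values from the report.

```python
"""
Added example (not from the Elastic or The Hacker News write-ups): a small
log-triage script for the two network behaviors the NANOREMOTE report
describes -- the secondary HTTP channel (User-Agent "NanoRemote/1.0",
URI "/api/client", hard-coded non-routable address) and bulk transfers
through the Google Drive API. Log lines, the 192.168.50.10 address and
the threshold are constructed sample data, not real captures.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed proxy log lines, one request per line:
# timestamp src_ip method host uri status bytes "user-agent"
SAMPLE_LOG = """\
2025-12-01T09:00:01Z 10.1.2.3 GET www.googleapis.com /drive/v3/files 200 1240 "Mozilla/5.0"
2025-12-01T09:00:05Z 10.1.2.3 POST www.googleapis.com /upload/drive/v3/files 200 52428800 "Mozilla/5.0"
2025-12-01T09:00:09Z 10.1.2.3 POST www.googleapis.com /upload/drive/v3/files 200 73400320 "Mozilla/5.0"
2025-12-01T09:01:00Z 10.1.2.3 POST 192.168.50.10 /api/client 200 512 "NanoRemote/1.0"
2025-12-01T09:02:00Z 10.1.2.4 GET www.googleapis.com /drive/v3/files 200 900 "Mozilla/5.0"
2025-12-01T09:03:00Z 10.1.2.4 GET www.example.com /index.html 200 3000 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<uri>\S+) '
    r'(?P<status>\d+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Indicators as given in the report.
NANOREMOTE_UA = "NanoRemote/1.0"
NANOREMOTE_URI = "/api/client"
# Google Drive API endpoint host and path prefixes (assumed for this example).
DRIVE_API_HOST = "www.googleapis.com"
DRIVE_PATH_PREFIXES = ("/drive/", "/upload/drive/")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_private_host(host):
    """True if host is a literal RFC 1918 / non-routable IP; False for hostnames."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_c2_beacons(lines):
    """Exact-match the secondary HTTP channel (UA + URI) and note non-routable destinations."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == NANOREMOTE_UA and rec["uri"] == NANOREMOTE_URI:
            hits.append((rec["src"], rec["host"], is_private_host(rec["host"])))
    return hits


def drive_transfer_volume(lines):
    """Sum bytes per source host for requests to the Drive API (uploads and downloads)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] == DRIVE_API_HOST and rec["uri"].startswith(DRIVE_PATH_PREFIXES):
            totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_high_volume(totals, threshold_bytes):
    """Return source hosts whose Drive API volume exceeds the (assumed) baseline threshold."""
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, host, private in find_c2_beacons(lines):
        print(f"[c2-beacon] {src} -> {host}{' (non-routable)' if private else ''}")
    volumes = drive_transfer_volume(lines)
    for src in flag_high_volume(volumes, 100 * 1024 * 1024):
        print(f"[drive-volume] {src} moved {volumes[src]} bytes via the Drive API")
```

The exact-match rule catches only the indicators as reported; a rebuilt sample can change a User-Agent string trivially, so the volume baseline per host is the more durable of the two checks, and the threshold should be derived from each organization's own normal Drive usage rather than the constructed value used here.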
Suggested Corrections:
Elastic Recommendations:
One of the main behaviors for defenders to validate is the abuse of legitimate services such as the Google Drive API. Elastic Security has published YARA rules to identify this activity, and a MITRE ATT&CK mapping for the threat is provided in the blog post.
Link(s):
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
https://www.elastic.co/security-labs/nanoremote