NANOREMOTE Malware Utilizes Google Drive API for Stealthy Windows Infiltration

Key Takeaways

  • A new Windows backdoor called NANOREMOTE has been discovered, which uses the Google Drive API for command-and-control (C2) purposes.
  • The malware shares code similarities with another implant called FINALDRAFT, which employs the Microsoft Graph API for C2.
  • NANOREMOTE is attributed to a threat cluster known as REF7707, a suspected Chinese activity cluster that has targeted various sectors in Southeast Asia and South America.
  • The malware is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API.
  • The exact initial access vector used to deliver NANOREMOTE is currently not known, but the observed attack chain includes a loader named WMLOADER that mimics Bitdefender’s crash handling component.

Introduction to NANOREMOTE
A new fully-featured Windows backdoor called NANOREMOTE has emerged. It uses the Google Drive API for command-and-control (C2), which lets its traffic blend in with legitimate cloud activity and makes it a notable threat to organizations and individuals alike. According to a report from Elastic Security Labs, NANOREMOTE shares code similarities with another implant codenamed FINALDRAFT, which employs the Microsoft Graph API for C2. This similarity suggests that the two malware families are the work of the same threat actor. FINALDRAFT is attributed to a threat cluster known as REF7707, a suspected Chinese activity cluster that has targeted the government, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023.

Malware Capabilities and Features
NANOREMOTE is equipped with a range of features that support its malicious activity. Its core feature is moving data to and from the victim endpoint through the Google Drive API, which gives the operator a channel for data theft and payload staging that is difficult to detect because it looks like ordinary traffic to Google's API endpoints. The malware includes a task management system for file transfers that supports queuing download/upload tasks, pausing and resuming transfers, canceling transfers, and generating OAuth refresh tokens. NANOREMOTE is written in C++ and can perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It is also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP, processing requests sent by the operator and returning the responses.

Communication and Encryption
Communication between NANOREMOTE and its command-and-control server occurs over HTTP: JSON data is submitted in POST requests whose bodies are Zlib compressed and then encrypted with AES-CBC using a 16-byte key. All requests use the URI /api/client and the User-Agent string NanoRemote/1.0. The encryption and compression make it harder for security tooling to inspect the content of the exchange; because the channel runs over plain HTTP, however, the fixed URI and User-Agent string remain visible in proxy and network logs even though the JSON body itself is encrypted. The malware's primary functionality is realized through a set of 22 command handlers that let it collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear its cache, download and upload files to Google Drive, pause, resume, and cancel data transfers, and terminate itself.
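As an added illustration for defenders (not code from the article or from Elastic Security Labs), the following script runs a simple detection over constructed web-proxy log lines, flagging the User-Agent and the POST-to-/api/client pattern described above. The log format and the use of RFC 1918 space as the "non-routable IP" heuristic are assumptions; the article does not give the actual C2 address.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample web-proxy log lines (not real telemetry). Assumed format:
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOGS = """\
2025-10-03T08:01:12Z 10.1.4.22 POST http://10.20.30.40/api/client 200 "NanoRemote/1.0"
2025-10-03T08:01:15Z 10.1.4.22 GET https://www.googleapis.com/drive/v3/files 200 "Mozilla/5.0"
2025-10-03T08:02:40Z 10.1.4.23 POST https://example.com/api/client 200 "Mozilla/5.0"
2025-10-03T08:03:01Z 10.1.4.22 POST http://10.20.30.40/api/client 200 "NanoRemote/1.0"
2025-10-03T08:04:09Z 10.1.4.24 POST http://203.0.113.5/api/client 404 "curl/8.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
HOST_RE = re.compile(r'^https?://([^/:]+)')

# The report says the C2 address is hard-coded and non-routable but does not
# give it; RFC 1918 space is assumed here as the "non-routable" heuristic.
NON_ROUTABLE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_non_routable(host):
    """True if host is a literal IPv4 address inside one of the assumed ranges."""
    try:
        addr = ip_address(host)
    except ValueError:          # a hostname, not an IP literal
        return False
    return any(addr in net for net in NON_ROUTABLE)

def classify(line):
    """Return (src_ip, [reasons]) when a line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, src, method, url, _status, ua = m.groups()
    reasons = []
    if ua.startswith("NanoRemote/"):            # User-Agent named in the report
        reasons.append("nanoremote-user-agent")
    host = HOST_RE.match(url)
    c2_shape = method == "POST" and url.endswith("/api/client")
    if c2_shape and host and is_non_routable(host.group(1)):
        reasons.append("post-api-client-to-non-routable-ip")
    return (src, reasons) if reasons else None

def find_suspicious(log_text):
    """Run classify() over every line and return the list of hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

A POST to /api/client on a public host with an ordinary User-Agent (the third and fifth sample lines) is deliberately not flagged, since the URI alone is too generic to alert on.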

Attribution and Relationship to FINALDRAFT
The attribution of NANOREMOTE to REF7707 rests on its code similarity with FINALDRAFT. Elastic Security Labs identified an artifact ("wmsetup.log") uploaded to VirusTotal from the Philippines on October 3, 2025, that WMLOADER decrypts with the same 16-byte key to reveal a FINALDRAFT implant. This suggests that the two malware families are likely the work of the same threat actor. Why the same hard-coded key appears in both families is unclear, but it may be a product of a shared build and development process that works with various payloads. That shared codebase and development environment is a strong signal that FINALDRAFT and NANOREMOTE are related.

Conclusion and Implications
The discovery of NANOREMOTE highlights the evolving nature of cyber threats and the need for organizations to remain vigilant and proactive in their security measures. Abuse of a legitimate service such as the Google Drive API makes the C2 traffic harder for security systems to distinguish from normal cloud activity. The attribution of NANOREMOTE to REF7707, a suspected Chinese activity cluster, suggests that the threat actor continues to develop and expand its tooling. Organizations should stay informed and adapt their security measures to counter emerging threats like NANOREMOTE.
