- A new Windows backdoor named NANOREMOTE uses the Google Drive API for command-and-control operations.
- NANOREMOTE shares code characteristics with the FINALDRAFT implant linked to the suspected Chinese threat group REF7707.
- The malware enables data theft and payload staging via Google Drive, with transfer-management features for queuing, pausing, resuming and cancelling file transfers.
- The attack vector for NANOREMOTE remains unknown, but it uses a loader called WMLOADER for deployment.
- NANOREMOTE communicates through encrypted HTTP requests and supports 22 commands for reconnaissance and file operations.
Cybersecurity researchers have disclosed details of NANOREMOTE, a sophisticated Windows backdoor discovered in December 2025. The malware uses the Google Drive API to send and receive data for command-and-control (C2). It shares code with FINALDRAFT, another implant that uses the Microsoft Graph API for the same purpose and is linked to REF7707, a suspected Chinese cluster that conducts cyber espionage against multiple sectors globally.
NANOREMOTE's main function is covert data exchange via Google Drive. It includes a task-management system that can queue, pause, resume and cancel file transfers, and it refreshes its OAuth access tokens so that the Drive session survives long-running operations. Because the traffic goes to legitimate Google endpoints over TLS, it blends in with normal activity, which complicates detection and makes the channel reliable for data theft and payload delivery.
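Drive-based C2 still has to hit two fixed Google endpoints: the OAuth token endpoint (to trade a refresh token for an access token) and the Drive v3 API. The following is an added hunting example, not code from the article or from Elastic Security Labs: it runs over constructed process-to-host telemetry and flags any process that is not a browser or the Drive sync client talking to those endpoints. The event field names, the allowlist of images and the sample events are all assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// NetEvent is a simplified process-to-destination record of the kind an EDR
// or Sysmon network event would provide. Field names are an assumption.
type NetEvent struct {
	Image    string // full path of the process that made the connection
	DestHost string // destination hostname (from DNS or TLS SNI)
	URLPath  string // request path, when a proxy or TLS inspection exposes it
}

// Alert describes why an event was flagged.
type Alert struct {
	Image  string
	Reason string
}

// Hosts a Drive-API C2 channel must talk to, per the OAuth 2.0 and Drive v3 APIs.
var driveHosts = map[string]string{
	"oauth2.googleapis.com": "OAuth token exchange (refresh token -> access token)",
	"www.googleapis.com":    "Google Drive API",
}

// Executables expected to use Google Drive on a workstation. Illustrative
// assumption only; tune this for your own estate.
var allowedImages = []string{
	`\google\chrome\application\chrome.exe`,
	`\mozilla firefox\firefox.exe`,
	`\microsoft\edge\application\msedge.exe`,
	`\google\drivefs\`,
}

func isAllowed(image string) bool {
	img := strings.ToLower(image)
	for _, a := range allowedImages {
		if strings.Contains(img, a) {
			return true
		}
	}
	return false
}

// HuntDriveC2 flags connections to Google OAuth/Drive endpoints from processes
// outside the allowlist. For www.googleapis.com it only fires when the path is
// under /drive/, so other Google APIs served from that host do not trip it.
func HuntDriveC2(events []NetEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		host := strings.ToLower(e.DestHost)
		reason, ok := driveHosts[host]
		if !ok || isAllowed(e.Image) {
			continue
		}
		if host == "www.googleapis.com" && !strings.HasPrefix(e.URLPath, "/drive/") {
			continue
		}
		alerts = append(alerts, Alert{Image: e.Image, Reason: reason})
	}
	return alerts
}

// SampleEvents is constructed telemetry for this example; none of it comes from a real incident.
var SampleEvents = []NetEvent{
	{`C:\Program Files\Google\Chrome\Application\chrome.exe`, "www.googleapis.com", "/drive/v3/files"},
	{`C:\Users\alice\AppData\Local\Temp\updater.exe`, "oauth2.googleapis.com", "/token"},
	{`C:\Users\alice\AppData\Local\Temp\updater.exe`, "www.googleapis.com", "/drive/v3/files?q=name+contains+'task'"},
	{`C:\Program Files\Acme\sync.exe`, "www.googleapis.com", "/calendar/v3/calendars/primary/events"},
}

func main() {
	for _, a := range HuntDriveC2(SampleEvents) {
		fmt.Printf("ALERT %s -> %s\n", a.Image, a.Reason)
	}
}
```

Only the two connections from the unexpected process under the user's Temp directory are flagged; the browser's Drive request and the Calendar API call are allowed through. In practice the path filter needs proxy or TLS-inspection visibility; without it, alert on the OAuth token endpoint alone, since legitimate non-browser callers of it are rare on a workstation.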
The initial infection vector is not confirmed. In the observed attacks, however, the backdoor was deployed by WMLOADER, a loader that masquerades as a Bitdefender crash handler and decrypts shellcode that launches the backdoor. NANOREMOTE is written in C++ and lets operators conduct reconnaissance, execute commands, and transfer files to and from victim systems through the Google Drive API.
NANOREMOTE also connects over plain HTTP to a hard-coded, non-routable IP address, exchanging JSON messages that are Zlib-compressed and AES-CBC-encrypted under a fixed 16-byte (AES-128) key. Because the key is fixed rather than negotiated per session, anyone who recovers it from a sample can decrypt captured traffic. The malware contains 22 command handlers to gather host data, manipulate files and directories, run portable executable (PE) files, control data transfers, and self-terminate.
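The practical consequence of a fixed key is that the channel can be decoded offline. The block below is an added example, not NANOREMOTE's code or Elastic's decoder: it builds a message the way the article describes (JSON, Zlib, AES-CBC with a 16-byte key) and then reverses it. The key is a placeholder, not the real one; the zero IV and the compress-then-encrypt order are assumptions, since the report does not state either; the task message is constructed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// FixedKey stands in for the 16-byte key recovered from a sample. This value
// is a placeholder for the example, not the real NANOREMOTE key.
var FixedKey = []byte("0123456789abcdef")

// fixedIV: IV handling is not described in the report, so this example assumes a
// zero IV. Adjust to match the sample (prepended IV, constant IV, and so on).
var fixedIV = make([]byte, aes.BlockSize)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Encode serialises v to JSON, Zlib-compresses it, then AES-128-CBC encrypts it.
func Encode(v any) ([]byte, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var zbuf bytes.Buffer
	zw := zlib.NewWriter(&zbuf)
	zw.Write(raw)
	zw.Close() // Close flushes the deflate stream and writes the Adler-32 trailer
	block, err := aes.NewCipher(FixedKey)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(zbuf.Bytes())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, pt)
	return ct, nil
}

// Decode reverses Encode: decrypt, strip padding, inflate, parse JSON. With the
// fixed key this is exactly what a defender can do to captured traffic.
func Decode(ct []byte) (map[string]any, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(FixedKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	zdata, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err // a wrong key or tampered data usually surfaces here
	}
	zr, err := zlib.NewReader(bytes.NewReader(zdata))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	raw, err := io.ReadAll(io.LimitReader(zr, 1<<20)) // cap inflation; do not trust attacker-sized streams
	if err != nil {
		return nil, err
	}
	var msg map[string]any
	if err := json.Unmarshal(raw, &msg); err != nil {
		return nil, err
	}
	return msg, nil
}

// RoundTrip encodes a constructed task message and decodes it again.
func RoundTrip() (map[string]any, error) {
	ct, err := Encode(map[string]any{"cmd": "sysinfo", "id": 7})
	if err != nil {
		return nil, err
	}
	return Decode(ct)
}

func main() {
	msg, err := RoundTrip()
	fmt.Println(msg, err)
}
```

To apply this to a capture, replace FixedKey with the key pulled from the sample and feed Decode the HTTP body bytes; if the padding check fails on every message, the ordering or IV assumption is wrong for that build and should be revisited first.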
An artifact named "wmsetup.log", found on VirusTotal on October 3, 2025, decrypted under the same key used by WMLOADER into FINALDRAFT code. According to Elastic Security Labs, this suggests both malware families share a development environment and possibly the same threat actor.
REF7707, assessed to be of Chinese origin, has targeted government, defense, telecommunications, education and aviation organisations in Southeast Asia and South America since March 2023. A more recent intrusion attributed to the group, at a Russian IT services provider, lasted five months, according to findings published in October 2025.
