NANOREMOTE: New Windows Backdoor Leverages Google Drive API for C2
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs the Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).
“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.
“This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.”
REF7707 is suspected to be a Chinese activity cluster that has targeted the government, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks.
New Malware Families, NanoRemote and FinalDraft, Linked to the Same Threat Actor
Security researchers at Elastic have identified two distinct malware families, NanoRemote and FinalDraft, exhibiting strong indicators of being developed and operated by the same threat actor. The findings suggest a shared codebase and development environment between the two.
NanoRemote, written in C++, utilizes a loader named WMLOADER that mimics a legitimate Bitdefender component, BDReinit.exe, to decrypt the shellcode responsible for launching the backdoor. The malware is capable of extensive reconnaissance, file and command execution, and data transfer leveraging the Google Drive API.
Communication between NanoRemote and its command-and-control server occurs over HTTP, specifically using POST requests to the /api/client URI with a User-Agent of “NanoRemote/1.0”. Request bodies are compressed with Zlib and encrypted with AES-CBC using a consistent 16-byte key: 558bec83ec40535657833d7440001c00. The malware communicates with a hard-coded, non-routable IP address. https://www.elastic.co/blog/nanoremote-and-finaldraft-malware-families
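The three network indicators above (POST to /api/client, the “NanoRemote/1.0” User-Agent, a non-routable destination) can be turned into a simple triage check over proxy logs. The following is an added example written for this page, not code from Elastic or the malware; the log line format and the sample lines are constructed assumptions, and the non-routable test is treated as enrichment rather than an alert on its own.

```python
import ipaddress
import re

# Indicators from the article: NanoRemote POSTs to /api/client with
# User-Agent "NanoRemote/1.0" against a hard-coded, non-routable IP.
C2_URI = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"
# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <dst_ip> <method> <uri> "<user-agent>"
SAMPLE_LOG = """\
2025-10-03T10:00:01Z 10.1.2.3 10.0.0.5 POST /api/client "NanoRemote/1.0"
2025-10-03T10:00:02Z 10.1.2.4 93.184.216.34 GET /index.html "Mozilla/5.0"
2025-10-03T10:00:03Z 10.1.2.3 192.168.50.7 POST /api/client "Mozilla/5.0"
2025-10-03T10:00:04Z 10.1.2.9 8.8.8.8 POST /api/client "NanoRemote/1.0"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) '
                     r'(?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict; raise on lines outside the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def is_non_routable(ip):
    """Private, loopback or link-local destination: a hint, not proof, of the hard-coded C2 address."""
    return not ipaddress.ip_address(ip).is_global

def match_indicators(ev):
    """Return the NanoRemote indicators matched by one parsed event."""
    hits = []
    if ev["method"] == "POST" and ev["uri"] == C2_URI:
        hits.append("post_api_client")
    if ev["ua"] == C2_USER_AGENT:
        hits.append("ua_nanoremote")
    if is_non_routable(ev["dst"]):
        hits.append("non_routable_dst")
    return hits

def find_nanoremote_beacons(log_text):
    """Alert only when URI and User-Agent both match; the destination flag is triage enrichment."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        hits = match_indicators(ev)
        if "post_api_client" in hits and "ua_nanoremote" in hits:
            alerts.append({**ev, "indicators": hits})
    return alerts
```

On the constructed sample, the first and fourth lines alert; the third (generic browser User-Agent on an internal host) is recorded as a partial match only.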
NanoRemote boasts 22 command handlers enabling a wide range of functionalities, including host details gathering, file and directory manipulation, execution of PE files already on the compromised system, cache clearing, and file upload/download to and from Google Drive. It also allows for pausing, resuming, and canceling data transfers, as well as self-termination. https://www.elastic.co/blog/nanoremote-and-finaldraft-malware-families
The connection to FinalDraft was established through the identification of a file, wmsetup.log (https://www.virustotal.com/gui/file/a0b0659e924d7ab27dd94f111182482d5c827562d71f8cafc2c44da2e549fe61/), uploaded to VirusTotal from the Philippines on October 3, 2025. This file could be decrypted by WMLOADER using the same 16-byte AES key, revealing a FinalDraft implant.
Researchers hypothesize that the reuse of the hard-coded key stems from a shared build or development process, allowing WMLOADER to function with various payloads. https://www.elastic.co/blog/nanoremote-and-finaldraft-malware-families
