NANOREMOTE: New Windows Backdoor Uses Google Drive for Stealthy C2

Security researchers have uncovered a new Windows backdoor dubbed NANOREMOTE, a fully loaded piece of malware that quietly uses the Google Drive API as its command and control channel, a clever trick that makes its traffic blend in with everyday cloud activity.

The discovery comes from Elastic Security Labs, which says NANOREMOTE shares notable code overlap with a previously documented backdoor called FINALDRAFT (also known as Squidoor). FINALDRAFT has been linked to the threat actor REF7707, also tracked as Earth Alux or Jewelbug, a long-running, suspected China-aligned group known for targeting government, telecom, defense, and education organizations across Southeast Asia and South America.

According to Daniel Stepanic of Elastic, NANOREMOTE leans heavily on Google Drive not just for basic communications, but for managing data theft and staging additional payloads. The malware comes with a surprisingly mature tasking system: it can queue uploads and downloads, pause and resume them, cancel transfers, and even generate Google API refresh tokens when needed. In other words, this isn’t a quick hack; it’s a well-maintained tool.

How NANOREMOTE Lands on a System
Elastic hasn’t yet confirmed how the backdoor gets its initial foothold. What is clear is that infections involve a loader known as WMLOADER, which pretends to be a Bitdefender crash handler (BDReinit.exe). Behind the disguise, WMLOADER decrypts shellcode that eventually launches NANOREMOTE.

Once active, the C++ implant can:
1. Gather host information
2. Execute files and commands
3. Perform file and directory operations
4. Upload and download files using Google Drive
5. Manage PE execution from disk
6. Clear its own cache
7. Pause, resume, or cancel file transfers
8. Terminate itself when instructed

How It Communicates
Although Google Drive is the headline feature, NANOREMOTE also includes a secondary communication channel. It talks to a hard-coded, non-routable IP address over HTTP, sending encrypted and compressed JSON commands using the path /api/client and the user-agent string NanoRemote/1.0. Traffic is encrypted using AES-CBC with a 16-byte key, the same key used by FINALDRAFT and even by WMLOADER.
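The three network indicators in that paragraph (the /api/client path, the NanoRemote/1.0 user-agent, and a non-routable destination) are easy to turn into a hunting query. The Python below is an added example written for this post, not code from the article, The Hacker News, or Elastic; the log format and the four sample log lines are constructed for illustration, and the indicator strings are the ones stated above.

```python
"""Hunt for NANOREMOTE's secondary HTTP channel in HTTP request logs.

Added example, not from the original article or from Elastic's tooling.
Indicators are taken from the article: request path /api/client, user-agent
"NanoRemote/1.0", and a hard-coded, non-routable destination address.
The log line format and the sample lines below are constructed (assumed).
"""
import ipaddress
import re
from typing import Any, Dict, List

# Indicators stated in the article.
C2_PATH = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"

# Constructed log format (assumption):
#   <src_ip> <dst_ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a full match, a path-only request to a private
# host, a benign Google API request, and a /api/client request to a public
# host (a common path name that must not fire on its own).
SAMPLE_LOG = """\
10.0.4.21 192.168.50.10 POST /api/client "NanoRemote/1.0"
10.0.4.21 10.1.1.5 POST /api/client "Mozilla/5.0"
10.0.4.21 142.250.72.14 GET /drive/v3/files "Mozilla/5.0"
10.0.4.22 8.8.8.8 POST /api/client "curl/8.0"
"""


def is_non_routable(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and other non-global addresses."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def score_line(line: str) -> Dict[str, Any]:
    """Parse one log line and list the NANOREMOTE indicators it matches.

    Returns an empty dict for lines that do not fit the assumed format.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return {}
    reasons: List[str] = []
    if m["ua"] == C2_USER_AGENT:
        reasons.append("user-agent NanoRemote/1.0")
    if m["path"] == C2_PATH:
        reasons.append("path /api/client")
        # The path alone is generic; it only becomes interesting when the
        # destination is a non-routable address, as the article describes.
        if is_non_routable(m["dst"]):
            reasons.append("non-routable destination")
    return {"src": m["src"], "dst": m["dst"], "reasons": reasons}


def hunt(log_text: str, min_indicators: int = 2) -> List[Dict[str, Any]]:
    """Return parsed lines that match enough indicators to be worth triage.

    The user-agent is treated as a hit by itself: "NanoRemote/1.0" has no
    legitimate use. Other lines need at least `min_indicators` matches.
    """
    hits: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        r = score_line(line)
        if not r:
            continue
        ua_hit = "user-agent NanoRemote/1.0" in r["reasons"]
        if ua_hit or len(r["reasons"]) >= min_indicators:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['src']} -> {h['dst']}: {', '.join(h['reasons'])}")
```

Because the hard-coded address is non-routable, requests to it may never reach a perimeter proxy at all; endpoint-level HTTP telemetry (an EDR agent, host firewall or local web-filter log) is the more likely place to see this channel, and that is where a query like this should be run.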

This overlap wasn’t lost on Elastic. In fact, the team found a file uploaded to VirusTotal from the Philippines that could be decrypted by WMLOADER using that shared key, and inside was a FINALDRAFT sample. That strongly supports the idea that both implants come from the same developers and likely the same threat actor.

A Shared Development Pipeline
Why would two different backdoors use the exact same hard-coded key? Elastic’s view is simple: both NANOREMOTE and FINALDRAFT are probably built within the same developer ecosystem, where WMLOADER works as a universal delivery component. The shared key is less a mistake and more a sign of standardized tooling behind this threat cluster.

REF7707 has been expanding its operational footprint, including a five-month intrusion into a Russian IT service provider in late 2025. NANOREMOTE appears to be the next step in the group’s evolving toolkit, and its use of mainstream cloud APIs will make detection even harder for defenders.

Source: The Hacker News

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067