Cyber Web Spider Blog – News
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems

Posted on December 11, 2025 By CWS

Dec 11, 2025 | Ravie Lakshmanan | Cyber Espionage / Windows Security
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2).
According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that uses the Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster tracked as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).
"One of the malware's primary features is centered around transporting data back and forth from the victim endpoint using the Google Drive API," Daniel Stepanic, principal security researcher at Elastic Security Labs, said.

"This feature ends up providing a channel for data theft and payload staging that's difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens."
REF7707 is assessed to be a suspected Chinese activity cluster that has targeted the government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America since at least March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed to the group a five-month-long intrusion targeting a Russian IT service provider.

The initial access vector used to deliver NANOREMOTE is currently not known. However, the observed attack chain includes a loader named WMLOADER that masquerades as a Bitdefender crash-handling component ("BDReinit.exe") and decrypts shellcode responsible for launching the backdoor.
Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It is also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP, processing requests sent by the operator and returning the responses.
"These requests occur over HTTP where the JSON data is submitted by POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00)," Elastic said. "The URI for all requests uses /api/client with User-Agent (NanoRemote/1.0)."
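The following Go program is an added example, not code from Elastic's report or from the malware itself. It models the HTTP transport described above from both sides: it builds a request in that shape (JSON body, zlib-compressed, AES-CBC under the published 16-byte key, POSTed to /api/client with the NanoRemote/1.0 User-Agent and a non-routable Host), then parses that request the way an analyst would a captured one, flags each reported indicator it matches, and tries to decrypt the body with the published key. The report does not say how the IV or padding are handled, so the example assumes a 16-byte IV prepended to the ciphertext and PKCS#7 padding; the JSON field names, the fixed IV and the 10.0.0.5 destination are constructed for illustration and are not from the report. Everything used is in the Go standard library (net.IP.IsPrivate needs Go 1.17 or later).

```go
package main

import (
	"bufio"
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
)

// Transport indicators as reported for NANOREMOTE's HTTP channel.
var reportedKey, _ = hex.DecodeString("558bec83ec40535657833d7440001c00") // 16 bytes, i.e. AES-128
const c2Path, c2UserAgent = "/api/client", "NanoRemote/1.0"

// EncodeBody models the implant side: JSON -> zlib -> AES-CBC. ASSUMPTION: the report does not
// say how the IV or padding are handled; this prepends the 16-byte IV and uses PKCS#7 padding.
func EncodeBody(key, iv, jsonPayload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(jsonPayload)
	w.Close()
	pad := aes.BlockSize - z.Len()%aes.BlockSize
	pt := append(z.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append(append([]byte{}, iv...), make([]byte, len(pt))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

// DecodeBody is the analyst side: split off the IV, decrypt, strip padding, inflate.
func DecodeBody(key, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not IV + whole CBC blocks", len(body))
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key or a different IV convention")
	}
	r, err := zlib.NewReader(bytes.NewReader(pt[:len(pt)-n]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}

// Findings parses one raw HTTP request and lists the reported indicators it matches.
func Findings(raw []byte) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	var hits []string
	if req.Method == http.MethodPost && req.URL.Path == c2Path {
		hits = append(hits, "uri")
	}
	if req.UserAgent() == c2UserAgent {
		hits = append(hits, "user-agent")
	}
	host, _, err := net.SplitHostPort(req.Host)
	if err != nil { // no port in the Host header
		host = req.Host
	}
	if ip := net.ParseIP(host); ip != nil && (ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()) {
		hits = append(hits, "non-routable host")
	}
	body, _ := io.ReadAll(req.Body)
	if pt, err := DecodeBody(reportedKey, body); err == nil && json.Valid(pt) {
		hits = append(hits, "body decrypts to JSON with reported key")
	}
	return hits, nil
}

// SampleRequest is a constructed request in the described shape; the JSON fields, the fixed IV
// and the 10.0.0.5 destination are illustrative values, not taken from the report.
var SampleRequest = func() []byte {
	body, err := EncodeBody(reportedKey, bytes.Repeat([]byte{1}, aes.BlockSize), []byte(`{"task":"host_info","hostname":"WS-017"}`))
	if err != nil {
		panic(err)
	}
	hdr := fmt.Sprintf("POST %s HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: %s\r\nContent-Length: %d\r\n\r\n", c2Path, c2UserAgent, len(body))
	return append([]byte(hdr), body...)
}()

func main() { fmt.Println(Findings(SampleRequest)) }
```

Two points follow from the report's own details. Because the hard-coded address is non-routable, the beacon stays inside the victim's network, so the URI and User-Agent above are indicators for host-based or internal (east-west) capture rather than for egress proxy logs. And if a real capture fails the padding check in DecodeBody, the first thing to revisit is the IV and padding convention the example assumes, since the key itself is published.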

Its core functionality is implemented as a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear its cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.
Elastic said it identified an artifact ("wmsetup.log") uploaded to VirusTotal from the Philippines on October 3, 2025, that can be decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It is unclear why the same hard-coded key is used across both of them.
"Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads," Stepanic said. "This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE."

Source: The Hacker News. Tags: API, Control, Drive, Google, Hidden, Malware, NANOREMOTE, Systems, Windows

Copyright © 2025 Cyber Web Spider Blog – News.
