Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).
“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.
“This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.”
REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider.
The exact initial access vector used to deliver NANOREMOTE is currently not known. However, the observed attack chain includes a loader named WMLOADER that mimics Bitdefender’s crash handling component (“BDReinit.exe”) and decrypts shellcode responsible for launching the backdoor.
Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It’s also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to process requests sent by the operator and send the response back.
“These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said. “The URI for all requests use /api/client with User-Agent (NanoRemote/1.0).”
Its primary functionality is realized through a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.
Elastic said it identified an artifact (“wmsetup.log“) uploaded to VirusTotal from the Philippines on October 3, 2025, that’s capable of being decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It’s unclear as to why the same hard-coded key is being used across both of them.
“Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads,” Stepanic said. “This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.”
