NANOREMOTE infection chain | Image: Elastic Security Labs
Elastic Security Labs has uncovered a sophisticated new Windows backdoor that leverages the trusted infrastructure of Google Drive to evade detection and exfiltrate sensitive data. Dubbed NANOREMOTE, the malware was first observed in October 2025 and is believed to be the work of a seasoned espionage threat actor linked to previous high-profile campaigns.
The backdoor is notable for its use of legitimate cloud services for command-and-control (C2) operations, allowing it to blend its malicious traffic seamlessly with normal network activity.
The most distinct feature of NANOREMOTE is its ability to “ship data back and forth from the victim endpoint using the Google Drive API”. By using OAuth 2.0 tokens to authenticate with Google’s servers, the malware creates a covert channel for data theft and payload staging that is extremely difficult for traditional security tools to detect.
The malware employs a robust task management system to handle these transfers. It can queue download and upload tasks, pause and resume file transfers, and even generate refresh tokens to maintain access without user interaction.
The infection chain begins with a deceptive loader component known as WMLOADER. This loader masquerades as a legitimate security program, specifically a Bitdefender crash handler named BDReinit.exe. However, unlike the real software, this file carries an invalid digital signature.
Once executed, WMLOADER performs a series of complex decryption steps:
- Shellcode Decryption: It uses a rolling XOR algorithm to decrypt shellcode embedded within itself.
- Payload Loading: The shellcode searches for a file named wmsetup.log in the same directory.
- Final Decryption: It decrypts this log file using AES-CBC with a hard-coded 16-byte key (3A5AD78097D944AC) to reveal and execute the NANOREMOTE backdoor in memory.
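The following hunt is an added example (not Elastic's code) that combines the two defender-side signals described above: Google Drive/OAuth traffic from a process with no business using the Drive API, and a binary whose digital signature does not verify, as with the BDReinit.exe masquerade. The JSON log format, the `signed` field, the process allowlist and every sample line are constructed assumptions, not data from the report.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of per-process network log lines (one JSON object per line).
# The Google hostnames are the real Drive/OAuth endpoints; process names,
# timestamps, the "signed" field and the file id are made up for this example.
SAMPLE_LOG = """\
{"ts":"2025-10-14T09:02:11Z","host":"ws-17","proc":"chrome.exe","signed":"valid","url":"https://www.googleapis.com/drive/v3/files"}
{"ts":"2025-10-14T09:02:40Z","host":"ws-17","proc":"BDReinit.exe","signed":"invalid","url":"https://oauth2.googleapis.com/token"}
{"ts":"2025-10-14T09:02:41Z","host":"ws-17","proc":"BDReinit.exe","signed":"invalid","url":"https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable"}
{"ts":"2025-10-14T09:03:05Z","host":"ws-17","proc":"BDReinit.exe","signed":"invalid","url":"https://www.googleapis.com/drive/v3/files/1abc?alt=media"}
{"ts":"2025-10-14T09:04:00Z","host":"ws-22","proc":"GoogleDriveFS.exe","signed":"valid","url":"https://www.googleapis.com/drive/v3/files"}
"""

DRIVE_HOSTS = {"www.googleapis.com", "oauth2.googleapis.com"}
# Assumed allowlist: processes expected to use the Drive API on a managed endpoint.
ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

def drive_api_hunt(log_text):
    """One finding per (endpoint, process) using Drive/OAuth endpoints while not allowlisted, and why."""
    seen = defaultdict(lambda: {"token": False, "upload": False,
                                "download": False, "bad_sig": False, "events": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        url = urlsplit(rec["url"])
        if url.hostname not in DRIVE_HOSTS:
            continue
        s = seen[(rec["host"], rec["proc"])]
        s["events"] += 1
        # OAuth 2.0 token endpoint (access/refresh token exchange), Drive upload
        # (exfiltration) and alt=media download (payload staging) request shapes.
        s["token"] |= url.hostname == "oauth2.googleapis.com" and url.path == "/token"
        s["upload"] |= url.path.startswith("/upload/drive/")
        s["download"] |= url.path.startswith("/drive/") and "alt=media" in url.query
        s["bad_sig"] |= rec.get("signed") != "valid"
    findings = []
    for (host, proc), s in seen.items():
        if proc.lower() in ALLOWED_PROCS:
            continue
        reasons = ["unexpected process using Google Drive API"]
        if s["bad_sig"]:
            reasons.append("binary signature not valid")
        if s["token"] and (s["upload"] or s["download"]):
            reasons.append("OAuth token exchange followed by file transfer")
        findings.append({"host": host, "proc": proc, "events": s["events"], "reasons": reasons})
    return findings
```

On the sample above only the unsigned BDReinit.exe on ws-17 is reported, with all three reasons; the browser and the Drive desktop client are suppressed by the allowlist.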
NANOREMOTE is a fully-featured implant written in C++ that integrates advanced functionality from open-source projects to enhance its stealth and stability.
- Custom PE Loading: It uses the libPeConv library to load and execute Portable Executable (PE) files directly from disk or memory, bypassing the standard Windows loader to avoid detection.
- API Hooking: The malware utilizes Microsoft Detours to hook critical process termination functions like ExitProcess and FatalExit. This resiliency mechanism prevents a failure in a single worker thread from crashing the entire malware process.
Elastic Security Labs has linked NANOREMOTE to REF7707, a threat cluster previously associated with the FINALDRAFT malware family. The connection is supported by strong forensic evidence:
- Code Reuse: Both implants share identical code for generating GUIDs and hashing them with the Fowler-Noll-Vo (FNV) function.
- Shared Encryption Keys: The most damning evidence is the reuse of the exact same AES key (3A5AD78097D944AC) to decrypt the payloads for both NANOREMOTE and FINALDRAFT.
“This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE,” the report concludes.