New NANOREMOTE Backdoor Uses Google Drive API for Covert C2 and Links to FINALDRAFT Espionage Group

  • Dec 15, 2025
  • 2 min read

Key Findings


  • Elastic Security Labs has documented a new Windows backdoor, NANOREMOTE, that uses the Google Drive API for command-and-control (C2) and data exfiltration.

  • Because the C2 channel rides on a legitimate cloud service, the implant's traffic is TLS to googleapis.com like any Drive client's; network controls that trust Google's domains, and detections keyed on unusual destinations, see nothing out of place.

  • The malware authenticates to Google with OAuth 2.0 tokens and uses the resulting Drive access as a covert channel for moving data in both directions and staging payloads.

  • NANOREMOTE is linked to the FINALDRAFT espionage group through code reuse and the reuse of the same AES key.


Background


NANOREMOTE is believed to be the work of a seasoned espionage threat actor that has been behind previous high-profile campaigns. The backdoor was first observed in October 2025 and is notable for its ability to "ship data back and forth from the victim endpoint using the Google Drive API."


Infection Chain


The infection chain begins with a deceptive loader component called WMLOADER, which masquerades as a legitimate Bitdefender security program. Once executed, WMLOADER performs a series of decryption steps to reveal and execute the NANOREMOTE backdoor in memory.


Technical Details


  • NANOREMOTE is a full-featured implant written in C++ that borrows from open-source projects (libPeConv, Microsoft Detours) for stealth and stability.

  • It uses the libPeConv library to manually map and execute Portable Executable (PE) files from disk or memory without going through the standard Windows loader, so the loaded module is not registered like a normally loaded DLL.

  • It uses Microsoft Detours to hook process-termination functions, so an error in one worker thread does not bring down the whole implant process.

  • A task-management system handles data transfers: file transfers can be queued, paused and resumed, and the implant uses an OAuth 2.0 refresh token to obtain new access tokens, so it keeps its Drive access without any user interaction.
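
The detection angle that follows from the Key Findings and from the OAuth/Drive behaviour above is an added example, not Elastic's detection logic and not code from the NANOREMOTE report: it flags a process that both fetches tokens from Google's OAuth endpoint and calls the Drive v3 API from the same host, unless its full image path is on an allowlist of known Drive clients. The event schema, the allowlist paths, the user-writable directory list and every sample event are constructed for this example; the assumption is that an endpoint agent or TLS-inspecting proxy records the initiating process and the full URL.

```python
"""Added example: flag non-allowlisted processes that both fetch Google OAuth
tokens and talk to the Drive v3 API from the same host."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry (JSON lines, one HTTP request per line). Field
# names and values are made up for this example; this is not a real EDR schema
# and not observed NANOREMOTE traffic.
SAMPLE_EVENTS = r"""
{"ts": "2025-12-15T09:00:01Z", "host": "WS01", "process": "chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "method": "POST", "url": "https://oauth2.googleapis.com/token"}
{"ts": "2025-12-15T09:00:02Z", "host": "WS01", "process": "chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "method": "POST", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"}
{"ts": "2025-12-15T09:05:10Z", "host": "WS02", "process": "updater.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "method": "POST", "url": "https://oauth2.googleapis.com/token"}
{"ts": "2025-12-15T09:05:11Z", "host": "WS02", "process": "updater.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "method": "GET", "url": "https://www.googleapis.com/drive/v3/files?q=name%20contains%20%27task%27"}
{"ts": "2025-12-15T09:05:40Z", "host": "WS02", "process": "updater.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "method": "POST", "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable"}
{"ts": "2025-12-15T09:07:00Z", "host": "WS03", "process": "outlook.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "method": "POST", "url": "https://oauth2.googleapis.com/token"}
{"ts": "2025-12-15T09:08:00Z", "host": "WS03", "process": "svchost.exe", "image": "C:\\Windows\\System32\\svchost.exe", "method": "GET", "url": "https://www.microsoft.com/"}
{"ts": "2025-12-15T09:09:00Z", "host": "WS04", "process": "chrome.exe", "image": "C:\\Users\\bob\\AppData\\Roaming\\chrome.exe", "method": "POST", "url": "https://oauth2.googleapis.com/token"}
{"ts": "2025-12-15T09:09:05Z", "host": "WS04", "process": "chrome.exe", "image": "C:\\Users\\bob\\AppData\\Roaming\\chrome.exe", "method": "GET", "url": "https://www.googleapis.com/drive/v3/files"}
"""

# Assumption: only these full image paths are legitimate OAuth/Drive clients.
# Keying on the full path rather than the file name means a binary renamed to
# chrome.exe and dropped into a user-writable directory is still flagged.
ALLOWLIST = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Directories a standard user can write to; an implant living here is more
# suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify(url: str):
    """Return 'token' for Google's OAuth token endpoint, 'drive' for Drive v3
    metadata or upload calls, None for anything else."""
    p = urlparse(url)
    if p.hostname == "oauth2.googleapis.com" and p.path == "/token":
        return "token"
    if p.hostname == "www.googleapis.com" and p.path.startswith(("/drive/v3/", "/upload/drive/v3/")):
        return "drive"
    return None


def detect(lines, allowlist=ALLOWLIST):
    """Aggregate requests per (host, image path) and report every process that
    made both kinds of call and is not allowlisted."""
    seen = defaultdict(lambda: {"token": 0, "drive": 0, "process": ""})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = classify(ev["url"])
        if kind is None:
            continue
        key = (ev["host"], ev["image"].lower())
        seen[key][kind] += 1
        seen[key]["process"] = ev["process"]

    findings = []
    for (host, image), s in seen.items():
        if image in allowlist or not (s["token"] and s["drive"]):
            continue
        severity = "high" if any(d in image for d in USER_WRITABLE) else "medium"
        findings.append({
            "host": host,
            "process": s["process"],
            "image": image,
            "token_calls": s["token"],
            "drive_calls": s["drive"],
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']}] {f['host']} {f['process']} ({f['image']}): "
              f"{f['token_calls']} token call(s), {f['drive_calls']} Drive call(s)")
```

Two caveats for real deployment: without TLS inspection or an endpoint agent you only get the SNI or DNS name, so the URL-path checks collapse to "talked to oauth2.googleapis.com and www.googleapis.com", which is still a usable pair when the initiating process is known; and the allowlist must be path-based and ideally signature-based, since a process name is free for the malware to choose.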


Linking NANOREMOTE to FINALDRAFT


Elastic Security Labs has linked NANOREMOTE to the REF7707 threat cluster, which it previously associated with the FINALDRAFT malware family. The connection rests on code-level evidence, including:


  • Identical code for generating GUIDs and hashing them with the Fowler-Noll-Vo (FNV) hash function

  • Reuse of the exact same AES key (3A5AD78097D944AC) to decrypt the payloads of both NANOREMOTE and FINALDRAFT
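
The GUID-hashing routine named in the first bullet is the kind of victim-ID code whose byte-for-byte reuse supports the attribution. The block below is an added example written for this page, not Elastic's code and not code recovered from either implant: it derives an ID from a GUID with FNV. The page does not say which FNV variant (FNV-1 or FNV-1a), which width (32- or 64-bit) or which GUID text form the implants use, so the example computes all four combinations; those choices, the canonical hyphenated lowercase GUID serialisation and the use of a fresh random GUID as input are all assumptions of this example.

```python
"""Added example: FNV-1 / FNV-1a over a GUID string, the shape of routine whose
identical reuse Elastic cited when linking NANOREMOTE to FINALDRAFT."""
import uuid

# Standard FNV parameters: (offset basis, prime, mask) for each width.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv(data: bytes, bits: int = 32, variant: str = "1a") -> int:
    """FNV-1 multiplies then XORs each byte; FNV-1a XORs then multiplies.
    The two differ in output for every non-empty input, which is what lets an
    analyst tell them apart from a sample's observed output."""
    basis, prime, mask = FNV_PARAMS[bits]
    h = basis
    for byte in data:
        if variant == "1a":
            h = ((h ^ byte) * prime) & mask
        elif variant == "1":
            h = ((h * prime) & mask) ^ byte
        else:
            raise ValueError(f"unknown FNV variant {variant!r}")
    return h


def victim_id(guid, bits: int = 32, variant: str = "1a") -> str:
    """Hash a GUID into a fixed-width hex ID.

    Assumption of this example: the GUID is hashed in its canonical hyphenated
    lowercase text form ("xxxxxxxx-xxxx-..."); the page does not say how the
    implants serialise it before hashing."""
    text = str(guid).lower()
    return f"{fnv(text.encode('ascii'), bits, variant):0{bits // 4}x}"


def fingerprint_variants(guid) -> dict:
    """All four common width/variant combinations for one GUID, so a sample's
    real output can be matched against the variant a binary implements."""
    return {f"fnv{v}-{b}": victim_id(guid, b, v) for b in (32, 64) for v in ("1", "1a")}


if __name__ == "__main__":
    g = uuid.uuid4()  # assumption: a fresh random GUID stands in for the implant's
    print("guid:", g)
    for name, value in fingerprint_variants(g).items():
        print(f"{name:8s} {value}")
```

FNV itself is common enough that matching the algorithm proves nothing; what carries weight in the attribution is that the GUID-generation-plus-hashing code is identical in both families, and that the same AES key decrypts both payloads.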


Conclusion


NANOREMOTE represents a sophisticated new Windows backdoor that leverages the trusted infrastructure of Google Drive to evade detection and exfiltrate sensitive data. The malware's use of legitimate cloud services for C2 operations and its connection to the FINALDRAFT espionage group highlight the evolving tactics of advanced threat actors.


Sources


  • https://securityonline.info/new-nanoremote-backdoor-uses-google-drive-api-for-covert-c2-and-links-to-finaldraft-espionage-group/

  • https://x.com/the_yellow_fall/status/2000396600125088186

  • https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html

© 2025 by Explain IT Again.