NANOREMOTE Backdoor
Cybersecurity researchers have uncovered a fully-featured Windows backdoor named NANOREMOTE, which leverages the Google Drive API for its Command-and-Control (C2) operations. This malware exhibits sophisticated capabilities for data exfiltration and remote operations, making it a significant threat to targeted organizations.
Links to Previous Threat Activity
NANOREMOTE shares notable code similarities with another implant, known as FINALDRAFT (also referred to as Squidoor), which utilizes the Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster designated REF7707 (also known as CL-STA-0049, Earth Alux, and Jewelbug).
REF7707 is assessed to be a suspected Chinese cyber espionage group that has targeted:
- Government agencies
- Defense organizations
- Telecommunications companies
- Educational institutions
- Aviation sectors
The group's activity has been observed in Southeast Asia and South America since March 2023. Notably, in October 2025, researchers linked REF7707 to a five-month intrusion against a Russian IT service provider.
Malware Capabilities and Architecture
NANOREMOTE's core functionality revolves around leveraging the Google Drive API for both data exfiltration and payload staging, creating a discreet and difficult-to-detect communication channel for attackers. Its task management system is designed to queue file transfers, handle the pausing and resuming of those transfers, allow operators to cancel ongoing operations, and generate refresh tokens to maintain persistent activity.
The backdoor itself is built in C++ and is capable of performing extensive reconnaissance on infected hosts, executing files and system commands, and moving data between compromised environments and Google Drive. It also maintains communication with a hard-coded, non-routable IP address using standard HTTP traffic. During this communication, JSON data is sent through POST requests after being compressed with Zlib and encrypted using AES-CBC with a 16-byte key (558bec83ec40535657833d7440001c00). All outbound requests rely on the /api/client path and identify themselves using the NanoRemote/1.0 User-Agent string.
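The HTTP characteristics above (POST to the /api/client path, the NanoRemote/1.0 User-Agent, and a hard-coded non-routable destination) are the kind of network indicators a defender can hunt for in proxy or egress logs. The script below is an added example, not code from the article or from any vendor tooling: it parses a constructed proxy-log format, scores each request against those three indicators, and reports the matches. The log format, the sample lines, the constructed source and destination addresses, and the use of Python's `ipaddress` private/reserved attributes as an approximation of "non-routable" are all assumptions of this example.

```python
# Added example: triage proxy logs for the NANOREMOTE C2 profile described in the article.
# Log format, sample lines and addresses are constructed for this example.
import ipaddress
import re

# Constructed format: <timestamp> <client_ip> <method> <dest_ip> <path> <status> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<dst>\S+)\s+'
    r'(?P<path>\S+)\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

# Indicators taken from the article.
C2_PATH = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"

# Constructed sample log: one full match, one benign Drive API call, one path+destination
# match with a different User-Agent, one path-only match to a public address, one malformed line.
SAMPLE_LOG = """\
2025-10-03T08:12:01Z 10.20.30.41 POST 192.168.5.7 /api/client 200 "NanoRemote/1.0"
2025-10-03T08:12:05Z 10.20.30.42 GET 8.8.4.4 /drive/v3/files 200 "Mozilla/5.0"
2025-10-03T08:12:09Z 10.20.30.43 POST 10.0.0.9 /api/client 200 "curl/8.4.0"
2025-10-03T08:12:13Z 10.20.30.44 POST 8.8.8.8 /api/client 200 "Mozilla/5.0"
this line is malformed
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_non_routable(ip_text):
    """Approximate 'non-routable': private (RFC 1918 and similar), loopback, link-local or reserved."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def score_event(ev):
    """Return the list of NANOREMOTE indicators present in a parsed event."""
    hits = []
    if ev["ua"] == C2_USER_AGENT:
        hits.append("user_agent")
    if ev["method"] == "POST" and ev["path"] == C2_PATH:
        hits.append("post_api_client")
    if is_non_routable(ev["dst"]):
        hits.append("non_routable_dst")
    return hits


def triage(lines):
    """Flag events: the User-Agent alone is high confidence; POST /api/client to a non-routable
    destination without the User-Agent is medium confidence. Path alone is not reported."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not match the expected format
        hits = score_event(ev)
        if "user_agent" in hits:
            confidence = "high"
        elif "post_api_client" in hits and "non_routable_dst" in hits:
            confidence = "medium"
        else:
            continue
        findings.append({"src": ev["src"], "dst": ev["dst"],
                         "indicators": hits, "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['confidence']:6} {f['src']} -> {f['dst']} {f['indicators']}")
```

Treat the User-Agent and path as a starting point rather than a durable signature: both are trivially changed between builds, which is why the example also weighs the non-routable destination, a property of the deployment rather than of the binary. Running the block on the sample prints two findings, one high and one medium confidence.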
The malware relies on a set of 22 command handlers that collectively enable it to gather system information, manipulate files and directories, execute portable executable files already present on disk, clear cached data, control the movement of files to and from Google Drive, and terminate its own operation when instructed.
The infection chain begins with a loader known as WMLOADER, although the method used to deliver NANOREMOTE to victims remains unknown. WMLOADER masquerades as the crash-handling component BDReinit.exe, a file typically associated with a legitimate cybersecurity tool, and is responsible for decrypting the shellcode that ultimately launches the backdoor.
Launching The Backdoor
An artifact named wmsetup.log, discovered in the Philippines on October 3, 2025, can be decrypted by WMLOADER using the same 16-byte key. This log revealed a FINALDRAFT implant, suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.
The working hypothesis is that WMLOADER uses the same hard-coded key due to its integration in a unified build process designed to handle multiple payloads.