Elastic detects stealthy NANOREMOTE malware using Google Drive as C2

Pierluigi Paganini
December 12, 2025

Elastic found a new Windows backdoor, NANOREMOTE, similar to FINALDRAFT/REF7707, using the Google Drive API for C2.

Elastic Security Labs researchers uncovered NANOREMOTE, a new Windows backdoor that uses the Google Drive API for C2. Elastic says it shares code with the FINALDRAFT (Squidoor) implant, which uses Microsoft Graph API and is linked to threat group REF7707.

“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API.” reads the report published by Elastic. “This feature ends up providing a channel for data theft and payload staging that is difficult for detection.”

WMLOADER, a loader disguised as a Bitdefender executable carrying an invalid signature, prepares the process for shellcode execution using VirtualAlloc/VirtualProtect. The shellcode, decrypted with a rolling XOR, searches for wmsetup.log and decrypts it with AES-CBC using a fixed key, loading the NANOREMOTE backdoor into memory. Similar loaders mimic Bitdefender and Trend Micro. NANOREMOTE is a 64-bit backdoor written in C++ that runs commands, moves files, and takes its Google Drive API account configuration either from pipe-separated config strings or from the NR_GOOGLE_ACCOUNTS environment variable.

NANOREMOTE communicates over HTTP with a hard-coded, non-routable IP, receiving operator commands and returning the corresponding results.

“As mentioned previously, NANOREMOTE’s C2 communicates with a hard-coded IP address. These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00). The URI for all requests uses /api/client with User-Agent (NanoRemote/1.0).” continues the report.
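As an added detection example (not code from Elastic's report or from this article), the script below scans proxy log records for the network indicators quoted above: a POST to /api/client, the NanoRemote/1.0 User-Agent, and a private-range destination standing in for the "non-routable" hard-coded C2 address. The JSON-per-line log format and every address in it are constructed for the example.

```python
"""Flag HTTP proxy log records that match the NANOREMOTE C2 pattern."""
import ipaddress
import json

# Indicators quoted from the Elastic report in the article above.
C2_URI = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"

# Private/link-local ranges used as the "non-routable destination" check
# (explicit list so behaviour does not depend on the Python version).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log (one JSON record per line); not real telemetry.
SAMPLE_LOG = """\
{"src":"10.0.0.12","dst":"10.20.30.40","method":"POST","uri":"/api/client","ua":"NanoRemote/1.0"}
{"src":"10.0.0.12","dst":"203.0.113.5","method":"GET","uri":"/index.html","ua":"Mozilla/5.0"}
{"src":"10.0.0.15","dst":"198.51.100.9","method":"POST","uri":"/api/client","ua":"curl/8.0"}
{"src":"10.0.0.15","dst":"192.168.5.5","method":"POST","uri":"/api/client","ua":"NanoRemote/1.0"}
"""


def is_non_routable(addr: str) -> bool:
    """True if the address falls in a private or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def score(rec: dict) -> list[str]:
    """Return the NANOREMOTE indicators a single request record matches."""
    hits = []
    if rec.get("method") == "POST" and rec.get("uri") == C2_URI:
        hits.append("uri")
    if rec.get("ua") == C2_USER_AGENT:
        hits.append("user-agent")
    # Only count the destination as corroboration when a C2 indicator hit.
    if hits and is_non_routable(rec.get("dst", "0.0.0.0")):
        hits.append("non-routable-dst")
    return hits


def find_nanoremote(log_text: str) -> list[dict]:
    """Parse the log and return records with at least two indicators."""
    alerts = []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        rec = json.loads(line)
        hits = score(rec)
        if len(hits) >= 2:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_nanoremote(SAMPLE_LOG):
        print(alert)
```

The third record (correct URI but a different User-Agent and a routable destination) scores a single indicator and is deliberately not raised, so that ordinary /api/client endpoints do not alert on the path alone.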

NANOREMOTE supports 22 command handlers enabling full control over an infected Windows system. These handlers let attackers gather system info, modify beacon timing, terminate the implant, and manage files and directories (list, move, delete, create). The backdoor can execute commands, load PE files from disk or directly from memory, and change or retrieve the working directory.

It also includes advanced file-transfer capabilities using the Google Drive API, with queued download/upload tasks that can be paused, resumed, or canceled. These transfers blend into normal encrypted cloud traffic, complicating detection. Handlers also collect disk info, profile the victim, and maintain persistence and controlled teardown. The implant uses custom PE loaders, Microsoft Detours for function hooking, and task queues to manage ongoing operations.

“Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads. It’s not clear why the threat group behind these implants are not rotating the key, it’s possibly due to convenience or testing.” concludes the report. “This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.”
