NANOREMOTE Backdoor Hides C2 in Google Drive Traffic

December 11, 2025 at 12:00 AM

Elastic Security Labs has profiled NANOREMOTE, a fully featured Windows backdoor that covertly uses the Google Drive API for command-and-control. The approach enables stealthy data theft and payload staging that blends into legitimate cloud traffic. Researchers also found notable code overlap with the FINALDRAFT (Squidoor) implant, which instead leverages the Microsoft Graph API, tying both to the REF7707 threat cluster.

Who is behind it: REF7707 (aka CL-STA-0049, Earth Alux, Jewelbug) is a suspected China-linked activity set observed targeting government, defense, telecommunications, education, and aviation organizations across Southeast Asia and South America since March 2023. In October 2025, Symantec reported a five-month intrusion at a Russian IT service provider attributed to the same group.

Initial access and loader: The initial delivery vector for NANOREMOTE is unknown. The observed chain features a loader dubbed WMLOADER that mimics Bitdefender’s crash handler (BDReinit.exe). WMLOADER decrypts shellcode that launches the backdoor.

What the malware can do: Written in C++, NANOREMOTE supports reconnaissance, command execution, and two-way file transfer via the Google Drive API. A built-in task management system queues downloads/uploads, pauses/resumes/cancels transfers, and generates refresh tokens to sustain access.

C2 traffic design: The backdoor is preconfigured to use a hard-coded, non-routable IP over HTTP. It sends JSON via POST requests, with the data Zlib-compressed and then AES-CBC encrypted using the 16-byte key 558bec83ec40535657833d7440001c00 (shown as hex). All requests use the /api/client path and the User-Agent NanoRemote/1.0.

Command set: NANOREMOTE exposes 22 command handlers to:

  • Collect host information
  • Perform file and directory operations
  • Run PE files resident on disk
  • Clear cache
  • Download/upload files to Google Drive
  • Pause/resume/cancel data transfers
  • Terminate itself

Links to FINALDRAFT: Elastic identified an artifact (wmsetup.log) uploaded to VirusTotal from the Philippines on October 3, 2025. WMLOADER can decrypt it with the same 16-byte key to reveal a FINALDRAFT implant, strongly suggesting a shared codebase and development pipeline. Researchers hypothesize the identical hard-coded key persists because the loader is built to work across multiple payloads.

Why it matters: Abusing popular cloud APIs like Google Drive and Microsoft Graph provides resilient, low-noise C2 channels that are harder to detect in enterprise environments.

Defender notes:

  • Monitor for unusual Google Drive API usage, large or automated transfer patterns, and anomalous refresh token activity.
  • Hunt for HTTP traffic using the path /api/client with the User-Agent NanoRemote/1.0.
  • Be cautious of binaries masquerading as security software components such as BDReinit.exe.
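A hunt for the two network indicators above (the /api/client path and the NanoRemote/1.0 User-Agent), as an added example that is not code from Elastic or the original article. The JSON-lines proxy log format, its field names and the sample entries are assumed and constructed; the weak "POST to a non-routable host" signal reflects the hard-coded non-routable C2 IP described above.

```python
import ipaddress
import json

# Indicators quoted in the report
C2_PATH = "/api/client"
C2_UA = "NanoRemote/1.0"

# Constructed sample proxy log (JSON lines, assumed field names); not real telemetry.
SAMPLE_LOG = """\
{"src":"10.1.2.3","dst":"10.9.8.7","method":"POST","path":"/api/client","ua":"NanoRemote/1.0","bytes_out":4096}
{"src":"10.1.2.4","dst":"142.250.72.14","method":"GET","path":"/drive/v3/files","ua":"Mozilla/5.0","bytes_out":512}
{"src":"10.1.2.5","dst":"10.9.8.7","method":"POST","path":"/api/client","ua":"Mozilla/5.0","bytes_out":2048}
{"src":"10.1.2.6","dst":"93.184.216.34","method":"POST","path":"/upload","ua":"NanoRemote/1.0","bytes_out":65536}
"""


def is_non_routable(addr: str) -> bool:
    """True for private, loopback, link-local and other non-global addresses."""
    try:
        return not ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Both exact indicators together are high confidence,
    either alone still merits triage, and a POST to a non-routable host adds weak signal."""
    score, reasons = 0, []
    if ev.get("path") == C2_PATH:
        score += 2
        reasons.append("path /api/client")
    if ev.get("ua") == C2_UA:
        score += 3
        reasons.append("user-agent NanoRemote/1.0")
    if ev.get("method") == "POST" and is_non_routable(ev.get("dst", "")):
        score += 1
        reasons.append("POST to non-routable destination")
    return score, reasons


def hunt(log_text: str, threshold: int = 2) -> list[dict]:
    """Parse a JSON-lines proxy log and return events at or above threshold, highest score first."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"src": ev["src"], "dst": ev["dst"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The benign Google Drive API request in the sample scores zero, which is the point: the hunt keys on the backdoor's fixed HTTP artifacts rather than on cloud-API traffic in general.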

Source: The Hacker News
