Advisory ID: NCC-CSIRT-2025-027
Summary:
Elastic Security Labs discovered a new, fully featured Windows backdoor named NANOREMOTE that uses the Google Drive API as a stealthy channel for command-and-control (C2), payload staging and data exfiltration. NANOREMOTE implements a task management system for reliable file transfers (queueing, pause/resume, refresh token handling) and also speaks to a hard-coded non-routable HTTP endpoint for operator requests. The implant shows clear code and infrastructure overlap with the previously documented FINALDRAFT family (REF7707 activity cluster), suggesting a shared authoring environment or common operator.
Damage/Probability: Critical/High
Product(s):
- Microsoft Windows (desktop and server endpoints)
- Applications that can run userland loaders (e.g., MSVC/C++ runtime hosts)
- Any enterprise environment where Google Drive API endpoints are reachable from workstations
Version(s):
Not version-specific; affects any Windows system on which the NANOREMOTE implant or its loader (WMLOADER) can be executed.
Platform(s):
Enterprise and government Windows hosts, especially in targeted sectors (telecom, government, defence, education, aviation, etc.).
Description:
Elastic Security Labs identified a multi-stage attack in which WMLOADER, disguised as a Bitdefender component, deploys the NANOREMOTE backdoor. The malware supports remote control, reconnaissance, and data exfiltration via Google Drive and encrypted HTTP communications, with shared artifacts indicating links to FINALDRAFT and possible shared development.
C2 and exfiltration mechanics: NANOREMOTE can register with Google Drive to refresh tokens and queue tasks for uploading exfiltrated files or downloading staged payloads. Operator requests can be processed either via Google Drive file exchange or via the implant's HTTP POST channel. This dual-channel design enhances resilience and stealth.
Attribution signals: Code similarities and shared cryptographic artifacts tie NANOREMOTE to the REF7707 cluster (also linked to FINALDRAFT / Squidoor), a group previously observed by multiple vendors (Unit42, Palo Alto Networks) targeting government and telecom entities. Symantec/Broadcom also reported related intrusions in October 2025. These correlations raise the likelihood of state-aligned espionage tradecraft.
Threat Types:
- Covert C2 abuse of legitimate cloud API (Google Drive API)
- Data staging & exfiltration via cloud storage APIs
- Multi-stage loader + backdoor (WMLOADER -> NANOREMOTE)
- Espionage / targeted information theft (REF7707-linked activity)
Impacts:
- Sensitive data can be staged and exfiltrated via trusted cloud services (e.g., Google Drive), reducing network detectability.
- The loader and backdoor provide remote code execution and persistent access, with legitimate cloud APIs and tokens hindering detection and attribution.
- Telemetry links the toolset to REF7707-like activity targeting government and critical sectors.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Isolate suspected WMLOADER/NANOREMOTE hosts and collect key forensic artifacts for analysis.
- Revoke suspicious OAuth refresh tokens and audit Google Drive account activity; rotate affected credentials.
- Scan endpoints for known WMLOADER/NANOREMOTE indicators and quarantine infected systems.
- Block identified C2 endpoints and monitor for NANOREMOTE-related HTTP POST traffic.
- Enforce least-privilege cloud access by restricting OAuth scopes, applying conditional access, and monitoring token anomalies.
- Strengthen email and endpoint controls to prevent loader delivery and detect malicious shellcode.
- If compromise is confirmed, rebuild affected hosts, rotate all exposed credentials, and share IOCs with NCC-CSIRT and the national CERT.
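The monitoring steps above (auditing Drive activity, watching for token anomalies and for the implant's HTTP POST channel) can be approximated from web-proxy logs. The following is an added example, not code from Elastic or NCC-CSIRT: it flags hosts where a process outside a sanctioned-client allowlist both hits Google's OAuth token endpoint and calls the Drive API, or POSTs to a non-routable IP literal. The log format, host names, the "updater.exe" process name, and the allowlist are constructed assumptions; proxy logs do not show the OAuth grant_type, so token-endpoint hits stand in for refresh-token traffic.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry); fields:
# timestamp host process method url bytes_out. "updater.exe" is a made-up loader name.
SAMPLE_LOG = """\
2025-10-14T09:01:02Z WS-0412 GoogleDriveFS.exe POST https://oauth2.googleapis.com/token 612
2025-10-14T09:01:05Z WS-0412 GoogleDriveFS.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 2048000
2025-10-14T09:10:31Z WS-0417 updater.exe POST https://oauth2.googleapis.com/token 598
2025-10-14T09:10:33Z WS-0417 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 8400000
2025-10-14T09:12:00Z WS-0417 updater.exe POST http://10.255.255.1/update 312
2025-10-14T09:15:44Z WS-0420 chrome.exe GET https://www.googleapis.com/drive/v3/files 0
"""

# Assumption: the estate's sanctioned Google Drive clients; tune per environment.
ALLOWED_DRIVE_CLIENTS = {"googledrivefs.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
TOKEN_HOST = "oauth2.googleapis.com"                       # Google OAuth 2.0 token endpoint
DRIVE_PATH_PREFIXES = ("/drive/v3/", "/upload/drive/v3/")  # Drive API v3 paths on www.googleapis.com


def is_non_routable(host: str) -> bool:
    """True when the URL host is an IP literal in private/reserved/loopback/link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local


def analyze(log_text: str) -> dict:
    """Map host -> sorted finding tags for hosts showing NANOREMOTE-like traffic:
    an unsanctioned process both fetching OAuth tokens and calling the Drive API,
    or any POST to a non-routable IP literal (the hard-coded operator channel)."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, host, proc, method, url, _bytes = line.split()
        u = urlparse(url)
        unsanctioned = proc.lower() not in ALLOWED_DRIVE_CLIENTS
        if unsanctioned and method == "POST" and u.hostname == TOKEN_HOST:
            seen[host].add("oauth_token_unsanctioned_process")
        if unsanctioned and u.hostname == "www.googleapis.com" and u.path.startswith(DRIVE_PATH_PREFIXES):
            seen[host].add("drive_api_unsanctioned_process")
        if method == "POST" and u.hostname and is_non_routable(u.hostname):
            seen[host].add("post_to_non_routable_ip")
    # Report only when the two Drive signals co-occur, or the non-routable POST fired.
    pair = {"oauth_token_unsanctioned_process", "drive_api_unsanctioned_process"}
    return {h: sorted(t) for h, t in seen.items()
            if pair <= t or "post_to_non_routable_ip" in t}
```

A real deployment should join the proxy records with endpoint process telemetry so the process field is trustworthy, and should treat a hit as a triage lead, not a verdict.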
References: