
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems

Published:

11 December 2025 at 13:16:00

Alert date:

11 December 2025 at 14:58:19

Source:

thehackernews.com


Cybersecurity researchers have disclosed details of a new, fully featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2). The malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor), which uses the Microsoft Graph API for C2; FINALDRAFT has been attributed to a threat actor. Routing C2 traffic through a legitimate cloud service lets it blend in with ordinary activity and helps the backdoor evade detection.

Technical details

NANOREMOTE is a fully featured Windows backdoor written in C++ that uses the Google Drive API for command-and-control. It is delivered by a loader called WMLOADER, which mimics Bitdefender's BDReinit.exe crash-handling component and decrypts shellcode to launch the backdoor. The malware communicates with a hard-coded, non-routable IP address over HTTP, sending JSON data in POST requests that are Zlib-compressed and then encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00). Requests go to the URI /api/client with the User-Agent NanoRemote/1.0. The backdoor implements 22 command handlers covering reconnaissance, file operations, PE execution, cache clearing, file transfers via Google Drive, and self-termination.

Mitigation steps:

Monitor for suspicious Google Drive API usage. Detect HTTP traffic to the /api/client URI carrying the NanoRemote/1.0 User-Agent. Watch for BDReinit.exe processes that may be masquerading as the legitimate Bitdefender component. Monitor the network for encrypted HTTP POST requests that match the described pattern (Zlib-compressed, AES-CBC-encrypted JSON sent to a hard-coded, non-routable address).
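A log-based detection for the network indicators above (the /api/client URI, the NanoRemote/1.0 User-Agent, and POSTs to non-routable addresses), added here as an example and not taken from the advisory or from any vendor tool. The proxy-log line format, the indicator weights, and the sample log lines are constructed assumptions; only the URI and User-Agent values come from the advisory.

```python
import ipaddress
import re

# Network indicators from the advisory text; the weights are an assumption for this example.
C2_URI = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"
WEIGHTS = {"uri": 2, "user-agent": 3, "post-to-non-routable": 1}

# Constructed proxy-log line format (an assumption for this example, not from the advisory):
#   <timestamp> <src_ip> <dst_ip> <method> <uri> ua="<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) ua="(?P<ua>[^"]*)"$'
)

def score_line(line):
    """Score one log line against the NANOREMOTE C2 pattern; returns (score, reasons)."""
    m = LOG_RE.match(line)
    if not m:
        return 0, ["unparsed"]
    reasons = []
    if m["uri"] == C2_URI:  # hard-coded C2 endpoint
        reasons.append("uri")
    if m["ua"] == C2_USER_AGENT:  # distinctive User-Agent string
        reasons.append("user-agent")
    try:
        # The advisory notes a hard-coded, non-routable C2 address: flag POSTs to such destinations.
        if m["method"] == "POST" and not ipaddress.ip_address(m["dst"]).is_global:
            reasons.append("post-to-non-routable")
    except ValueError:
        pass  # destination is a hostname, not an IP literal
    return sum(WEIGHTS[r] for r in reasons), reasons

def detect(lines, threshold=3):
    """Return (dst, score, reasons) for every line scoring at or above the alert threshold."""
    hits = []
    for line in lines:
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((LOG_RE.match(line)["dst"], score, reasons))
    return hits

# Constructed sample log lines (RFC 1918 addresses, not real telemetry).
SAMPLE_LOG = [
    '2025-12-11T13:16:00Z 10.0.0.5 10.10.10.5 POST /api/client ua="NanoRemote/1.0"',
    '2025-12-11T13:16:02Z 10.0.0.6 10.0.0.20 POST /api/v2/upload ua="Mozilla/5.0"',
    '2025-12-11T13:16:03Z 10.0.0.7 10.0.0.20 GET /api/client ua="Mozilla/5.0"',
    '2025-12-11T13:16:04Z 10.0.0.8 10.10.10.5 GET /health ua="NanoRemote/1.0"',
    'garbage line',
]
```

With the default threshold, the User-Agent match alone raises an alert, while a lone /api/client request or a POST to an internal address does not; raise the threshold to require the full combination.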

Affected products:

Windows systems

Related links:

Related CVEs:

Related threat actors:

IOCs:

BDReinit.exe, WMLOADER, AES-CBC key: 558bec83ec40535657833d7440001c00, URI: /api/client, User-Agent: NanoRemote/1.0, wmsetup.log, Hash: a0b0659e924d7ab27dd94f111182482d5c827562d71f8cafc2c44da2e549fe61

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
