


Perceptive Security
SOC/SIEM Consultancy

NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems
Published:
11 December 2025 at 13:16:00
Alert date:
11 December 2025 at 14:58:19
Source:
thehackernews.com
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. The malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat actor. This represents a sophisticated approach to C2 communications by abusing legitimate cloud services to avoid detection.
Technical details
NANOREMOTE is a fully-featured Windows backdoor written in C++ that uses the Google Drive API for command-and-control purposes. It is delivered by a loader, WMLOADER, which mimics Bitdefender's BDReinit.exe crash-handling component and decrypts shellcode to launch the backdoor. The backdoor communicates with a hard-coded, non-routable IP address over HTTP, sending JSON data in POST requests that are Zlib-compressed and then encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00). Requests go to the URI /api/client with the User-Agent NanoRemote/1.0. The malware implements 22 command handlers covering reconnaissance, file operations, PE execution, cache clearing, Google Drive file transfers, and self-termination.
Mitigation steps:
Monitor for suspicious Google Drive API usage from endpoints.
Detect HTTP traffic to the /api/client URI carrying the NanoRemote/1.0 User-Agent.
Watch for BDReinit.exe processes that may be masquerading as the legitimate Bitdefender component.
Implement network monitoring for encrypted HTTP POST requests matching the identified encryption and compression pattern.
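The network indicators in the technical details and the second and fourth mitigation steps can be turned into a simple log-scanning check. The script below is an added example for this page; it is not code from Perceptive, Elastic, or the advisory's sources. It assumes web-proxy logs exported as JSON lines with the fields dst_ip, method, uri and user_agent (field names are an assumption), and the sample records are constructed for the example: the 192.0.2.0/24 and 10.0.0.0/8 addresses are placeholders for the undisclosed non-routable C2 address, not real indicators. The User-Agent match alone is treated as high confidence; the URI match and a POST to a non-routable address are each weak on their own (internal applications legitimately do both) and only alert in combination.

```python
import ipaddress
import json
from typing import Dict, List, Optional

# Indicators quoted in the advisory above.
C2_URI = "/api/client"
C2_USER_AGENT = "NanoRemote/1.0"

# Constructed sample proxy log records (JSON lines) for this example; not real telemetry.
# 192.0.2.x (documentation range) and 10.1.2.3 (RFC 1918) stand in for the
# hard-coded non-routable C2 address, which the advisory does not disclose.
SAMPLE_PROXY_LOGS = [
    '{"ts":"2025-12-11T13:00:01Z","src_ip":"172.16.5.20","dst_ip":"93.184.216.34",'
    '"method":"GET","uri":"/","user_agent":"Mozilla/5.0"}',
    '{"ts":"2025-12-11T13:00:07Z","src_ip":"172.16.5.21","dst_ip":"192.0.2.10",'
    '"method":"POST","uri":"/api/client","user_agent":"NanoRemote/1.0"}',
    '{"ts":"2025-12-11T13:00:09Z","src_ip":"172.16.5.22","dst_ip":"192.0.2.20",'
    '"method":"POST","uri":"/api/client","user_agent":"Mozilla/5.0"}',
    '{"ts":"2025-12-11T13:00:12Z","src_ip":"172.16.5.23","dst_ip":"10.1.2.3",'
    '"method":"POST","uri":"/upload","user_agent":"Mozilla/5.0"}',
    'this line is not JSON and is skipped',
]


def is_non_routable(ip_text: str) -> bool:
    """True for private, loopback, link-local, documentation and other
    non-globally-routable addresses; False for public IPs or unparsable input."""
    try:
        return not ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def classify(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one proxy record against the NANOREMOTE network indicators.

    Returns an alert dict with severity and matched reasons, or None."""
    reasons: List[str] = []
    ua_match = rec.get("user_agent") == C2_USER_AGENT
    if ua_match:
        reasons.append("User-Agent NanoRemote/1.0")
    if rec.get("uri") == C2_URI:
        reasons.append("URI /api/client")
    if rec.get("method") == "POST" and is_non_routable(rec.get("dst_ip", "")):
        reasons.append("HTTP POST to non-routable destination")

    if ua_match:
        severity = "high"          # the hard-coded UA is specific to this implant
    elif len(reasons) >= 2:
        severity = "medium"        # two weak indicators together
    else:
        return None                # a lone weak indicator is normal enterprise traffic
    return {
        "ts": rec.get("ts"),
        "src_ip": rec.get("src_ip"),
        "dst_ip": rec.get("dst_ip"),
        "severity": severity,
        "reasons": reasons,
    }


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON-lines proxy logs, skip malformed lines, return alerts in order."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_PROXY_LOGS):
        print(f"{a['ts']} {a['src_ip']} -> {a['dst_ip']} [{a['severity']}] "
              + "; ".join(a["reasons"]))
```

Run against the constructed sample, the scanner raises one high-severity alert for the record with the NanoRemote/1.0 User-Agent and one medium-severity alert for the POST to /api/client on a non-routable address, while the plain internal upload and the public GET produce nothing. For production use, feed it the proxy or firewall HTTP logs the SOC already collects and pair it with the host-side check for BDReinit.exe running outside its expected Bitdefender installation path.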
Affected products:
Windows systems
Related links:
https://www.elastic.co/security-labs/nanoremote
https://thehackernews.com/2025/02/finaldraft-malware-exploits-microsoft.html
https://thehackernews.com/2025/10/chinese-threat-group-jewelbug-quietly.html
https://www.virustotal.com/gui/file/a0b0659e924d7ab27dd94f111182482d5c827562d71f8cafc2c44da2e549fe61/
Related CVEs:
Related threat actors:
IOCs:
Loader: WMLOADER
Masqueraded process name: BDReinit.exe
Log file: wmsetup.log
AES-CBC key: 558bec83ec40535657833d7440001c00
URI: /api/client
User-Agent: NanoRemote/1.0
Hash: a0b0659e924d7ab27dd94f111182482d5c827562d71f8cafc2c44da2e549fe61
This article was created with the assistance of AI technology by Perceptive.
