Researchers Uncover Nanoremote Backdoor Using Google Drive API For Covert Operations

Cybersecurity researchers have released new findings on a fully featured Windows backdoor known as Nanoremote, a tool that uses the Google Drive API as a command-and-control mechanism to communicate with its operators. The discovery was detailed by Elastic Security Labs, which identified notable code similarities between Nanoremote and an earlier malware strain called Finaldraft, also known as Squidoor. Finaldraft is linked to a threat cluster tracked as REF7707, also referred to as CL-STA-0049, Earth Alux and Jewelbug. This cluster has been observed targeting organizations in the government, defense, telecommunications, education and aviation sectors across Southeast Asia and South America since at least March 2023, based on previous reporting from security teams including Palo Alto Networks Unit 42. More recent findings from Symantec in October 2025 tied REF7707 to a months-long intrusion affecting a Russian IT services provider, suggesting expanded targeting and a continued operational footprint.

Elastic Security Labs explained that Nanoremote stands out due to its heavy reliance on the Google Drive API for shuttling data between the operator and compromised systems. Principal security researcher Daniel Stepanic stated that this technique provides a stealthy channel for moving data in and out of victim environments while allowing payload staging operations that are difficult for defenders to detect. Nanoremote includes a detailed task management module that supports creation, queuing, pausing, resuming and cancellation of file transfer jobs, along with mechanisms to generate refresh tokens for ongoing access. The malware is written in C++ and contains a flexible command processing architecture that enables collection of host system information, execution of commands, launching of portable executable files stored on disk and management of files and directories. Communications with its operators consist of structured JSON data that is compressed with Zlib, encrypted with AES-CBC using a hard-coded sixteen-byte key, and then submitted over HTTP as POST requests.
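As an added illustration (not code from the article or from Elastic's analysis), the following Go program shows how an analyst could unwrap a captured beacon body that uses the layering described above: AES-CBC with a sixteen-byte key, then Zlib, then JSON. The key value, the message field names and the IV placement (assumed to be prepended to the ciphertext, since the article does not say how the IV is carried) are assumptions; the real key is not published on this page. The `EncodeSample` helper only exists so the decoder can be exercised offline on a constructed message, and the decoder returns an error rather than panicking when the key is wrong or the blob is truncated.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PlaceholderKey stands in for the hard-coded 16-byte key; the real key is not on the page.
var PlaceholderKey = []byte("0123456789abcdef")

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding, which is the
// usual first symptom of decrypting with the wrong key.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecodeBeacon unwraps one captured POST body: AES-CBC decrypt, strip padding,
// zlib-inflate, parse JSON. Assumption: a 16-byte IV is prepended to the ciphertext.
func DecodeBeacon(key, blob []byte) (map[string]any, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block-aligned")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, fmt.Errorf("unpad: %w (wrong key?)", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("zlib: %w", err)
	}
	defer zr.Close()
	// Cap inflation so a corrupt or hostile blob cannot exhaust memory.
	raw, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	var msg map[string]any
	if err := json.Unmarshal(raw, &msg); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return msg, nil
}

// EncodeSample applies the same layering forwards so the decoder can be tested
// offline on a constructed message. The fixed IV is for reproducibility only.
func EncodeSample(key []byte, msg map[string]any) ([]byte, error) {
	raw, err := json.Marshal(msg)
	if err != nil {
		return nil, err
	}
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write(raw)
	zw.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	pt := pkcs7Pad(zb.Bytes())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

func main() {
	// Constructed message; the field names are illustrative, not Nanoremote's real schema.
	sample := map[string]any{"task_id": "constructed-001", "type": "host_info", "host": "WS-EXAMPLE"}
	blob, _ := EncodeSample(PlaceholderKey, sample)
	msg, err := DecodeBeacon(PlaceholderKey, blob)
	fmt.Println(msg, err)
	_, err = DecodeBeacon([]byte("ffffffffffffffff"), blob)
	fmt.Println("wrong key:", err)
}
```

In practice the key comes from the sample (Elastic describes it as hard-coded), and the captured POST bodies come from a proxy or packet capture; the decoder is the piece that turns those bodies into task records an analyst can read.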

The malware is deployed using a loader referred to as WMLOADER, which presents itself as a legitimate Bitdefender crash-handling component named BDReinit.exe. This loader decrypts embedded shellcode that launches the Nanoremote payload. The observed build of Nanoremote is preconfigured to contact a non-routable IP address for initial instruction processing, although its primary command-and-control functions are embedded within its Google Drive API interactions. Elastic researchers identified twenty-two distinct command handlers within the backdoor, enabling it to collect data, transfer files, manage directory structures, move payloads through Google Drive, clear its cache, disable its operations and exit upon command. These extensive functions indicate a toolset designed for long-term access and detailed control of victim systems.
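Two of the details above give defenders something concrete to hunt for: a loader that borrows the name of a vendor component (BDReinit.exe) and a backdoor whose command channel is the Google Drive API. The Go program below, an added example that is not part of the article or of any vendor's detection content, runs two such rules over constructed JSON-lines endpoint telemetry. The telemetry schema, the sample records, the expected Bitdefender install directory and signer string, the Drive API host and path prefixes, and the allow-list of processes expected to reach the Drive API are all assumptions to be tuned for a real estate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a simplified endpoint telemetry record (constructed schema, not any vendor's format).
type Event struct {
	Kind   string `json:"kind"`             // "process" or "network"
	Image  string `json:"image"`            // full path of the process image
	Signer string `json:"signer,omitempty"` // code-signing subject, empty if unsigned
	Host   string `json:"host,omitempty"`   // destination host (network events)
	Path   string `json:"path,omitempty"`   // URL path (network events)
	Method string `json:"method,omitempty"`
}

type Finding struct {
	Rule, Image, Note string
}

// Assumptions to tune for your environment: where the genuine Bitdefender component
// lives, who signs it, and which processes are expected to talk to the Drive API.
var (
	bdDir        = `c:\program files\bitdefender\`
	bdSigner     = "bitdefender"
	driveHosts   = map[string]bool{"www.googleapis.com": true}
	drivePaths   = []string{"/drive/", "/upload/drive/"}
	driveClients = map[string]bool{"googledrivefs.exe": true, "chrome.exe": true, "msedge.exe": true}
)

// baseName lower-cases the file name after the last slash or backslash so Windows paths work on any OS.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

func isDriveAPI(e Event) bool {
	if !driveHosts[strings.ToLower(e.Host)] {
		return false
	}
	for _, pfx := range drivePaths {
		if strings.HasPrefix(e.Path, pfx) {
			return true
		}
	}
	return false
}

// Analyze runs both rules over JSON-lines telemetry and returns the hits; unparsable lines are skipped.
func Analyze(lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		var e Event
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			continue
		}
		name := baseName(e.Image)
		switch e.Kind {
		case "process":
			// Rule 1: a BDReinit.exe outside the vendor directory or without the vendor's signature.
			inDir := strings.HasPrefix(strings.ToLower(e.Image), bdDir)
			signed := strings.Contains(strings.ToLower(e.Signer), bdSigner)
			if name == "bdreinit.exe" && (!inDir || !signed) {
				out = append(out, Finding{"masquerading-bdreinit", e.Image, "BDReinit.exe outside vendor path or not vendor-signed"})
			}
		case "network":
			// Rule 2: Drive API traffic from a process that is not an expected Drive client.
			if isDriveAPI(e) && !driveClients[name] {
				out = append(out, Finding{"unexpected-drive-api-client", e.Image, e.Method + " " + e.Host + e.Path})
			}
		}
	}
	return out
}

// SampleLines are constructed telemetry records for a self-test; the paths are illustrative.
var SampleLines = []string{
	`{"kind":"process","image":"C:\\Program Files\\Bitdefender\\Endpoint Security\\BDReinit.exe","signer":"Bitdefender SRL"}`,
	`{"kind":"process","image":"C:\\Users\\Public\\Libraries\\BDReinit.exe","signer":""}`,
	`{"kind":"network","image":"C:\\Program Files\\Google\\DriveFS\\GoogleDriveFS.exe","host":"www.googleapis.com","path":"/drive/v3/files","method":"POST"}`,
	`{"kind":"network","image":"C:\\Users\\Public\\Libraries\\BDReinit.exe","host":"www.googleapis.com","path":"/upload/drive/v3/files","method":"POST"}`,
	`{"kind":"network","image":"C:\\Windows\\System32\\svchost.exe","host":"update.example.test","path":"/v1/check","method":"GET"}`,
	`not json at all`,
}

func main() {
	for _, f := range Analyze(SampleLines) {
		fmt.Printf("%-28s %s  (%s)\n", f.Rule, f.Image, f.Note)
	}
}
```

Rule 2 is the more durable of the two, since a renamed loader defeats Rule 1 but the Drive API traffic is the backdoor's core channel; the cost is that the allow-list of legitimate Drive clients has to be maintained for each environment.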

Further analysis revealed an artifact known as wmsetup.log that was uploaded to VirusTotal from the Philippines on October 3, 2025. This file could be decrypted by WMLOADER using the same sixteen-byte key and was found to contain a Finaldraft implant. The shared decryption key, along with multiple code-level overlaps, reinforces the assessment that both Nanoremote and Finaldraft originate from the same development ecosystem. Researchers noted that the consistent use of the hard-coded key may reflect a shared build process intended to support multiple payloads without requiring individual key management. Stepanic stated that these indicators point to a common codebase and development environment supporting both malware families, strengthening the linkage between Nanoremote and previously tracked REF7707 activity.

The ongoing analysis of Nanoremote underscores the continued evolution of toolsets used by advanced activity clusters and highlights the growing use of legitimate cloud services for covert communications. The findings also contribute to broader understanding of how threat clusters such as REF7707 maintain persistent access and adapt their capabilities across different operational contexts.
