
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
NANOREMOTE Backdoor Abuses Google Drive API for Stealthy Command-and-Control

Security researchers have uncovered a new Windows backdoor, dubbed NANOREMOTE, that leverages the Google Drive API for command-and-control (C2) communications. The malware uses legitimate cloud infrastructure to blend malicious traffic into normal enterprise activity, significantly complicating detection. Analysis indicates strong code and infrastructure overlap with FINALDRAFT (aka Squidoor), a previously documented implant attributed to a China-linked threat cluster tracked as REF7707.
Context
Cloud service abuse has become a favored tactic among advanced threat actors. By hiding C2 traffic inside trusted platforms such as Google Drive or Microsoft Graph, attackers reduce the likelihood of triggering network-based security controls. NANOREMOTE fits squarely into this trend, reinforcing concerns that widely used SaaS platforms are increasingly being repurposed as covert attack infrastructure.
What Happened
Elastic Security Labs disclosed details of NANOREMOTE after identifying artifacts linked to active intrusion activity. The malware communicates with operators primarily through the Google Drive API, enabling bidirectional data exchange that appears indistinguishable from legitimate cloud usage.
Researchers also identified links between NANOREMOTE and FINALDRAFT, another backdoor that uses Microsoft Graph API for C2. Both implants appear to be delivered by the same loader, WMLOADER, which masquerades as a Bitdefender crash-handling executable to evade suspicion during initial execution.
Technical Breakdown
NANOREMOTE is written in C++ and supports a full suite of backdoor capabilities, including system reconnaissance, file manipulation, and command execution.
Key technical characteristics include:
Use of the Google Drive API for uploading and downloading stolen data and payloads
A task-based file transfer system supporting pause, resume, cancel, and queue operations
Encrypted HTTP POST requests using AES-CBC with Zlib compression
A fixed User-Agent string: NanoRemote/1.0
A hard-coded, non-routable IP address used as an intermediary processing endpoint
The backdoor exposes 22 distinct command handlers, enabling operators to execute files, manage directories, collect host information, and terminate the implant on demand.
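The characteristics above give a defender two concrete signals in web proxy or egress telemetry: the fixed User-Agent string "NanoRemote/1.0", and HTTP POST uploads to the Google Drive API from a client that is not a browser or an approved sync tool. The following is an added detection example written for this article; it is not code from Elastic Security Labs or from the malware. The proxy log format, the sample log lines, and the "CorpDriveSync" allowlist entry are constructed assumptions for the example; in a real deployment the allowlist comes from baselined telemetry.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format, not real telemetry):
# <iso_timestamp> <client_ip> <method> <url> <status> "<user_agent>"
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.1.4.22 GET https://www.googleapis.com/drive/v3/files?pageSize=10 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2025-01-10T09:12:05Z 10.1.4.22 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 200 "NanoRemote/1.0"
2025-01-10T09:12:09Z 10.1.4.23 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media 200 "CorpDriveSync/2.1"
2025-01-10T09:13:00Z 10.1.4.24 POST https://www.googleapis.com/upload/drive/v3/files 200 "curl/8.4.0"
2025-01-10T09:13:30Z 10.1.4.25 POST https://example.com/api/v1 200 "NanoRemote/1.0"
"""

# Signal 1 (from the article): the implant's fixed User-Agent header.
NANOREMOTE_UA = "NanoRemote/1.0"

# Drive API v3 endpoints, including resumable/multipart uploads, live under this host.
DRIVE_API_HOSTS = {"www.googleapis.com"}

# Signal 2: POST uploads to the Drive API from a client we do not expect.
# This allowlist is an assumption for the example; derive it from your own
# baseline (browsers, the corporate sync client, approved integrations).
EXPECTED_DRIVE_CLIENTS = (
    re.compile(r"^Mozilla/5\.0 "),   # browsers
    re.compile(r"^CorpDriveSync/"),  # hypothetical approved sync client
)

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    severity: str  # "high" or "medium"
    rule: str
    src: str
    url: str
    ua: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_expected_drive_client(ua):
    """True if the User-Agent belongs to a client we expect to talk to Drive."""
    return any(p.match(ua) for p in EXPECTED_DRIVE_CLIENTS)


def detect(log_text):
    """Scan proxy log text and return one Alert per suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        host = urlsplit(rec["url"]).hostname or ""
        # High confidence: the fixed NANOREMOTE User-Agent, on any destination.
        if rec["ua"] == NANOREMOTE_UA:
            alerts.append(Alert("high", "known NANOREMOTE User-Agent",
                                rec["src"], rec["url"], rec["ua"]))
            continue
        # Medium confidence: an unexpected client uploading to the Drive API.
        if (rec["method"] == "POST" and host in DRIVE_API_HOSTS
                and not is_expected_drive_client(rec["ua"])):
            alerts.append(Alert("medium", "unexpected client uploading to Drive API",
                                rec["src"], rec["url"], rec["ua"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule}: src={a.src} ua={a.ua!r} url={a.url}")
```

The second rule is the durable one: a User-Agent string is trivial for an operator to change, whereas an upload to the Drive API from a host process that is not a browser or the sanctioned sync client remains anomalous regardless of the header. Pair the alert with endpoint data (which process opened the connection) before escalating, since legitimate scripts and integrations also use the API.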
Impact Analysis
By abusing Google Drive for C2, NANOREMOTE significantly reduces the effectiveness of traditional perimeter defenses. Traffic to Google APIs is rarely blocked, especially in enterprise environments that depend on cloud collaboration tools.
The malware’s modular design and shared cryptographic keys with FINALDRAFT suggest a mature development pipeline capable of supporting long-term espionage campaigns rather than opportunistic attacks.
Why It Matters
This discovery underscores a broader shift in threat actor tradecraft. Cloud platforms are no longer just targets—they are becoming infrastructure. Defenders must assume that trusted SaaS services can be abused as attack channels and adjust monitoring strategies accordingly.
Organizations relying heavily on Google Workspace may be especially exposed if API-level activity is not closely inspected.
Expert Commentary
Elastic Security Labs noted that shared encryption keys and loader behavior strongly suggest a common codebase and development environment between NANOREMOTE and FINALDRAFT.
The suspected operator, REF7707, has a documented history of targeting government, defense, telecommunications, education, and aviation sectors, indicating that NANOREMOTE is likely part of a broader intelligence-collection strategy rather than isolated malware development.
Key Takeaways
NANOREMOTE is a fully featured Windows backdoor using Google Drive for C2
Cloud API abuse makes detection significantly harder
Strong evidence links NANOREMOTE to FINALDRAFT and REF7707
Shared loaders and cryptographic keys point to a unified malware ecosystem
Enterprises must monitor SaaS API usage, not just network traffic