NANOREMOTE Malware Leverages Google Drive API for Covert Windows Control

These articles are AI-generated summaries. Please check the original sources for full details.

NANOREMOTE Malware Uses Google Drive API for Hidden Control

NANOREMOTE is a newly discovered, fully featured Windows backdoor that uses the Google Drive API for command-and-control (C2). It shares code with FINALDRAFT, malware that uses the Microsoft Graph API for the same purpose; both are linked to the threat cluster REF7707. Because its data transfers ride on Google Drive, the malware's traffic is hard to distinguish from legitimate use of the service, which makes detection significantly more difficult.

Why This Matters

Traditional intrusion detection systems often focus on network-based C2 channels. NANOREMOTE bypasses these defenses by tunneling commands through a legitimate service like Google Drive, making identification significantly harder. The potential scale of compromise is substantial, as REF7707 has targeted numerous sectors, including government and defense, with successful intrusions costing organizations millions in remediation and data loss.

Key Insights

  • FINALDRAFT/Squidoor connection, 2025: NANOREMOTE shares code with FINALDRAFT, suggesting a common developer or toolset.
  • API-based C2: Utilizing APIs like Google Drive and Microsoft Graph for C2 provides a stealthy communication channel.
  • REF7707 attribution: The threat actor REF7707 is suspected of Chinese origins and has been active since at least March 2023.

Practical Applications

  • Use Case: A targeted organization in Southeast Asia experiences data exfiltration via Google Drive, initially attributed to legitimate user activity, but later revealed as NANOREMOTE activity.
  • Pitfall: Relying solely on network signature-based detection for C2 traffic, as API-based communication blends with normal service usage.
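The pitfall above is that a network signature will not separate backdoor traffic from a user's real Drive session, because both speak to the same public API. A practical counter is to correlate the destination with the originating process: only a handful of programs on a workstation have any business calling the Drive API. The following is an added example, not code from the article or from the NANOREMOTE report, that runs that heuristic over a few constructed proxy/EDR-style log lines. The pipe-delimited log format, the `EXPECTED_DRIVE_CLIENTS` allow-list, the host names `ws-042`/`ws-117` and the process name `svc_update.exe` are assumptions for the demo; the `www.googleapis.com` host and the `/drive/v3/` and `/upload/drive/v3/` path prefixes are the public Google Drive REST API endpoints.

```python
"""
Added example (not from the original article or the NANOREMOTE report):
hunt for Google Drive API calls made by processes that are not expected
Drive clients. Log format, allow-list and sample lines are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Host and path prefixes of the public Google Drive REST API.
DRIVE_API_HOSTS = {"www.googleapis.com"}
DRIVE_API_PATH_PREFIXES = ("/drive/v3/", "/upload/drive/v3/")

# Processes that normally talk to the Drive API in a typical Windows estate.
# This allow-list is an assumption for the example; tune it to your environment.
EXPECTED_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}


@dataclass
class Event:
    ts: str
    host: str
    process: str
    method: str
    url: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form ts|host|process|method|url."""
    ts, host, process, method, url = (f.strip() for f in line.split("|", 4))
    return Event(ts, host, process.lower(), method.upper(), url)


def is_drive_api_call(ev: Event) -> bool:
    """True when the request targets a Google Drive API endpoint."""
    u = urlsplit(ev.url)
    return u.hostname in DRIVE_API_HOSTS and u.path.startswith(DRIVE_API_PATH_PREFIXES)


def find_suspicious(lines: List[str]) -> List[dict]:
    """Return Drive API activity from processes outside the expected client set.

    Results are grouped per (host, process) and carry an upload count, since a
    non-client process pushing data to Drive is the exfiltration-like signal.
    """
    findings: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_drive_api_call(ev) or ev.process in EXPECTED_DRIVE_CLIENTS:
            continue
        entry = findings.setdefault(
            (ev.host, ev.process),
            {"host": ev.host, "process": ev.process, "calls": 0, "uploads": 0, "first_seen": ev.ts},
        )
        entry["calls"] += 1
        # Treat write methods or the upload endpoint as data leaving the host.
        if ev.method in ("POST", "PATCH", "PUT") or "/upload/" in urlsplit(ev.url).path:
            entry["uploads"] += 1
    return sorted(findings.values(), key=lambda f: -f["uploads"])


# Constructed sample telemetry, not real logs. svc_update.exe is a made-up
# process name standing in for anything outside the allow-list.
SAMPLE_LOG = """
2025-01-10T09:00:01Z|ws-042|chrome.exe|GET|https://www.googleapis.com/drive/v3/files?q=trashed%3Dfalse
2025-01-10T09:00:05Z|ws-042|GoogleDriveFS.exe|POST|https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
2025-01-10T09:02:13Z|ws-042|svc_update.exe|GET|https://www.googleapis.com/drive/v3/files?q=name%3D%27tasks%27
2025-01-10T09:02:14Z|ws-042|svc_update.exe|GET|https://www.googleapis.com/drive/v3/files/FILEID?alt=media
2025-01-10T09:02:40Z|ws-042|svc_update.exe|POST|https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable
2025-01-10T09:03:00Z|ws-042|svc_update.exe|POST|https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable
2025-01-10T09:04:00Z|ws-117|outlook.exe|GET|https://graph.microsoft.com/v1.0/me/messages
""".strip().splitlines()


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['host']} {f['process']}: {f['calls']} Drive API calls, "
              f"{f['uploads']} uploads, first seen {f['first_seen']}")
```

The design point is that the signal lives in the join between process and destination, which a pure network sensor never sees; the same check applies unchanged to Microsoft Graph traffic by swapping the host and path prefixes. In production the allow-list should be derived from observed baselines rather than hand-typed, and the upload count is a triage aid, not a verdict.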
