
NANOREMOTE, cousin of FINALDRAFT

In October 2025, security researchers uncovered NANOREMOTE, a sophisticated new Windows backdoor observed in telemetry. This fully-featured implant shares characteristics with malware detailed in REF7707 and bears resemblance to the FINALDRAFT implant, strongly suggesting development by an espionage-focused threat actor. A critical feature of NANOREMOTE is its ability to facilitate data exfiltration and payload staging by leveraging the Google Drive API, a technique that significantly complicates detection efforts.

The observed infection chain begins with WMLOADER, which masquerades as a legitimate Bitdefender Security program, BDReinit.exe, despite having an invalid digital signature. Upon execution, WMLOADER allocates memory and prepares to host embedded shellcode, located at RVA 0x193041, which is decrypted using a rolling XOR algorithm. This shellcode then searches for a file named wmsetup.log in the same directory. It decrypts this log file using AES-CBC with a 16-byte ASCII key, 3A5AD78097D944AC, subsequently executing the NANOREMOTE backdoor directly in memory.

NANOREMOTE itself is a 64-bit Windows executable written in C++ without obfuscation, designed for reconnaissance, command execution, and extensive file transfers. The observed sample communicated with a hard-coded non-routable IP address, indicating it was likely generated from a builder. For Google Drive API authentication, NANOREMOTE uses a pipe-separated configuration containing Client ID, Client Secret, and Refresh Token fields, with a fallback mechanism that accepts this configuration via the NR_GOOGLE_ACCOUNTS environment variable. C2 communication occurs over HTTP POST requests to the /api/client URI using a NanoRemote/1.0 User-Agent; the JSON payload is Zlib-compressed and then AES-CBC-encrypted with the key 558bec83ec40535657833d7440001c00. Each infected host is identified by a unique GUID, generated via CoCreateGuid and hashed with the Fowler-Noll-Vo (FNV) function. Notably, the malware includes a process-wide crash handler that generates a Windows minidump with MiniDumpWithFullMemory, a practice potentially used for program triage that could expose sensitive data. A unique string formatter used for these dump files has been linked to a China-based software development website.
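As an added triage example (not code from the write-up or from the researchers), the Go below undoes the C2 message layering described above for a POST body captured from the wire: AES-CBC decrypt, strip padding, then zlib-inflate to recover the JSON. It assumes the reported key is used as its 32 ASCII bytes (AES-256), that the IV is known to the caller, and that PKCS#7 padding is in use; these, and the constructed JSON sample, are assumptions the write-up does not confirm.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"io"
)

// Key exactly as the write-up reports it. Whether the implant uses these 32 ASCII
// bytes directly (AES-256) or hex-decodes them (AES-128) is not stated; AES-256 assumed.
const reportedKey = "558bec83ec40535657833d7440001c00"

// DecodeC2 undoes the layering described above: AES-CBC decrypt, strip PKCS#7 padding (assumed), zlib-inflate.
func DecodeC2(key, iv, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(body) == 0 || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	r, err := zlib.NewReader(bytes.NewReader(plain[:len(plain)-n]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r) // zlib checksum is verified as the stream is consumed
}

// EncodeC2 is the forward direction, used only to build constructed samples for
// exercising DecodeC2 offline; the caller must supply a valid AES key and IV.
func EncodeC2(key, iv, jsonBody []byte) []byte {
	var zb bytes.Buffer
	w := zlib.NewWriter(&zb)
	w.Write(jsonBody)
	w.Close()
	n := aes.BlockSize - zb.Len()%aes.BlockSize
	padded := append(zb.Bytes(), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(key) // key length is validated in DecodeC2; a bad key panics here
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
```

Feed DecodeC2 the raw body of a captured POST to /api/client together with the key and IV recovered during analysis; a padding or zlib error indicates a wrong key, wrong IV, or a message that is not from this implant.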

The backdoor’s core functionality is driven by 22 command handlers. These handlers enable a wide range of capabilities, including collecting extensive host-based information such as internal/external IP addresses, username, hostname, administrator status, process path, OS version, and process ID. Other critical functions include modifying beacon timeout intervals, listing and managing folder contents, gathering storage disk information using Windows API functions like GetLogicalDrives and GetDiskFreeSpaceExW, creating and deleting directories, and even a custom PE loading capability for executing PE files from disk without the traditional Windows loader, leveraging the libPeConv library. Security teams should prioritize monitoring network traffic for unusual Google Drive API usage, scrutinize processes that write full-memory minidumps (MiniDumpWithFullMemory) outside of expected system behavior, and establish detections for the specified C2 indicators and decryption keys to identify this advanced espionage tool.

To read the complete article see: Full Article

This post is licensed under CC BY 4.0 by the author.