Stealthy NANOREMOTE Backdoor Abuses Google Drive API for C2 Communications

New Windows Backdoor 'NANOREMOTE' Leverages Google Drive API for Covert Command and Control

HIGH
December 13, 2025
5m read
Malware | Threat Intelligence | Cloud Security

Related Entities

Products & Tech: Microsoft Windows, Google Drive
Other: NANOREMOTE, FINALDRAFT, PATHLOADER

Full Report

Executive Summary

Security researchers at Elastic Security Labs have uncovered a sophisticated new Windows backdoor named NANOREMOTE. This C++-based malware uses a stealthy command-and-control (C2) technique: it receives commands and exfiltrates data through the legitimate Google Drive API, so its traffic is camouflaged inside ordinary, TLS-encrypted cloud service activity and is exceptionally difficult to pick out with traditional network-based intrusion detection systems. NANOREMOTE is functionally similar to the FINALDRAFT implant and appears to be part of an evolving toolset used by the same threat actors. Its capabilities include reconnaissance, remote command execution and a robust file transfer management system, which together pose a significant threat to enterprises that rely on cloud services.


Threat Overview

NANOREMOTE is part of a growing trend of malware abusing legitimate online services for C2, a tactic often called Living Off Trusted Sites (LOTS). By using the Google Drive API, the threat actor can:

  • Evade Detection: C2 traffic is HTTPS-encrypted and goes to a legitimate, highly trusted Google domain (the Drive REST API is served from www.googleapis.com), which sidesteps reputation-based blocklists and makes it hard to distinguish from benign user activity.
  • Stage Payloads: Attacker-controlled Google Drive folders can be used to store secondary payloads or scripts for the malware to download and execute.
  • Exfiltrate Data: Stolen data can be uploaded to Google Drive, appearing as normal file synchronization activity.

Elastic Security Labs discovered a sample of NANOREMOTE uploaded to VirusTotal from the Philippines on October 3, 2025. This sample was found in a file named wmsetup.log, a filename also associated with the PATHLOADER malware, which has been used to deploy FINALDRAFT. This connection suggests that the actors behind NANOREMOTE may be the same as or collaborating with those using the FINALDRAFT toolset.


Technical Analysis

NANOREMOTE is a modular backdoor with a comprehensive feature set designed for stealth and control.

Malware Capabilities

  • C2 Communication: All C2 functions are routed through the Google Drive API. The malware likely uses OAuth tokens, possibly stolen from the user's machine or embedded within the malware, to authenticate to the service.
  • Task Management: It includes a sophisticated system for managing tasks, allowing operators to queue, pause, resume, and cancel file uploads and downloads. This suggests an intent to exfiltrate large volumes of data.
  • Reconnaissance: The malware can gather information about the compromised system and its network environment.
  • Remote Execution: It can execute arbitrary commands and files delivered via the Google Drive C2 channel.

Impact Assessment

The use of legitimate cloud services for C2 poses a major challenge for security teams. For businesses, especially the millions that use Google Workspace, this tactic blurs the line between malicious and legitimate network traffic. A successful NANOREMOTE infection could lead to long-term, undetected data exfiltration, corporate espionage, and the deployment of further malware like ransomware. The difficulty in detection means the malware could dwell in a network for an extended period, giving attackers ample time to achieve their objectives.


Detection & Response

Detecting malware like NANOREMOTE requires shifting focus from traditional network signatures to behavioral analysis and API monitoring.

Detection Strategies:

  1. Cloud API Auditing (D3-CMA): For organizations using Google Workspace, ingest the Workspace Drive audit logs (Admin console or Reports API; these are distinct from Google Cloud Platform audit logs) into your SIEM. Monitor for anomalous activity such as a user account accessing Drive through an unfamiliar OAuth client or third-party app, or a service account performing unexpected file uploads. One caveat: these logs only cover your own tenant. If the malware talks to an attacker-controlled Drive with the attacker's own credentials, as the payload-staging scenario above implies, nothing appears in your Workspace logs and detection has to come from the endpoint and the network.
  2. Endpoint Analysis: Use an EDR to monitor for processes making unexpected network connections to *.googleapis.com. While many legitimate applications do this, a process that has no business using cloud storage (e.g., a non-browser system process) making these connections is highly suspicious.
  3. Network Traffic Analysis: Harder, but not impossible. Because the channel is TLS, a proxy or firewall without TLS inspection sees only the destination name (SNI or certificate), timing and byte counts, so work with those: look for periodic, beacon-like connections to Drive API hosts that do not match user behavior, and analyze the size and frequency of transfers. A process consistently sending small requests at regular intervals could be a C2 heartbeat, while large, sustained uploads could be data exfiltration.
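Strategies 2 and 3 above can be turned into a concrete hunt over endpoint or proxy network events. The following is an added example for this page, not code from Elastic Security Labs or from the article: it classifies Google Drive v3 REST calls by URL path (files.list polling, alt=media downloads, /upload/ uploads), flags processes outside a hypothetical allowlist of approved Google clients, and scores polling regularity as a beacon indicator. The event schema, the allowlist, the process name updater.exe and all sample events are constructed for illustration.

```python
"""Hunt for Drive-API C2 in endpoint/proxy network events.

Added example, not Elastic's or the article's code. The event format,
the approved-client list and SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Hypothetical allowlist: processes expected to talk to Google APIs in this environment.
APPROVED_GOOGLE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed EDR-style events (not real telemetry): chrome.exe using Drive at
# irregular intervals, and a hypothetical backdoor "updater.exe" polling a folder
# every ~60 s and then pushing a 12 MiB resumable upload.
SAMPLE_EVENTS = [
    {"ts": "2025-10-03T09:00:05", "host": "WS01", "process": "chrome.exe",
     "url": "https://www.googleapis.com/drive/v3/files?q=trashed%3Dfalse", "bytes_out": 900},
    {"ts": "2025-10-03T09:03:40", "host": "WS01", "process": "chrome.exe",
     "url": "https://www.googleapis.com/drive/v3/files/1AbC?alt=media", "bytes_out": 700},
    {"ts": "2025-10-03T09:41:12", "host": "WS01", "process": "chrome.exe",
     "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart", "bytes_out": 250_000},
] + [
    {"ts": f"2025-10-03T10:{m:02d}:{s:02d}", "host": "WS01", "process": "updater.exe",
     "url": "https://www.googleapis.com/drive/v3/files?q=%27folder%27+in+parents", "bytes_out": 800}
    for m, s in [(0, 0), (1, 0), (2, 1), (3, 0), (4, 1)]
] + [
    {"ts": "2025-10-03T10:05:30", "host": "WS01", "process": "updater.exe",
     "url": "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable",
     "bytes_out": 12 * 1024 * 1024},
]


def drive_op(url):
    """Classify a Google Drive v3 REST call by its path: poll, download, upload or other.
    Returns None for non-Google-API hosts."""
    p = urlparse(url)
    if not p.hostname or not p.hostname.endswith("googleapis.com"):
        return None
    if p.path.startswith("/upload/drive/"):
        return "upload"                      # media upload endpoint
    if p.path.startswith("/drive/v3/files/") and "alt=media" in p.query:
        return "download"                    # files.get with alt=media
    if p.path.startswith("/drive/v3/files"):
        return "poll"                        # files.list / metadata reads
    return "other"


def is_beacon(timestamps, min_events=4, max_cv=0.2):
    """Regular inter-arrival gaps (coefficient of variation <= max_cv) look like a heartbeat."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def analyze(events, upload_threshold=10 * 1024 * 1024):
    """Group Drive API calls by (host, process) and return a list of findings."""
    by_proc = defaultdict(list)
    for e in events:
        op = drive_op(e["url"])
        if op:
            by_proc[(e["host"], e["process"].lower())].append((e, op))

    findings = []
    for (host, proc), items in by_proc.items():
        polls = [datetime.fromisoformat(e["ts"]) for e, op in items if op == "poll"]
        up_bytes = sum(e["bytes_out"] for e, op in items if op == "upload")
        reasons = []
        if proc not in APPROVED_GOOGLE_CLIENTS:
            reasons.append("process not an approved Google client")
        if is_beacon(polls):
            reasons.append(f"beacon-like polling ({len(polls)} evenly spaced files.list calls)")
        if up_bytes >= upload_threshold:
            reasons.append(f"sustained upload ({up_bytes} bytes)")
        if reasons:
            findings.append({"host": host, "process": proc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']} {f['process']}: " + "; ".join(f["reasons"]))
```

Only the constructed updater.exe activity is flagged; chrome.exe is on the allowlist, makes too few list calls to score as a beacon and uploads well under the threshold. Tune min_events, max_cv and upload_threshold to your own telemetry, and treat the allowlist as a starting point: an attacker can inject into an approved browser, so this rule is a filter for triage, not proof of absence.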

Mitigation

  1. Principle of Least Privilege: Ensure users and applications only have the permissions they absolutely need. Limit the ability of service accounts to access broad sets of data in cloud storage.
  2. Application Control: Use application allowlisting to stop unapproved executables and loaders from running in the first place. The NANOREMOTE sample was staged in a file named wmsetup.log, a name also used by PATHLOADER; a .log file cannot run on its own and is read in by a loader component, so the allowlist has to block that loader rather than rely on file extensions.
  3. Cloud Access Security Broker (CASB): Deploy a CASB to gain visibility into and control over how corporate data is accessed and shared in cloud services like Google Drive. A CASB can help enforce policies and detect anomalous behavior.
  4. Egress Traffic Filtering: While the destination is trusted, you can still apply some filtering. For servers that have no need to access Google services, block all outbound connections to *.googleapis.com and *.google.com.

Timeline of Events

  1. October 3, 2025: A sample of NANOREMOTE is uploaded to VirusTotal from the Philippines.
  2. December 10, 2025: Elastic Security Labs publishes its research on the NANOREMOTE backdoor.
  3. December 13, 2025: This article is published.

MITRE ATT&CK Mitigations

  • Block access to cloud storage services from servers and systems that do not require it.
  • Use EDR to detect anomalous processes making network connections to cloud APIs.
  • Audit (M1047, enterprise): Audit and analyze cloud service API logs for anomalous activity.

D3FEND Defensive Countermeasures

To counter NANOREMOTE's abuse of Google Drive, organizations must implement intelligent outbound traffic filtering. While blocking Google entirely is not feasible for many, context-aware filtering is key. Create strict firewall and proxy rules for servers and infrastructure that have no legitimate business reason to access consumer cloud services. For user endpoints, use a Cloud Access Security Broker (CASB) or Secure Web Gateway (SWG) to differentiate between corporate-sanctioned Google Workspace instances and personal Google Drive accounts. Block uploads to any non-corporate Google Drive. Furthermore, create policies that alert on processes other than approved Google clients or web browsers making API calls to www.googleapis.com. This layered approach to filtering makes it much harder for the malware's C2 traffic to blend in.

Since NANOREMOTE mimics legitimate user activity, User Behavior Analytics (UBA) is a critical detection technique. Integrate logs from your EDR, Google Workspace, and network devices into a UBA platform or SIEM. Establish a baseline of normal Google Drive API usage for each user and process. The system should then alert on deviations from this baseline. For example, a background process on a user's machine that has never accessed Google Drive before suddenly starts making periodic API calls, or a user's account starts uploading data at unusual times (e.g., 3 AM) or from a new geographic location. These anomalies, which are invisible to signature-based tools, are strong indicators of a compromised account or endpoint being used by NANOREMOTE for C2.
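The baseline-and-deviation approach described here, which also underlies the Cloud API Auditing strategy earlier on this page, is shown below as an added example; it is not code from Elastic Security Labs or from the article. A "principal" is whatever you baseline: a user account from Workspace Drive audit logs, or a host/process pair from EDR telemetry. The class learns, per principal, the hours of day, source countries and upload sizes seen during a training window, then scores new events against that. The event schema, the thresholds, and the history and new-event records (alice@corp.example, WS01/updater.exe and so on) are all constructed.

```python
"""Baseline-and-deviation (UBA) scoring for Google Drive activity.

Added example, not Elastic's or the article's code. Event schema,
thresholds, HISTORY and NEW_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: two days of normal activity for one user and one process.
HISTORY = [
    {"principal": "alice@corp.example", "ts": "2025-10-01T09:15:00", "action": "list", "bytes": 0, "country": "US"},
    {"principal": "alice@corp.example", "ts": "2025-10-01T11:40:00", "action": "upload", "bytes": 400_000, "country": "US"},
    {"principal": "alice@corp.example", "ts": "2025-10-02T14:05:00", "action": "upload", "bytes": 900_000, "country": "US"},
    {"principal": "alice@corp.example", "ts": "2025-10-02T16:30:00", "action": "download", "bytes": 0, "country": "US"},
    {"principal": "WS01/chrome.exe", "ts": "2025-10-02T10:00:00", "action": "list", "bytes": 0, "country": "US"},
]

# Constructed new events: a 03:12 oversized upload by alice, a never-seen
# background process polling Drive, and normal browser activity.
NEW_EVENTS = [
    {"principal": "alice@corp.example", "ts": "2025-10-04T03:12:00", "action": "upload", "bytes": 6_000_000, "country": "US"},
    {"principal": "WS01/updater.exe", "ts": "2025-10-04T10:00:00", "action": "list", "bytes": 0, "country": "US"},
    {"principal": "WS01/chrome.exe", "ts": "2025-10-04T10:30:00", "action": "list", "bytes": 0, "country": "US"},
]


class DriveBaseline:
    """Per-principal profile of hours, source countries and the largest upload seen."""

    def __init__(self, hour_slack=1, upload_factor=5):
        self.hours = defaultdict(set)
        self.countries = defaultdict(set)
        self.max_upload = defaultdict(int)
        self.hour_slack = hour_slack        # hours of tolerance around observed hours
        self.upload_factor = upload_factor  # alert when an upload is this many times the baseline max

    def learn(self, events):
        for e in events:
            p = e["principal"]
            self.hours[p].add(datetime.fromisoformat(e["ts"]).hour)
            self.countries[p].add(e["country"])
            if e["action"] == "upload":
                self.max_upload[p] = max(self.max_upload[p], e["bytes"])

    def score(self, e):
        """Return the deviations for one new event; an empty list means it fits the baseline."""
        p = e["principal"]
        if p not in self.hours:            # checked before indexing so defaultdict does not add it
            return ["principal has never used Drive before"]
        hour = datetime.fromisoformat(e["ts"]).hour
        reasons = []
        if not any(abs(hour - h) <= self.hour_slack for h in self.hours[p]):
            reasons.append(f"activity at unusual hour {hour:02d}:00")
        if e["country"] not in self.countries[p]:
            reasons.append(f"new source country {e['country']}")
        if e["action"] == "upload" and e["bytes"] > self.upload_factor * max(self.max_upload[p], 1):
            reasons.append(f"upload of {e['bytes']} bytes dwarfs baseline max of {self.max_upload[p]}")
        return reasons


def evaluate(history, new_events):
    """Train on history, then return (principal, ts, reasons) for every deviating new event."""
    baseline = DriveBaseline()
    baseline.learn(history)
    flagged = []
    for e in new_events:
        reasons = baseline.score(e)
        if reasons:
            flagged.append((e["principal"], e["ts"], reasons))
    return flagged


if __name__ == "__main__":
    for principal, ts, reasons in evaluate(HISTORY, NEW_EVENTS):
        print(f"{ts} {principal}: " + "; ".join(reasons))
```

The first-seen rule is the one that matters most against NANOREMOTE: a background process that has never touched Drive appears in the output before any volume or time-of-day heuristic fires. In production, learn from weeks rather than days, and remember that Workspace audit logs only see your tenant; if the C2 Drive belongs to the attacker, the process-level principals from EDR are the only ones that will ever deviate.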

At the endpoint level, process analysis can unmask NANOREMOTE's activity. Deploy EDR agents to monitor all running processes and their network connections. Create a specific detection rule to flag any process that is not an official Google Drive client or a standard web browser making persistent connections to Google API domains (*.googleapis.com). The discovery of the malware in a file named wmsetup.log provides a tangible indicator. Hunt for this filename across all systems. More broadly, focus on the context: a process running from a temporary directory or with a generic name that is communicating with Google Drive is highly suspicious. Correlating this process activity with file creation events (e.g., the creation of wmsetup.log) can provide a high-confidence alert for NANOREMOTE infection.

Sources & References

  • NANOREMOTE, cousin of FINALDRAFT. Elastic Security Labs (elastic.co), December 10, 2025.
  • Top 5 Cybersecurity News Stories December 12, 2025. DIESEC (diesec.com), December 12, 2025.
  • Newly emergent NANOREMOTE malware sets sights on Windows systems. SC Media (scmagazine.com), December 12, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis | Security Orchestration (SOAR/XSOAR) | Incident Response & Digital Forensics | Security Operations Center (SOC) | SIEM & Security Analytics | Cyber Fusion & Threat Sharing | Security Automation & Integration | Managed Detection & Response (MDR)

Tags

NANOREMOTE, Backdoor, Malware, Google Drive, C2, Cloud Security, FINALDRAFT, Windows
