
"One of the malware's primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API," Daniel Stepanic, principal security researcher at Elastic Security Labs, said. "This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens."
"According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider."
NANOREMOTE is a fully-featured Windows backdoor implemented in C++ that leverages the Google Drive API for command-and-control and file transfer. The implant performs reconnaissance, executes files and commands, and stages payloads while offering file transfer controls such as queuing, pausing, resuming, canceling, and generating refresh tokens. The malware shares code similarities with FINALDRAFT (aka Squidoor), which employs the Microsoft Graph API for C2. Observed attack chains include a loader named WMLOADER that mimics Bitdefender's BDReinit.exe and decrypts shellcode to launch the backdoor. The malware is also preconfigured to contact a hard-coded non-routable IP over HTTP.
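The two network behaviours the summary above attributes to NANOREMOTE, Google Drive API traffic (including OAuth refresh-token grants) from a process that is not a normal Drive client, and plaintext HTTP to a hard-coded non-routable address, are both visible in proxy or endpoint network telemetry. The following is an added example, not code from Elastic Security Labs or The Hacker News, of how a defender might express those behaviours as detection rules over such logs. The pipe-delimited log format, the process allowlist, the internal-service allowlist and every sample line are constructed for this example; the Drive API and OAuth token endpoints are Google's documented public endpoints.

```python
"""Flag endpoint-to-cloud traffic matching the NANOREMOTE pattern described in
the summary: Drive API use and refresh-token grants from an unexpected process,
and plaintext HTTP to a non-routable IP.  Log format, allowlists and sample
lines are all constructed for this example (not indicators from the report)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Processes expected to talk to Google Drive on a managed Windows estate.
# Assumption: tune this to your own environment.
EXPECTED_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Known internal plaintext-HTTP services (constructed), so the non-routable
# rule does not fire on legitimate intranet traffic such as WPAD lookups.
KNOWN_INTERNAL_HTTP = {"10.0.0.5:80"}

# Google's documented Drive API and OAuth token endpoints.
DRIVE_API_HOST = "www.googleapis.com"
DRIVE_API_PREFIXES = ("/drive/v3/", "/upload/drive/v3/")
OAUTH_TOKEN_ENDPOINT = ("oauth2.googleapis.com", "/token")


@dataclass
class Event:
    ts: str
    host: str
    process: str      # full image path as recorded by the endpoint agent
    dest_host: str
    dest_ip: str
    scheme: str       # "http" or "https"
    method: str
    path: str
    body_hint: str    # request-body fragment the proxy logged, "" if none


def parse_line(line: str) -> Event:
    """Parse one constructed line: ts|host|process|dest_host|dest_ip|scheme|method|path|body_hint."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    return Event(*parts)


def is_non_routable(ip_text: str) -> bool:
    """True for private, loopback, link-local or reserved addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a hostname rather than a literal IP
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def classify(ev: Event) -> list[str]:
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    proc = ev.process.rsplit("\\", 1)[-1].lower()
    unexpected = proc not in EXPECTED_DRIVE_CLIENTS
    if ev.dest_host == DRIVE_API_HOST and ev.path.startswith(DRIVE_API_PREFIXES) and unexpected:
        hits.append("drive_api_from_unexpected_process")
    if ((ev.dest_host, ev.path) == OAUTH_TOKEN_ENDPOINT
            and "grant_type=refresh_token" in ev.body_hint and unexpected):
        hits.append("refresh_token_grant_from_unexpected_process")
    if (ev.scheme == "http" and is_non_routable(ev.dest_ip)
            and f"{ev.dest_ip}:80" not in KNOWN_INTERNAL_HTTP):
        hits.append("plaintext_http_to_non_routable_ip")
    return hits


def severity(rules: list[str]) -> str:
    """A process that both refreshes a token and drives the Drive API is the strongest signal."""
    drive_rules = {"drive_api_from_unexpected_process", "refresh_token_grant_from_unexpected_process"}
    if drive_rules <= set(rules):
        return "high"
    return "medium" if rules else "none"


def analyze(lines) -> dict:
    """Group rule hits per (host, process image) so related events are reviewed together."""
    findings = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in classify(ev):
            findings[(ev.host, ev.process)].add(rule)
    return {key: sorted(rules) for key, rules in findings.items()}


# Constructed sample telemetry: one benign browser session, one benign intranet
# lookup, and one unexpected binary exhibiting all three behaviours.
SAMPLE_LOGS = [
    r"2025-01-01T10:00:01Z|WS01|C:\Program Files\Google\Chrome\Application\chrome.exe|oauth2.googleapis.com|142.250.0.2|https|POST|/token|grant_type=refresh_token",
    r"2025-01-01T10:00:02Z|WS01|C:\Program Files\Google\Chrome\Application\chrome.exe|www.googleapis.com|142.250.0.1|https|GET|/drive/v3/files|",
    r"2025-01-01T10:00:03Z|WS01|C:\Windows\System32\svchost.exe|10.0.0.5|10.0.0.5|http|GET|/wpad.dat|",
    r"2025-01-01T10:00:05Z|WS01|C:\Users\Public\updater.exe|oauth2.googleapis.com|142.250.0.2|https|POST|/token|grant_type=refresh_token",
    r"2025-01-01T10:00:06Z|WS01|C:\Users\Public\updater.exe|www.googleapis.com|142.250.0.1|https|POST|/upload/drive/v3/files|",
    r"2025-01-01T10:00:09Z|WS01|C:\Users\Public\updater.exe|10.20.30.40|10.20.30.40|http|POST|/|",
]

if __name__ == "__main__":
    for (host, process), rules in analyze(SAMPLE_LOGS).items():
        print(f"{host} {process}: {severity(rules)} {rules}")
```

The third rule is the noisiest in practice: intranet services, captive portals and proxy auto-config lookups all use plaintext HTTP to private addresses, so it is only useful after baselining known internal destinations, which is what the constructed `KNOWN_INTERNAL_HTTP` set stands in for. The first two rules carry the signal on their own, because a non-browser, non-sync-client binary obtaining a refresh token and then uploading to Drive has little legitimate reason to exist on a managed workstation.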
Read at The Hacker News