NANOREMOTE, cousin of FINALDRAFT
Essential information
- Published: 10/12/2025 18:35
- Modified: 21/12/2025 18:58
- Tags: 2025-12-10, command execution, custom pe loader, file exfiltration, finaldraft, google drive api, nanoremote, task management, windows backdoor, wmloader
- Related entities: 5 observables, 5 techniques (MITRE), 3 malware, 1 other
Description
A newly discovered Windows backdoor called NANOREMOTE shares similarities with previously known malware FINALDRAFT. NANOREMOTE's key feature is using the Google Drive API for data exfiltration and payload staging, making detection challenging. The malware includes a task management system for file transfers and incorporates functionality from open-source projects. It communicates with a hardcoded IP address over HTTP, using encrypted and compressed JSON data. NANOREMOTE has 22 command handlers enabling various capabilities such as system reconnaissance, file operations, and command execution. The malware's similarity to FINALDRAFT suggests a shared codebase and development environment between the two threats.