NANOREMOTE Trojan Uses Google Drive for Command and Control
Redazione RHC, 12 December 2025 16:54

A new multifunctional Windows Trojan called NANOREMOTE uses a cloud file storage service as its command-and-control channel, which makes the threat harder to detect and gives attackers a persistent channel for stealing data and delivering additional payloads.

The threat was reported by Elastic Security Labs, which compared the malware to the already known FINALDRAFT implant, also known as Squidoor, which relies on Microsoft Graph to communicate with its operators.

Both tools are associated with the REF7707 cluster, also tracked as CL-STA-0049, Earth Alux and Jewelbug, and attributed to Chinese espionage activity against government agencies, defense contractors, telecommunications companies, educational institutions and aviation organizations in Southeast Asia and South America.

According to Symantec, this group has been conducting long-term covert campaigns since at least 2023, including a five-month infiltration of an IT company in Russia. The exact method of NANOREMOTE's initial infiltration has not yet been determined. The documented attack chain uses the WMLOADER downloader, disguised as the crash-handling component of the Bitdefender antivirus product, "BDReinit.exe". This module decrypts the shellcode and launches the main payload: the Trojan itself.

NANOREMOTE is written in C++ and can collect system information, execute commands and files, and transfer data between the infected device and the operator's infrastructure via Google Drive. It is also configured to communicate over HTTP with a hardcoded, non-routable IP address, through which it receives tasks and sends back results. Exchanges are POST requests carrying JSON data, compressed with Zlib and encrypted in AES-CBC mode under a 16-byte key. Requests use a single path, "/api/client", and the client identifier string "NanoRemote/1.0".
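The HTTP beacon shape described above (POST to "/api/client", client string "NanoRemote/1.0", non-routable destination) is concrete enough to hunt for in proxy or web-gateway logs. The following is an added example written for this article, not Elastic's or Red Hot Cyber's code. It assumes a simple whitespace-separated proxy log format (timestamp, source IP, destination IP, method, path, quoted User-Agent, status), treats the client identifier string as the User-Agent header, and uses constructed sample lines; the Google Drive channel is deliberately not flagged here, because it cannot be told apart from legitimate Drive use by request shape alone.

```python
"""Hunt for the NANOREMOTE HTTP beacon shape in proxy log lines.

Added example (not the article's or Elastic's code). The log format,
the sample lines and the host/IP values are constructed for this demo.
"""
import ipaddress
import re

# Indicators quoted in the article.
NANOREMOTE_PATH = "/api/client"
NANOREMOTE_CLIENT_STRING = "NanoRemote/1.0"

# Assumed proxy log format, one request per line:
# <timestamp> <src_ip> <dst_ip> <METHOD> <path> "<user-agent>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log: line 1 is a textbook beacon, line 3 hits the
# path and a private destination but not the client string, line 5 hits
# only the path (a plausible legitimate internal API), the rest are benign.
SAMPLE_LOG = """\
2025-10-03T08:12:01Z 10.0.5.17 10.0.9.4 POST /api/client "NanoRemote/1.0" 200
2025-10-03T08:12:05Z 10.0.5.17 142.250.74.46 GET /drive/v3/files "Mozilla/5.0" 200
2025-10-03T08:13:11Z 10.0.5.22 10.0.9.4 POST /api/client "Mozilla/5.0" 200
2025-10-03T08:13:40Z 10.0.5.30 93.184.216.34 POST /api/login "Mozilla/5.0" 302
2025-10-03T08:14:02Z 10.0.5.40 93.184.216.34 POST /api/client "curl/8.0" 200
"""


def is_routable(ip_text):
    """True if the address is globally routable.

    The article notes the hardcoded C2 address is non-routable, so a POST
    to /api/client on a private/reserved destination is worth a look.
    Unparsable values (hostnames, garbage) are treated as non-routable.
    """
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def classify(entry):
    """Return None for benign entries, else a dict with severity and the
    list of indicators that matched. Only POSTs to the beacon path are
    considered; the client string alone upgrades the hit to 'high'."""
    if entry["method"] != "POST" or entry["path"] != NANOREMOTE_PATH:
        return None
    indicators = ["post_to_api_client"]
    if entry["ua"] == NANOREMOTE_CLIENT_STRING:
        indicators.append("nanoremote_client_string")
    if not is_routable(entry["dst"]):
        indicators.append("non_routable_destination")
    severity = "high" if "nanoremote_client_string" in indicators else "medium"
    return {"severity": severity, "indicators": indicators}


def scan_log(text):
    """Parse every line, classify it, and return the alerts in log order.
    Lines that do not match the assumed format are skipped."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        entry = match.groupdict()
        verdict = classify(entry)
        if verdict:
            alerts.append({"line": lineno, "src": entry["src"],
                           "dst": entry["dst"], **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['severity']:6} "
              f"{alert['src']} -> {alert['dst']} {alert['indicators']}")
```

Severity is split on purpose: the path alone collides with ordinary REST naming, so it only reaches "medium"; the exact client string is the specific indicator and drives "high". A non-routable destination is recorded as an extra indicator rather than a score on its own, since most internal API traffic also lands on private addresses.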

The Trojan's main functions are implemented through a set of 22 command handlers. These allow it to collect and transmit host information, manage files and directories, clear its cache, launch PE executables already present on disk, terminate itself, and upload and download files to and from the cloud, with the ability to queue, pause, resume, or cancel transfers.

Elastic Security Labs also discovered the "wmsetup.log" artifact, uploaded to VirusTotal from the Philippines on October 3, 2025, which WMLOADER successfully decrypted using the same encryption key.

It contained a FINALDRAFT implant, indicating shared development. According to lead researcher Daniel Stepanic, the identical loader and the common approach to traffic protection are further evidence of a unified codebase and build process for FINALDRAFT and NANOREMOTE, designed to carry different payloads.

  • #apt
  • #cybersecurity
  • #trojan
  • C2 communications
  • data theft
  • Elastic Security Labs
  • Google Drive
  • Jewelbug
  • Malware
  • NANOREMOTE
  • REF7707
  • Chinese espionage
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.