Find notable cyber news and cases, enriched with sources, timelines, and signals.

NANOREMOTE Windows backdoor with Google Drive API C2

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

NANOREMOTE is a newly disclosed Windows backdoor that uses the Google Drive API for command-and-control, giving operators a difficult-to-detect channel for data theft and payload staging. The malware can perform reconnaissance, run commands, and transfer files, increasing the risk to infected endpoints. Its delivery chain also includes WMLOADER, which decrypts shellcode and launches the backdoor.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions

Malware Activity
H score15 First: 26.06.2026 19:21 Last: 26.06.2026 19:21 Sources 1

About this happening: The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...

TinyRCT backdoor with persistence, exfiltration, and self-deletion

Malware Activity
H score22 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...

AsyncRAT multi-stage delivery via trusted tools

Malware Activity
H score22 First: 11.06.2026 17:00 Last: 11.06.2026 17:00 Sources 1

About this happening: A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...

SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score31 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...

Timeline

  1. 11.12.2025 15:16 1 articles · 7mo ago

    wmsetup.log links NANOREMOTE to FINALDRAFT

    Attribution Update

    A wmsetup.log artifact uploaded from the Philippines on October 3, 2025 can be decrypted by WMLOADER with the same 16-byte key (558bec83ec40535657833d7440001c00) used by NANOREMOTE, revealing a FINALDRAFT implant and strengthening the case that NANOREMOTE and FINALDRAFT share a codebase and development environment.

    Show sources
  2. 11.12.2025 15:16 2 articles · 7mo ago

    NANOREMOTE disclosed as a Windows backdoor with Google Drive API C2

    Initial Disclosure

    Researchers disclosed NANOREMOTE as a fully featured Windows backdoor written in C++ that uses the Google Drive API for command-and-control, ships data back and forth for data theft and payload staging, performs reconnaissance, executes files and commands, transfers files, and relies on WMLOADER to mimic Bitdefender's crash handling component BDReinit.exe before decrypting shellcode that launches the payload. The malware also uses HTTP requests to /api/client with User-Agent NanoRemote/1.0, Zlib-compressed JSON, AES-CBC with the 16-byte key 558bec83ec40535657833d7440001c00, and 22 command handlers for host information, file operations, Google Drive transfer control, cache clearing, and self-termination.

    Show sources