NANOREMOTE Windows backdoor with Google Drive API C2
Malware Activity
Summary
Hide ▲
Show ▼
NANOREMOTE is a newly disclosed Windows backdoor that uses the Google Drive API for command-and-control, giving operators a difficult-to-detect channel for data theft and payload staging. The malware can perform reconnaissance, run commands, and transfer files, increasing the risk to infected endpoints. Its delivery chain also includes WMLOADER, which decrypts shellcode and launches the backdoor.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions
Malware Activity
H score15
First: 26.06.2026 19:21
Last: 26.06.2026 19:21
Sources 1
About this happening:
The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...
TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions
Malware ActivityAbout this happening: The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware ActivityAbout this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
AsyncRAT multi-stage delivery via trusted tools
Malware Activity
H score22
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...
AsyncRAT multi-stage delivery via trusted tools
Malware ActivityAbout this happening: A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...
SPECTRALVIPER DLL sideloading backdoor activity
Malware Activity
H score31
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
SPECTRALVIPER DLL sideloading backdoor activity
Malware ActivityAbout this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
Timeline
-
11.12.2025 15:16 1 articles · 7mo ago
wmsetup.log links NANOREMOTE to FINALDRAFT
Attribution UpdateA wmsetup.log artifact uploaded from the Philippines on October 3, 2025 can be decrypted by WMLOADER with the same 16-byte key (558bec83ec40535657833d7440001c00) used by NANOREMOTE, revealing a FINALDRAFT implant and strengthening the case that NANOREMOTE and FINALDRAFT share a codebase and development environment.
Show sources
- NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems — thehackernews.com — 11.12.2025 15:16
-
11.12.2025 15:16 2 articles · 7mo ago
NANOREMOTE disclosed as a Windows backdoor with Google Drive API C2
Initial DisclosureResearchers disclosed NANOREMOTE as a fully featured Windows backdoor written in C++ that uses the Google Drive API for command-and-control, ships data back and forth for data theft and payload staging, performs reconnaissance, executes files and commands, transfers files, and relies on WMLOADER to mimic Bitdefender's crash handling component BDReinit.exe before decrypting shellcode that launches the payload. The malware also uses HTTP requests to /api/client with User-Agent NanoRemote/1.0, Zlib-compressed JSON, AES-CBC with the 16-byte key 558bec83ec40535657833d7440001c00, and 22 command handlers for host information, file operations, Google Drive transfer control, cache clearing, and self-termination.
Show sources
- NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems — thehackernews.com — 11.12.2025 15:16
- NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems — thehackernews.com — 11.12.2025 15:16