
NANOREMOTE Windows backdoor with Google Drive API C2

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


NANOREMOTE is a newly disclosed Windows backdoor that uses the Google Drive API for command-and-control, giving operators a difficult-to-detect channel for data theft and payload staging. The malware can perform reconnaissance, run commands, and transfer files, increasing the risk to infected endpoints. Its delivery chain also includes WMLOADER, which decrypts shellcode and launches the backdoor.

Related Happenings

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
First: 04.02.2026 19:24 Last: 04.02.2026 19:24 Sources 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
First: 24.01.2026 17:23 Last: 24.01.2026 17:23 Sources 1

About this happening: The **AI-generated PowerShell malware** is targeting **blockchain developers and engineers** in the **Asia-Pacific region**, raising the risk of credential and wallet theft on inf...

Timeline

  1. 11.12.2025 15:16 1 article · 5mo ago

    wmsetup.log links NANOREMOTE to FINALDRAFT

    Attribution Update

    A wmsetup.log artifact uploaded from the Philippines on October 3, 2025 can be decrypted by WMLOADER with the same 16-byte key (558bec83ec40535657833d7440001c00) used by NANOREMOTE, revealing a FINALDRAFT implant and strengthening the case that NANOREMOTE and FINALDRAFT share a codebase and development environment.

  2. 11.12.2025 15:16 2 articles · 5mo ago

    NANOREMOTE disclosed as a Windows backdoor with Google Drive API C2

    Initial Disclosure

    Researchers disclosed NANOREMOTE as a fully featured Windows backdoor written in C++ that uses the Google Drive API for command-and-control, moving data in both directions for data theft and payload staging. It performs reconnaissance, executes files and commands, and transfers files, and it relies on WMLOADER, which mimics Bitdefender's crash-handling component BDReinit.exe before decrypting the shellcode that launches the payload. The backdoor also sends HTTP requests to /api/client with the User-Agent NanoRemote/1.0, uses Zlib-compressed JSON and AES-CBC with the 16-byte key 558bec83ec40535657833d7440001c00, and implements 22 command handlers covering host information, file operations, Google Drive transfer control, cache clearing, and self-termination.

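The request path and User-Agent quoted in the disclosure above are the two network indicators a defender can hunt for in proxy or egress logs. The following is an added example, not code from the original report or from any vendor, that scans constructed sample log lines in a simplified format (an assumption, not a real product's format) and rates each request by how many of the two indicators it matches:

```python
import re
# Indicators quoted in the disclosure above: the C2 request path and User-Agent.
NANOREMOTE_PATH = "/api/client"
NANOREMOTE_UA = "NanoRemote/1.0"

# Constructed sample lines in a simplified proxy-log format (an assumption,
# not any real product's format): time client method host path status "ua".
SAMPLE_LOG = """\
2025-12-11T15:16:02Z 10.0.4.21 POST 203.0.113.10 /api/client 200 "NanoRemote/1.0"
2025-12-11T15:16:05Z 10.0.4.21 GET 203.0.113.10 /api/client 200 "NanoRemote/1.0"
2025-12-11T15:17:40Z 10.0.4.33 GET www.example.com /index.html 200 "Mozilla/5.0"
2025-12-11T15:18:01Z 10.0.4.40 POST 198.51.100.7 /api/client 200 "curl/8.4.0"
2025-12-11T15:19:12Z 10.0.4.21 GET 203.0.113.10 /status 200 "NanoRemote/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return one log line as a dict of fields, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Rate one parsed request: (confidence, reason) or None if no indicator."""
    ua_hit = rec["ua"] == NANOREMOTE_UA
    path_hit = rec["path"] == NANOREMOTE_PATH
    if ua_hit and path_hit:
        return "high", "NanoRemote/1.0 User-Agent to /api/client"
    if ua_hit:
        return "medium", "NanoRemote/1.0 User-Agent on another path"
    if path_hit:  # the path alone is generic, so it only rates as weak
        return "low", "/api/client path with non-matching User-Agent"
    return None

def scan(log_text):
    """Scan a log and return findings ordered most confident first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (hit := classify(rec)):
            continue
        findings.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                         "confidence": hit[0], "reason": hit[1]})
    return sorted(findings, key=lambda f: order[f["confidence"]])
```

Hosts flagged "high" or "medium" are candidates for isolation and a WMLOADER/BDReinit.exe lookalike check; "low" hits alone are usually benign API traffic and need a second indicator before escalation.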