A new multifunctional Windows trojan dubbed NANOREMOTE leverages a cloud-based file storage service as a covert command-and-control hub, complicating detection while providing attackers with a resilient channel for data exfiltration and the delivery of additional payloads.
The threat was disclosed by researchers at Elastic Security Labs, who linked the malware to the previously identified implant FINALDRAFT—also known as Squidoor—which relies on Microsoft Graph for operator communications. Both tools are attributed to the REF7707 cluster, referenced in reports under the aliases CL-STA-0049, Earth Alux, and Jewelbug, and associated with Chinese espionage campaigns targeting government entities, defense contractors, telecommunications providers, as well as educational and aviation organizations across Southeast Asia and South America.
According to Symantec, the group has conducted long-running, low-visibility operations since at least 2023, including a five-month intrusion into an IT company in Russia. The precise initial access vector for NANOREMOTE remains unclear. In observed attack chains, however, a loader known as WMLOADER is employed, masquerading as Bitdefender’s crash-handling component “BDReinit.exe.” This module decrypts shellcode and launches the primary payload—the trojan itself.
Written in C++, NANOREMOTE is capable of harvesting system information, executing commands and files, and shuttling data between infected hosts and operator infrastructure via Google Drive. In parallel, it communicates over HTTP with a hard-coded, non-routable IP address, through which it receives tasks and returns results. Communications use POST requests carrying JSON payloads that are compressed with Zlib and encrypted using AES-CBC with a 16-byte key. All requests share a common endpoint, “/api/client,” and identify themselves with the client string “NanoRemote/1.0.”
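The beacon traits above (the fixed `/api/client` endpoint, the `NanoRemote/1.0` client string, and a hard-coded non-routable C2 address) are enough for a first-pass log triage. The following is an added detection example written for this article, not Elastic's or the malware's own code; the proxy log format and every address in it are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed proxy log lines for this example (not real telemetry).
# Fields: timestamp src dst method path "user-agent" status
SAMPLE_LOG = """\
2025-10-03T10:00:01Z 10.0.5.12 192.168.1.50 POST /api/client "NanoRemote/1.0" 200
2025-10-03T10:00:05Z 10.0.5.12 142.250.80.10 GET /drive/v3/files "Mozilla/5.0" 200
2025-10-03T10:01:10Z 10.0.5.13 93.184.216.34 POST /api/client "curl/8.1.2" 404
2025-10-03T10:02:00Z 10.0.5.14 172.16.0.9 POST /api/client "NanoRemote/1.0" 200
2025-10-03T10:02:30Z 10.0.5.16 10.0.0.7 POST /api/client "Mozilla/5.0" 200
2025-10-03T10:03:00Z 10.0.5.15 93.184.216.34 GET /index.html "Mozilla/5.0" 200
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

@dataclass
class Hit:
    timestamp: str
    src: str
    dst: str
    indicators: List[str]  # which NANOREMOTE traffic traits matched
    high_confidence: bool  # True when the hard-coded client string is present

def classify(line: str) -> Optional[Hit]:
    # Match one log line against the NANOREMOTE HTTP traits from the report.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path, ua, _status = m.groups()
    indicators = []
    if ua == "NanoRemote/1.0":
        indicators.append("client string NanoRemote/1.0")
    if method == "POST" and path == "/api/client":
        indicators.append("POST /api/client")
    try:
        # The C2 address is hard-coded and non-routable: a beacon to a
        # non-global address from a workstation is a corroborating signal.
        if not ipaddress.ip_address(dst).is_global:
            indicators.append("non-routable destination " + dst)
    except ValueError:
        pass  # destination is a hostname, not an IP literal; skip this check
    high = "client string NanoRemote/1.0" in indicators
    # A lone POST to /api/client is noisy; require the client string, or the endpoint plus a non-routable target.
    if high or len(indicators) >= 2:
        return Hit(ts, src, dst, indicators, high)
    return None

def scan_log(text: str) -> List[Hit]:
    return [h for h in (classify(l) for l in text.splitlines()) if h]
```

The two-indicator rule also catches a rebuilt sample that changes the client string but keeps the endpoint and the non-routable address, as the fifth sample line shows.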
The trojan’s core functionality is implemented through a set of 22 command handlers. These enable host reconnaissance, file and directory management, cache cleanup, execution of resident PE binaries, self-termination, and bidirectional file transfers to the cloud, complete with queuing, pausing, resuming, and cancellation capabilities.
Elastic Security Labs also identified an artifact named “wmsetup.log,” uploaded to VirusTotal from the Philippines on October 3, 2025, which could be decrypted by WMLOADER using the same encryption key. The file contained the FINALDRAFT implant, reinforcing evidence of shared development. According to lead researcher Daniel Stepanic, the common loader and identical traffic protection scheme point to a unified codebase and build pipeline underpinning both FINALDRAFT and NANOREMOTE, designed to support multiple interchangeable payloads.