NANOREMOTE, cousin of FINALDRAFT
Dec. 21, 2025, 6:58 p.m.
Description
A newly discovered Windows backdoor called NANOREMOTE shares similarities with previously known malware FINALDRAFT. NANOREMOTE's key feature is using the Google Drive API for data exfiltration and payload staging, making detection challenging. The malware includes a task management system for file transfers and incorporates functionality from open-source projects. It communicates with a hardcoded IP address over HTTP, using encrypted and compressed JSON data. NANOREMOTE has 22 command handlers enabling various capabilities such as system reconnaissance, file operations, and command execution. The malware's similarity to FINALDRAFT suggests a shared codebase and development environment between the two threats.
Tags
Date
- Created: Dec. 10, 2025, 6:35 p.m.
- Published: Dec. 10, 2025, 6:35 p.m.
- Modified: Dec. 21, 2025, 6:58 p.m.
Indicators
- 35593a51ecc14e68181b2de8f82dde8c18f27f16fcebedbbdac78371ff4f8d41
- 57e0e560801687a8691c704f79da0c1dbdd0f7d5cc671a6ce07ec0040205d728
- 999648bd814ea5b1e97918366c6bd0f82b88f5675da1d4133257b9e6f4121475
- b26927ca4342a19e9314cf05ee9d9a4bddf7b848def2db941dd281d692eaa73c
- fff31726d253458f2c29233d37ee4caf43c5252f58df76c0dced71c4014d6902
Additional Information
- Philippines