NANOREMOTE Malware Using Google Drive API for C2

Targeted Sectors

General Windows users; the source reporting also describes potential use in targeted cyber espionage.

Countries

Global

BLUF

A new Windows-based malware, NANOREMOTE, evades traditional security by using the legitimate Google Drive API for hidden C2 communications, allowing remote control and potential data exfiltration.

Date of First Reported Activity

·         December 11, 2025

o   Latest reporting date; the campaign start date may be slightly earlier

Date of Last Reported Activity Update

·         December 11, 2025

Suspected APT Names

·         REF7707

o   Is also tracked under the aliases:

§  CL-STA-0049

§  Earth Alux

§  Jewelbug

Associated Criminal Organization Names

·         Unspecified

Technical Details

IOCs:

·         Specific API keys and configuration details within the malware (not published in snippets).

·         Network traffic patterns interacting with legitimate Google Drive endpoints in unusual ways.

Network Indicators

Traditional malicious IPs and domains are generally absent because the malware leverages legitimate cloud infrastructure for its C2 operations. The primary network IOCs are behavioral or related to the legitimate Google API endpoints:

·         Communication Endpoints: The malware connects to legitimate Google API URLs for authentication and data transfer. These connections themselves are not inherently malicious but become indicators when correlated with other suspicious activity or when using specific, compromised account credentials.

·         API Usage Parameters: The malware uses specific variable names and API calls for OAUTH token retrieval and file management, such as:

·         gdue (Google Drive URL for updating files)

·         gdo2t (Google Drive URL to get the OAUTH access_token)

·         client_id and client_secret (hardcoded into the malware binary for the threat actor's specific Google account)

·         HTTP POST requests to the OAUTH endpoint using specific fields like grant_type and refresh_token.

·         Data File Name Structure: The malware uploads and monitors a specific text file used for receiving commands. The file name format is often <process ID of Trojan>.txt.

Host-Based Indicators

·         Persistence Mechanisms: The malware often establishes persistence via DLL hijacking or running as a DLL through regsvr32, though specific registry keys can vary by campaign.

·         File Paths: A common installation path observed in related campaigns is a hidden directory within AppData\Roaming\ or AppData\Local\.

Tools Used in Campaign

·         NANOREMOTE malware

TTPs

Command and Control (TA0011)

·         T1102.002 - Web Service: Bidirectional Communication

Defense Evasion (TA0005)

·         T1078 - Valid Accounts

·         T1027 - Obfuscated Files or Information

·         T1059.001 - Command and Scripting Interpreter: PowerShell

·         T1036.004 - Masquerading: Renamed System Utilities

·         T1070.001 - Indicator Removal on Host: Clear Windows Event Logs

Execution (TA0002)

·         T1204.002 - User Execution: Malicious File

Persistence (TA0003)

·         T1053.005 - Scheduled Task/Job: Scheduled Task

Collection (TA0009) & Exfiltration (TA0010)

·         T1005 - Data from Local System

·         T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Malware Names

·         NANOREMOTE

Malware Samples

sha256

2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee

URL Link to sample

·         hxxps://www.virustotal.com/gui/file/2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee

CVEs and CVSS Vectors:

·         No CVEs associated; this is a new malware/TTP, not an exploit of a specific software vulnerability.

CVSS v3.1

Not Applicable

Nessus ID

Not Applicable

Suggested rules/ potential hunts

These are indicator rules; they are likely to be noisy.

Suggested Suricata rules

Rules might look for unusual API call sequences, or for large data transfers to Google Drive originating from processes other than a browser or the Google Drive desktop client.


Detect unusually frequent POST requests to Google Drive API endpoints (behavioral hunting rule, adjust frequency as needed)

alert http any any -> any any (msg:"NANOREMOTE Malware possible Google Drive API C2 activity (High POST rate)"; flow:established; http.method; content:"POST"; http.uri; content:"/upload/drive/v3/files/"; classtype:malware-activity; threshold: type limit, track by_src, count 50, seconds 120; sid:1000001;)


Detect specific, known C2 IP (if known and static, otherwise use general behavioral rules)

alert ip any any -> [hardcoded IP from threat intel, e.g., 18.222.166.74] any (msg:"NANOREMOTE Known Hardcoded C2 IP Communication"; flow:established; classtype:trojan-activity; sid:1000002;)
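As an added worked example (not code from this report, Elastic or any other source it cites), here is the hunt the Suricata rate rule above encodes, run offline in Python over Suricata EVE JSON http events: it flags a source sending 50 or more POSTs to the Drive upload endpoint inside a sliding 120 s window, and separately notes OAuth token refreshes from a non-browser user agent, the behaviour described under Network Indicators. The EVE field names (http.hostname, http.url, http.http_method, http.http_user_agent), the sample hosts and the sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Mirrors the report: Drive upload path, OAuth token endpoint, Suricata threshold (50 POSTs / 120 s)
DRIVE_UPLOAD_PREFIX = "/upload/drive/v3/files/"
OAUTH_HOST, OAUTH_PATH = "oauth2.googleapis.com", "/token"
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Edg/", "Safari/")
WINDOW, POST_THRESHOLD = timedelta(seconds=120), 50
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout (assumed)

def is_browser(user_agent):
    return any(m in (user_agent or "") for m in BROWSER_MARKERS)

def hunt(eve_lines):
    """Return {src_ip: set(reasons)} for hosts showing the Drive C2 pattern."""
    findings, uploads = defaultdict(set), defaultdict(deque)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "http" or ev["http"].get("http_method") != "POST":
            continue
        http, src = ev["http"], ev["src_ip"]
        ts, url = datetime.strptime(ev["timestamp"], TS_FMT), http.get("url", "")
        # OAuth token refresh from something that is not a browser (weak signal on its own)
        if http.get("hostname") == OAUTH_HOST and url.startswith(OAUTH_PATH) \
                and not is_browser(http.get("http_user_agent")):
            findings[src].add("nonbrowser_oauth_refresh")
        # Burst of Drive upload POSTs: POST_THRESHOLD or more inside a sliding WINDOW
        if url.startswith(DRIVE_UPLOAD_PREFIX):
            q = uploads[src]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= POST_THRESHOLD:
                findings[src].add("drive_upload_burst")
    return dict(findings)

def constructed_samples():
    """Constructed EVE lines: one host polling Drive every 2 s, one normal browser user."""
    base = datetime(2025, 12, 11, 10, 0, tzinfo=timezone.utc)
    def ev(src, host, url, ua, offset):
        return json.dumps({"timestamp": (base + timedelta(seconds=offset)).strftime(TS_FMT),
                           "event_type": "http", "src_ip": src, "http": {"hostname": host,
                           "url": url, "http_method": "POST", "http_user_agent": ua}})
    lines = [ev("10.0.0.5", OAUTH_HOST, OAUTH_PATH, "", 0)]
    lines += [ev("10.0.0.5", "www.googleapis.com", DRIVE_UPLOAD_PREFIX + "FILEID?uploadType=media",
                 "", 2 * i) for i in range(55)]
    lines += [ev("10.0.0.7", "www.googleapis.com", DRIVE_UPLOAD_PREFIX + "FILEID",
                 "Mozilla/5.0 Chrome/120", 30 * i) for i in range(3)]
    return lines
```

Feed real `eve.json` lines to `hunt()` to reproduce the rule's behaviour in a SIEM-free environment; tune WINDOW and POST_THRESHOLD to the environment's baseline, since the Drive desktop client and backup tools also upload in bursts.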

Suggested SentinelOne rules

Behavioral detection of non-standard use of cloud service APIs would be key.


·         Process Injection/Masquerading: A process like svchost.exe or BDReinit.exe initiating unusual network connections or modifying system files.

·         Unusual File Transfers: Large data uploads/downloads to/from Google Drive via non-browser processes.

·         Registry Modifications: Creation of persistence-related keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or similar locations.

·         Suspicious API Calls: The use of specific Windows APIs (like Microsoft Detours, libPeConv functions) for malicious activity.

Threat Hunting Queries

Use SentinelOne's Deep Visibility for hunts:

Search for processes making connections to drive.google.com or www.googleapis.com that are not standard browsers (chrome.exe, firefox.exe, etc.).

Hunt for file modifications or creations within %APPDATA% or %TEMP% directories with suspicious names or extensions.


Suggested Splunk hunts

index=windows source=*google* AND *drive* AND (process=*nanoremote* OR *unusual_process_name*)

Monitor network outbound connections to Google Drive infrastructure from processes that typically shouldn't be making those connections.


Find high volume connections to Google APIs not from standard web browsers

index=network source=suricata sourcetype=eve_json dest_ip=[Google IP range] http.http_method="POST"
| stats count by src_ip, dest_ip, http.url, http.http_user_agent
| where count > 50

Endpoint Log Analysis: Correlate EDR/Sysmon logs to find the malware's initial execution and persistence mechanisms.


Search for suspicious process creation and persistence attempts

index=endpoint (process_name="BDReinit.exe" OR process_name="mscorsvc.dll")
| search registry_path="*Run*" OR registry_path="*RunOnce*"
| table _time, host, process_name, registry_path, command_line, user


DNS Monitoring: Monitor DNS requests for drive.google.com and www.googleapis.com to identify unexpected source hosts.


Alert on non-standard hosts resolving Google Drive domains frequently

index=dns (query="drive.google.com" OR query="www.googleapis.com")
| stats count by src_ip, query_type
| where count > 20

Delivery Method

·         Unknown but potentially:

o   Spear-phishing

o   Trojanized downloads

o   Leveraging initial access from other campaigns (like the React2Shell one).

Email Samples

Unknown at this time.

References

The Hacker News

·         hxxps://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html

Reddit

·         hxxps://www.reddit.com/r/pwnhub/comments/1pk2oft/nanoremote_malware_leverages_google_drive_api_for

Elastic

·         hxxps://www.elastic.co/security-labs/nanoremote

MITRE ATT&CK

·         hxxps://attack.mitre.org/techniques/T1567/

VirusTotal

·         hxxps://www.virustotal.com/gui/file/2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee
