NANOREMOTE, cousin of FINALDRAFT
ID: 2579bf34-f2f2-5289-b73f-ce2aa931d15b
STIX ID: report--2579bf34-f2f2-5289-b73f-ce2aa931d15b
Feed Name: Elastic Security Labs
Elastic Security Labs documents NANOREMOTE, a sophisticated 64-bit Windows backdoor delivered by a WMLOADER dropper. The implant implements 22 command handlers (discovery, command execution, and custom PE loading both in memory and from disk) and abuses the Google Drive API for covert file staging and exfiltration. The report highlights code reuse with FINALDRAFT/REF7707 and the use of libPeConv and Microsoft Detours, includes YARA rules and file hashes, and provides detection guidance for defenders.
