NANOREMOTE: The Invisible Malware That Uses Google Drive to Spy on You
For decades, the rule in IT security has been simple: “Block traffic to suspicious sites from Russia or China.” But what do you do when the attack comes from a source you use every day at work? In 2026, the NANOREMOTE threat changed the rules of the game.
At Altanet Craiova we have noticed an increase in these sophisticated attacks that use legitimate infrastructure (Google, Microsoft, Dropbox) to go unnoticed by the firewall. It's like the thief leaving the bank wearing a police uniform.
How does NANOREMOTE work?
Most viruses try to communicate with the hacker's server ("Command & Control") to receive commands. Good antiviruses detect this connection and cut it off.
NANOREMOTE is different. It doesn't connect to a shady server, but to a Google Drive, OneDrive, or Dropbox account created by hackers. Since your company allows employees to use these services, the traffic looks perfectly legitimate.
- Step 1: It infects the computer (via email or download).
- Step 2: It checks a text file in a public Google Drive account to receive commands (e.g. "Steal passwords from Chrome").
- Step 3: It uploads the stolen data to the same Google Drive account, in the form of encrypted files.
To your firewall, everything looks like an employee doing their job and saving documents in the cloud.
Why is it so dangerous for business?
Being a RAT (Remote Access Trojan), NANOREMOTE offers total control over the infected computer. The hacker can:
- See everything you type (keylogging).
- Take screenshots.
- Activate the webcam and microphone.
- Use your computer to attack other customers.
How do we protect ourselves if we can't block Google?
You can't block access to Google Drive in a modern company, but you can change the way you look at security:
- HTTPS Inspection (SSL Inspection): The firewall must "unpack" encrypted data packets to see what is really inside them.
- Behavioral Monitoring (EDR): A classic antivirus looks for signatures. An EDR (Endpoint Detection and Response) looks at behavior: "Why is Notepad trying to connect to the internet?"
- Frequency Analysis: A human doesn't upload files at fixed intervals of exactly 30 seconds. An automated script does.
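The frequency analysis described above can be sketched as a check over proxy logs. This is an added example, not code from Altanet or any product. The log format, host names, process names and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(line):
    # Constructed log format: ISO-timestamp workstation process METHOD dest bytes
    ts, host, proc, method, dest, size = line.split()
    return datetime.fromisoformat(ts), host, proc, method, dest, int(size)

def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (host, process, dest, mean_gap_s, cv) for upload series whose
    gaps are nearly constant. cv = stddev / mean of the gaps; a low cv
    means machine-like regularity. Thresholds are illustrative assumptions."""
    series = defaultdict(list)
    for line in lines:
        ts, host, proc, method, dest, _ = parse(line)
        if method in ("POST", "PUT"):          # uploads only
            series[(host, proc, dest)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_events:           # too few points to judge
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((*key, round(avg, 1), round(cv, 3)))
    return hits

def sample_log():
    """Constructed sample: one scripted uploader, one human user."""
    start = datetime(2026, 1, 12, 9, 0, 0)
    lines = []
    # Script: every 30 s with up to 1 s of drift
    for i, drift in enumerate([0, 1, 0, -1, 0, 1, 0, 0]):
        t = start + timedelta(seconds=30 * i + drift)
        lines.append(f"{t.isoformat()} WS-014 updater.exe POST www.googleapis.com 20480")
    # Human: irregular uploads spread over the morning
    for off in [0, 95, 610, 640, 2100, 2900, 5400]:
        t = start + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} WS-022 chrome.exe POST www.googleapis.com 350000")
    return lines

if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print(hit)
```

Legitimate sync clients also upload on timers, so a hit is a lead to review together with the process name that EDR reports, not a verdict on its own.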
This technique of using legitimate services is called "Living off the Land." To understand the technical concept, you can refer to the definition in Proofpoint's Living off the Land Tactics Reference.
Conclusion
Security is no longer just about high walls (firewalls), but also about smart surveillance cameras (behavioral monitoring). If your computer is behaving strangely, even when accessing secure sites, ask for help.
Do you want to know if your network is hiding such invisible threats? We offer state-of-the-art EDR solutions and 24/7 monitoring IT services. Visit our contact page and scan your systems before it's too late.
This material is part of Altanet's educational series on digital security. Want to know what other risks you are exposed to this year? See Complete list of cyber threats in 2026.