Brief #134: Google Drive Backdoor, AI Beats Human Pen Testers, Worst Job Market in 15 Years

Nikoloz Kokhreidze


NANOREMOTE blends attacks through Google's API undetected. AI agents now surpass most human security testers in live enterprise assessments.

Happy Sunday!

In this week's brief:

  • The NANOREMOTE backdoor uses the Google Drive API for command and control, blending malicious traffic with legitimate cloud services in a way that's pretty clever
  • Stanford researchers proved their AI agent outperformed 9 out of 10 human penetration testers in live enterprise testing, which should make us all think about where this industry is heading
  • The cybersecurity job market has hit its worst point in 15 years, with seasoned professionals reporting they can't even get interviews despite strong credentials

A quick note before we dive in.


Is Security Blocking Your Business?

Need a security leader on your team but don't need a full-time hire? Let's talk.


Industry News

Elastic Security Labs Discovers NANOREMOTE Windows Backdoor Using Google Drive API

  • Elastic Security Labs identified a fully featured Windows backdoor called NANOREMOTE that shares code similarities with FINALDRAFT and REF7707 malware, likely developed by the same espionage threat actor for reconnaissance and data theft operations.

  • The malware leverages the Google Drive API for command and control communications, enabling file transfers and payload staging through legitimate cloud services that blend with normal network traffic and evade traditional detection methods.

  • NANOREMOTE features 22 command handlers providing comprehensive capabilities including system enumeration, command execution, custom PE loading using libPeConv library, and task management for file operations with pause/resume functionality.
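C2 over a legitimate cloud API is hard to block at the network edge, because the destination is one your users already talk to; the detection handle is usually who is making the calls and how regularly. The script below is an added example written for this brief, not code from Elastic Security Labs or from the NANOREMOTE analysis, and it makes no claims about the malware's actual process names or request paths. It scans constructed proxy-style log lines (the log format, the process allowlist and the sample entries are all assumptions) and flags Drive API callers that are either not a known Drive client or that show machine-timed, low-jitter request intervals.

```python
"""Triage Google Drive API callers in proxy logs for possible C2 use.

Added example for the NANOREMOTE item above; log format, process
allowlist and sample lines are constructed assumptions, not real telemetry.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not captured traffic). One host/process pair
# beacons every 60 s, one makes a single call, one makes irregular calls.
SAMPLE_LOGS = """\
2025-11-20T09:00:00Z host=WS01 proc=chrome.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:00:05Z host=WS01 proc=GoogleDriveFS.exe dst=www.googleapis.com path=/drive/v3/files/abc/watch
2025-11-20T09:00:10Z host=WS01 proc=winsvc_helper.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:01:10Z host=WS01 proc=winsvc_helper.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:02:10Z host=WS01 proc=winsvc_helper.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:03:10Z host=WS01 proc=winsvc_helper.exe dst=www.googleapis.com path=/upload/drive/v3/files
2025-11-20T09:04:10Z host=WS01 proc=winsvc_helper.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:05:00Z host=WS02 proc=outlook.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:00:00Z host=WS03 proc=updater.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:00:47Z host=WS03 proc=updater.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:03:12Z host=WS03 proc=updater.exe dst=www.googleapis.com path=/drive/v3/files
2025-11-20T09:03:30Z host=WS03 proc=updater.exe dst=www.googleapis.com path=/drive/v3/files
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)

# Assumed allowlist: processes expected to reach the Drive API on managed hosts.
KNOWN_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "GoogleDriveFS.exe"}
DRIVE_PATH_PREFIXES = ("/drive/", "/upload/drive/")
MIN_BEACON_SAMPLES = 4   # need this many requests before judging regularity
MAX_JITTER_RATIO = 0.2   # stdev/mean of request gaps below this looks machine-timed


def parse_drive_requests(log_text):
    """Yield (timestamp, host, proc) for each request to a Drive API path."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["dst"] != "www.googleapis.com" or not m["path"].startswith(DRIVE_PATH_PREFIXES):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["proc"]


def looks_like_beacon(timestamps):
    """True when inter-request gaps are numerous and nearly constant."""
    if len(timestamps) < MIN_BEACON_SAMPLES:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < MAX_JITTER_RATIO


def find_suspicious_drive_api_use(log_text):
    """Return {(host, proc): [reasons]} for Drive API callers worth triage."""
    by_caller = defaultdict(list)
    for ts, host, proc in parse_drive_requests(log_text):
        by_caller[(host, proc)].append(ts)
    findings = {}
    for (host, proc), stamps in by_caller.items():
        reasons = []
        if proc not in KNOWN_DRIVE_CLIENTS:
            reasons.append("unexpected process")
        if looks_like_beacon(stamps):
            reasons.append("regular beacon interval")
        if reasons:
            findings[(host, proc)] = reasons
    return findings


if __name__ == "__main__":
    for (host, proc), reasons in sorted(find_suspicious_drive_api_use(SAMPLE_LOGS).items()):
        print(f"{host} {proc}: {', '.join(reasons)}")
```

Both signals are heuristics: the allowlist catches the unfamiliar binary, and the jitter check catches a sleep-loop that a renamed or injected process would still betray. In practice you would feed the same keying (host, process, destination) from EDR or proxy telemetry and tune the jitter threshold against your own baseline before alerting on it.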

Zscaler ThreatLabz Analyzes BlackForce Phishing Kit

  • BlackForce is a new phishing kit first observed in August 2025 with five distinct versions that enables Man-in-the-Browser attacks to steal credentials and bypass MFA through real-time operator interaction.

  • The kit has been used to impersonate over 11 brands including Disney, Netflix, DHL, and UPS, and is actively sold on Telegram forums for €200–€300 with sophisticated evasion techniques including ISP and security vendor blocklists.

  • BlackForce evolved from a stateless to stateful architecture across versions, implementing persistent session storage and dual-channel communication that separates phishing servers from Telegram data exfiltration to ensure resilience.

MITRE Releases 2025's Top 25 Most Dangerous Software Weaknesses

  • MITRE analyzed 39,080 CVE Records from June 2024 to June 2025, identifying the most critical software weaknesses that enable threat actors to compromise systems and steal data.

  • Cross-Site Scripting (XSS) retains the top spot while Missing Authorization, NULL Pointer Dereference, and Missing Authentication showed the biggest upward movement in rankings.

  • Six new entries joined the list including Classic Buffer Overflow, Stack-based Buffer Overflow, Heap-based Buffer Overflow, and Improper Access Control, highlighting an evolving threat landscape.
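Missing Authorization (CWE-862) is the climber in this year's list that is easiest to ship by accident: the endpoint authenticates the caller and then serves whatever record ID it was asked for. The snippet below is an added example written for this brief, not code from MITRE or from any product; the invoice data, the user IDs and the handler names are constructed. It places the vulnerable handler next to a fixed one that checks ownership server-side and returns the same refusal for missing and forbidden IDs so the fix does not turn into an ID-enumeration oracle.

```python
"""Missing Authorization (CWE-862): vulnerable handler beside a fixed one.

Added example; all data and handler names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample store: user 1 owns invoice 101, user 2 owns invoice 202.
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=12_000),
    202: Invoice(202, owner_id=2, amount_cents=450_000),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_invoice_vulnerable(current_user_id, invoice_id):
    """The weakness: caller is authenticated but ownership is never checked,
    so any logged-in user can read any invoice by guessing its ID."""
    return INVOICES[invoice_id]


def is_authorized(user_id, invoice, is_admin=False):
    """Single authorization rule: owners and admins only."""
    return invoice is not None and (invoice.owner_id == user_id or is_admin)


def get_invoice_fixed(current_user_id, invoice_id, is_admin=False):
    """Fixed handler: authorization enforced on every read, and a missing ID
    is answered exactly like a forbidden one so IDs cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if not is_authorized(current_user_id, invoice, is_admin):
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice


def denied(user_id, invoice_id, is_admin=False):
    """True when the fixed handler refuses the request (used for checks)."""
    try:
        get_invoice_fixed(user_id, invoice_id, is_admin)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # User 1 reading user 2's invoice: succeeds against the vulnerable handler,
    # is refused by the fixed one.
    print("vulnerable:", get_invoice_vulnerable(1, 202))
    print("fixed denies cross-user read:", denied(1, 202))
    print("fixed allows owner read:", get_invoice_fixed(1, 101))
```

The point of routing every read through one `is_authorized` rule is that the check cannot be forgotten on the next endpoint; a per-handler `if` is exactly the pattern that produces the missing-authorization findings behind this ranking.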
