Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API
The Harvester attack group expands its arsenal with a Linux version of the "GoGra" backdoor
Harvester Threat Actor Expands Arsenal with Linux Variant of GoGra Backdoor
TL;DR
The threat actor known as Harvester has evolved its toolset to include a Linux-based version of its "GoGra" backdoor. The malware, which targets entities in South Asia (specifically India and Afghanistan), leverages the legitimate Microsoft Graph API and Outlook mailboxes for command-and-control (C2) communication, allowing it to hide malicious traffic within common cloud services.
Introduction
The cybersecurity landscape in South Asia is facing a renewed threat as the espionage group Harvester expands its reach. Traditionally known for targeting Windows environments, recent findings from the Symantec and Carbon Black Threat Hunter Team reveal that the group has developed and deployed a Linux version of its custom GoGra backdoor.
By utilizing legitimate web services for its command-and-control infrastructure, Harvester continues to demonstrate a sophisticated ability to bypass perimeter defenses and maintain a long-term presence on victim networks.
Targeted Espionage in South Asia
Based on artifacts uploaded to the VirusTotal platform, researchers believe the primary targets of this recent activity are located in India and Afghanistan.
Harvester is not a new player in the region. Since June 2021, the group has been documented targeting:
- Telecommunications
- Government sectors
- Information Technology (IT)
- Media organizations
While a Windows-based Go-language backdoor was linked to an attack on a South Asian media organization in August 2024, this latest iteration confirms the group is now actively pursuing Linux machines to widen its scope of victims.
Infection Vector: Social Engineering
The delivery mechanism for the Linux backdoor relies on classic social engineering. Victims are tricked into executing ELF binaries that are disguised as PDF documents.
To maintain the illusion of legitimacy, the malware dropper displays a "lure" document to the user. While the victim views the document, the GoGra backdoor is stealthily installed and executed in the background.
C2 Mechanism: Abusing Microsoft Graph API
One of Harvester’s most effective tactics is the use of "living-off-the-cloud" techniques. Like its predecessor (the "Graphon" implant) and the Windows version of GoGra, the Linux variant uses the Microsoft Graph API to turn Outlook mailboxes into a covert C2 channel.
The technical workflow of the backdoor includes:
- Polling: The malware contacts a specific Outlook mailbox folder (uniquely named "Zomato Pizza") every two seconds.
- OData Queries: It uses Open Data Protocol (OData) queries to scan for incoming emails with the subject line "Input."
- Command Execution: Upon finding a matching email, the backdoor decodes the Base64-encoded message body and executes the contents as shell commands via /bin/bash.
- Exfiltration: The results of the command execution are packaged into a new email and sent back to the attacker with the subject line "Output."
- Anti-Forensics: Once the task is complete, the implant deletes the original "Input" message to erase evidence of the command.
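As an added defensive example (not code from the original article, nor from Symantec or Carbon Black), the following Python flags the polling pattern described above in proxy-style log lines of Graph API requests: a host repeatedly listing messages with a fixed subject filter at a short, regular interval, plus message deletions by the same host. The log line format, folder id and message id are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Graph API requests as a proxy might log them
# (timestamp, source host, method, URL). Not real captures; folder and
# message ids are placeholders. host-a mirrors the GoGra polling pattern.
SAMPLE_LOG = """\
2026-04-01T10:00:00Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$filter=subject%20eq%20'Input'
2026-04-01T10:00:02Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$filter=subject%20eq%20'Input'
2026-04-01T10:00:04Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$filter=subject%20eq%20'Input'
2026-04-01T10:00:04Z host-a DELETE https://graph.microsoft.com/v1.0/me/messages/MSGID-placeholder
2026-04-01T10:00:06Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$filter=subject%20eq%20'Input'
2026-04-01T10:00:00Z host-b GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10
2026-04-01T10:05:00Z host-b GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|DELETE|PATCH) (\S+)$")

def parse_line(line):
    # Split one log line into a dict; returns None for lines that do not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group(4))
    query = parse_qs(parts.query)  # percent-decodes, so $filter reads "subject eq 'Input'"
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), "src": m.group(2),
            "method": m.group(3), "path": parts.path, "filter": query.get("$filter", [""])[0]}

def find_mailbox_polling(log_text, max_interval=5.0, min_requests=3):
    """Flag hosts that list messages with a fixed subject filter at short,
    regular intervals, and count message deletions by the same host."""
    by_src = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src.setdefault(ev["src"], []).append(ev)
    findings = {}
    for src, evs in by_src.items():
        polls = [e for e in evs if e["method"] == "GET" and e["path"].endswith("/messages")
                 and re.search(r"subject eq '[^']*'", e["filter"])]
        if len(polls) < min_requests:
            continue
        times = sorted(e["ts"] for e in polls)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_interval:
            deletes = sum(1 for e in evs if e["method"] == "DELETE" and "/messages/" in e["path"])
            findings[src] = {"polls": len(polls), "median_gap_s": median(gaps),
                             "subject_filter": polls[0]["filter"], "deletes": deletes}
    return findings
```

Running `find_mailbox_polling(SAMPLE_LOG)` flags only host-a (four filtered polls two seconds apart, one deletion) and ignores host-b's ordinary inbox listing; in production the thresholds should be tuned against the baseline of legitimate mail clients.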
Cross-Platform Consistency
The research highlights a significant overlap between the Windows and Linux versions of GoGra. Despite the differences in operating systems, the underlying C2 logic remains identical.
Interestingly, the Symantec and Carbon Black team identified several matching, hard-coded spelling errors in the code of both versions. This footprint strongly suggests that the same developer or team is responsible for the entire GoGra toolkit.
Conclusion
The emergence of a Linux-based GoGra backdoor signals a strategic pivot for Harvester. By diversifying its malware to target both major operating systems and utilizing legitimate Microsoft infrastructure for C2, the group remains a persistent threat to organizations across South Asia. This evolution underscores the importance of monitoring legitimate cloud API traffic for anomalous patterns, as threat actors increasingly favor "covert-in-plain-sight" communication methods.
Source
Title: Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API
URL: https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html