{"id":679,"date":"2026-04-22T15:57:15","date_gmt":"2026-04-22T15:57:15","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=679"},"modified":"2026-04-22T15:57:15","modified_gmt":"2026-04-22T15:57:15","slug":"harvester-deploys-linux-gogra-backdoor-in-south-asia-using-microsoft-graph-api","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=679","title":{"rendered":"Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 22, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The threat actor known as <b>Harvester<\/b> has been attributed to a new Linux version of its <strong>GoGra<\/strong> backdoor deployed as part of attacks likely targeting entities in South Asia.<\/p>\n<p>\u00abThe malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses,\u00bb the Symantec and Carbon Black Threat Hunter Team <a href=\"https:\/\/www.security.com\/threat-intelligence\/harvester-new-linux-backdoor-gogra\">said<\/a> in a report shared with The Hacker News.<\/p>\n<p>The cybersecurity company said it identified artifacts uploaded to the VirusTotal platform from India and Afghanistan, suggesting that the two 
countries may be the target of the espionage activity.<\/p>\n<p>Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2.<\/p>\n<p>Subsequent activity flagged in August 2024 connected the hacking group to an attack targeting an unnamed media organization in South Asia with a never-before-seen Go-based backdoor called GoGra. The latest findings suggest that the adversary is continuing to expand its toolset beyond Windows and infecting Linux machines with a new variant of the same backdoor.<\/p>\n<p>The attacks employ social engineering to trick victims into opening ELF binaries disguised as PDF documents. The dropper then proceeds to display a lure document while stealthily running the backdoor.<\/p>\n<p>Like its Windows counterpart, the Linux version of GoGra abuses Microsoft&#8217;s cloud infrastructure to contact a specific Outlook mailbox folder named \u00abZomato Pizza\u00bb every two seconds using Open Data Protocol (OData) queries. 
The backdoor scans the inbox for incoming email messages with a subject line starting with the word \u00abInput.\u00bb<\/p>\n<p>Once an email matching the criteria is received, it decodes the Base64-encoded message body and executes it as shell commands using \u00ab\/bin\/bash.\u00bb The results of the execution are sent back to the operator in an email message with the subject line \u00abOutput.\u00bb After the exfiltration step is complete, the implant wipes the original tasking message to cover its tracks.<\/p>\n<p>\u00abDespite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged,\u00bb Symantec and Carbon Black said, adding the teams \u00abalso identified several matching, hard-coded spelling errors across both platforms, which points towards the same developer being behind both tools.\u00bb<\/p>\n<p>\u00abThe use of a new Linux backdoor shows that Harvester is continuing to expand its toolset and actively develop new tooling in order to go after a wider range of victims and machines.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 22, 2026, Cyber Espionage \/ Malware. The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of 
attacks&hellip;<\/p>\n","protected":false},"author":1,"featured_media":680,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[14,594,179,297,1360,1361,1359,181,147,483],"class_list":["post-679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-api","tag-asia","tag-backdoor","tag-deploys","tag-gogra","tag-graph","tag-harvester","tag-linux","tag-microsoft","tag-south"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=679"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/679\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/680"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}