
Harvester Deploys Linux GoGra Backdoor Across South Asia via Microsoft Graph API


Key Findings


  • Harvester APT group deployed a new Linux variant of GoGra backdoor targeting South Asia, with samples linked to India and Afghanistan

  • Malware abuses Microsoft Graph API and Outlook mailboxes as covert command-and-control infrastructure, bypassing traditional network defenses

  • Linux and Windows versions share nearly identical code and the same developer mistakes, indicating the same development team

  • Attack chain uses social engineering to distribute ELF binaries disguised as PDF files that display decoy documents while executing the backdoor

  • Backdoor polls specific Outlook folder ("Zomato Pizza") every two seconds for commands and executes them via bash shell

  • Results encrypted and exfiltrated back to operators via email, with original messages deleted to cover tracks


Background


Harvester first gained public attention in late 2021 when Symantec linked the group to an information-stealing campaign targeting telecommunications, government, and IT sectors across South Asia. The group had already demonstrated sophisticated capabilities by deploying Graphon, a custom backdoor that similarly leveraged Microsoft Graph API for command-and-control. In August 2024, researchers connected Harvester to attacks on a media organization using a new Go-based backdoor called GoGra. The group's consistent focus on South Asian targets and their steady development of new tools suggests they are a well-resourced, persistent threat actor likely operating with nation-state backing.


Cross-Platform Development Strategy


The discovery of a Linux GoGra variant reveals that Harvester is deliberately expanding beyond Windows environments. Researchers identified matching hard-coded spelling errors across both the Windows and Linux versions, a telltale sign that the same developer created both tools. The underlying command-and-control logic remains virtually identical between platforms, though implementation details differ. Both versions use the same AES encryption key and similar module structures, demonstrating a coordinated cross-platform development effort. This expansion suggests Harvester is adapting its toolkit to target a broader range of victims and infrastructure types.


Microsoft Graph API Abuse Mechanism


The malware's most distinctive feature is its abuse of legitimate Microsoft cloud services for stealth. GoGra obtains OAuth2 tokens using hardcoded Azure AD credentials, allowing it to authenticate to Microsoft's infrastructure without raising suspicion. The backdoor then uses Open Data Protocol (OData) queries to poll a specific Outlook mailbox folder at two-second intervals. The Windows version uses a folder named "Dragan Dash" (referencing a food delivery restaurant in Hyderabad), while the Linux variant uses "Zomato Pizza," another Indian food service reference. This approach hides command traffic inside legitimate cloud service communications, bypassing perimeter defenses that focus on external network threats.


Execution and Exfiltration Process


Once deployed, the Linux backdoor filters incoming emails for messages whose subject line begins with "Input". Upon finding a matching message, it Base64-decodes the message body, decrypts it with AES-CBC, and executes the resulting payload directly via "/bin/bash -c". Command output is then encrypted and returned to operators in an email with the subject "Output". The malware deletes the original tasking message to erase evidence of the exchange. This email-based command channel is particularly effective because it mimics normal business communication patterns and operates within the legitimate Microsoft Graph API scope, making detection significantly more difficult than traditional network-based command-and-control channels.
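The mailbox-polling and Input/Output tasking behaviour described in the two sections above leaves a recognisable footprint in mailbox activity telemetry. The following is an added example written for this post, not code from the original article or from any vendor report: it runs over a handful of constructed audit records (an assumed, simplified JSON-lines shape, not any real Microsoft Graph or Purview schema) and flags a client that lists one folder at a near-constant two-second cadence, messages whose subject starts with "Input" or "Output" but whose body is a single opaque Base64 blob, and a message deleted by the same client shortly after it read it. The client names, folder names and message bodies are constructed for the example.

```python
"""Detection sketch for the mailbox-polling C2 pattern described above.

Added example, not code from the original post or from any vendor report.
Input is an assumed JSON-lines audit format, not a real Microsoft schema.
"""
import base64
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry): timestamp, acting client,
# operation and its target. "app-A" behaves like the backdoor; "outlook-web"
# is a normal user session, including a benign mail whose subject starts
# with "Input" but whose body is plain prose.
SAMPLE_LOG = """
{"ts": "2026-04-01T10:00:00Z", "client": "app-A", "op": "ListMessages", "folder": "Zomato Pizza"}
{"ts": "2026-04-01T10:00:02Z", "client": "app-A", "op": "ListMessages", "folder": "Zomato Pizza"}
{"ts": "2026-04-01T10:00:04Z", "client": "app-A", "op": "ListMessages", "folder": "Zomato Pizza"}
{"ts": "2026-04-01T10:00:06Z", "client": "app-A", "op": "ListMessages", "folder": "Zomato Pizza"}
{"ts": "2026-04-01T10:00:08Z", "client": "app-A", "op": "ListMessages", "folder": "Zomato Pizza"}
{"ts": "2026-04-01T10:00:08Z", "client": "app-A", "op": "ReadMessage", "id": "m1", "subject": "Input 4412", "body": "U2FtcGxlQmFzZTY0Qmxvb0Jsb2I="}
{"ts": "2026-04-01T10:00:09Z", "client": "app-A", "op": "SendMessage", "id": "m2", "subject": "Output 4412", "body": "QW5vdGhlckJhc2U2NEJsb2JIZXJl"}
{"ts": "2026-04-01T10:00:09Z", "client": "app-A", "op": "DeleteMessage", "id": "m1"}
{"ts": "2026-04-01T10:03:00Z", "client": "outlook-web", "op": "ListMessages", "folder": "Inbox"}
{"ts": "2026-04-01T10:07:30Z", "client": "outlook-web", "op": "ReadMessage", "id": "m3", "subject": "Input needed on Q2 budget", "body": "Hi team, please see attached"}
"""

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
TASKING_SUBJECT_RE = re.compile(r"^(Input|Output)\b")

def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def _ts(rec):
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))

def looks_like_base64_blob(body):
    """True if the body is nothing but one Base64 token that decodes cleanly."""
    body = body.strip()
    if len(body) < 16 or len(body) % 4 or not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def find_tight_pollers(records, max_median_s=5.0, min_polls=4):
    """Clients that list the same folder at a short, near-constant interval."""
    by_key = defaultdict(list)
    for r in records:
        if r["op"] == "ListMessages":
            by_key[(r["client"], r["folder"])].append(_ts(r))
    hits = []
    for (client, folder), times in by_key.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= max_median_s and statistics.pstdev(gaps) <= 1.0:
            hits.append({"client": client, "folder": folder, "median_gap_s": median})
    return hits

def find_tasking_messages(records):
    """Read/sent messages using the Input/Output subject convention with an opaque body."""
    return [r["id"] for r in records
            if r["op"] in ("ReadMessage", "SendMessage")
            and TASKING_SUBJECT_RE.match(r.get("subject", ""))
            and looks_like_base64_blob(r.get("body", ""))]

def find_read_then_delete(records, window_s=60):
    """Message ids deleted by the same client within window_s of reading them."""
    read_at = {(r["client"], r["id"]): _ts(r) for r in records if r["op"] == "ReadMessage"}
    hits = []
    for r in records:
        if r["op"] != "DeleteMessage":
            continue
        key = (r["client"], r["id"])
        if key in read_at and 0 <= (_ts(r) - read_at[key]).total_seconds() <= window_s:
            hits.append(r["id"])
    return hits

def analyze(log_text):
    """Run all three checks and return their hits in one dict."""
    records = parse_log(log_text)
    return {
        "tight_pollers": find_tight_pollers(records),
        "tasking_messages": find_tasking_messages(records),
        "read_then_deleted": find_read_then_delete(records),
    }

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, only app-A is reported as a tight poller, only m1 and m2 are reported as tasking messages (the human "Input needed on Q2 budget" mail is skipped because its body is prose, not a Base64 token), and only m1 is reported as read-then-deleted. The thresholds (five polls, a median gap under five seconds, a one-minute delete window) are starting points to tune against a real tenant's baseline.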


Delivery Tactics


The attack chain relies on social engineering to gain initial access. Threat actors distribute ELF binaries disguised as PDF documents to trick users into opening them. Once executed, the dropper displays a legitimate-looking lure document while simultaneously running the GoGra backdoor in the background. This dual-action approach keeps the victim distracted with expected content while malicious code establishes persistence. The targeting appears tailored to specific regions based on the use of localized decoy documents and the submission of early samples from India and Afghanistan, indicating reconnaissance and preparation specific to these areas.
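The delivery tactic above, an ELF binary named to look like a PDF, is caught by trusting the file's leading bytes rather than its name. The following is an added example written for this post, not code from the original article: it classifies an attachment by magic bytes, and for ELF content reads the header fields (class, endianness, e_type, e_machine) an analyst would want in the alert. The PDF and ELF headers it runs on are constructed for the example, not taken from any real sample, and the file names are placeholders.

```python
"""Attachment triage for the "ELF disguised as a PDF" tactic described above.

Added example, not code from the original post. All sample bytes here are
constructed, not taken from any real sample.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF-"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object / PIE", 4: "core"}
ELF_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# Constructed inputs: a genuine-looking PDF header and a minimal 64-byte ELF64
# header (little-endian, e_type=2 executable, e_machine=0x3e x86-64).
FAKE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
FAKE_ELF = (
    ELF_MAGIC
    + bytes([2, 1, 1, 0, 0])        # EI_CLASS=64-bit, EI_DATA=little, EI_VERSION, OSABI, ABIVERSION
    + b"\x00" * 7                   # EI_PAD
    + struct.pack("<HH", 2, 0x3E)   # e_type, e_machine
    + b"\x00" * 44                  # remainder of the ELF64 header, irrelevant here
)

def content_type(data: bytes) -> str:
    """Classify by magic bytes only; the file name is never consulted."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"

def describe_elf(data: bytes) -> str:
    """Summarise e_ident class/endianness, e_type and e_machine for the alert."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return "not an ELF file"
    cls = ELF_CLASS.get(data[4], "unknown class")
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return f"{cls} {ELF_TYPE.get(e_type, 'unknown type')} for {ELF_MACHINE.get(e_machine, hex(e_machine))}"

def claimed_type(filename: str) -> str:
    """What the name suggests; only the final extension is considered."""
    return "pdf" if filename.lower().endswith(".pdf") else "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    actual = content_type(data)
    claimed = claimed_type(filename)
    reasons = []
    if actual == "elf":
        reasons.append("content is an ELF binary: " + describe_elf(data))
        if claimed == "pdf":
            reasons.append("file name claims a PDF document")
    return {"name": filename, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    # Placeholder names; "budget.pdf" with ELF bytes is the case from the post.
    for name, blob in [("budget.pdf", FAKE_PDF), ("budget.pdf", FAKE_ELF), ("tool", FAKE_ELF)]:
        print(triage(name, blob))
```

The check is deliberately name-agnostic: any ELF content arriving as a mail attachment is reported, and the "name claims a PDF" reason is added on top when the extension lies. In a mail gateway the same logic would run over the first few dozen bytes of each decoded attachment before the user ever sees it.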


Implications and Future Outlook


The emergence of this Linux variant demonstrates that Harvester remains actively committed to expanding its operational capabilities. The group shows no signs of slowing development efforts and continues to target South Asian entities for espionage purposes. The use of Microsoft's legitimate infrastructure for command-and-control represents an evolution in evasion techniques, as it allows malware to operate within approved cloud service traffic. Organizations in South Asia, particularly those in telecommunications, government, media, and IT sectors, should assume they remain in Harvester's crosshairs and take appropriate defensive measures including enhanced monitoring of cloud API activity and user education around suspicious attachments.


Sources


  • https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html

  • https://securityaffairs.com/191153/uncategorized/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html

  • https://x.com/TweetThreatNews/status/2047039009512120763

  • https://x.com/TheCyberSecHub/status/2046978899742237113

  • https://www.reddit.com/r/SecOpsDaily/comments/1ssprv1/harvester_deploys_linux_gogra_backdoor_in_south/

© 2025 by Explain IT Again. Powered and secured by Wix
