Industry News & Leadership · Apr 22, 2026

New GoGra malware for Linux uses Microsoft Graph API for comms

Bleeping Computer · Archived Apr 22, 2026



By Bill Toulas, April 22, 2026 06:00 AM

A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery.

The malware is developed by Harvester, an espionage group believed to be state-backed, and is considered highly evasive due to its use of the Microsoft Graph API to access mailbox data.

Harvester has been active since at least 2021 and is known to use custom malicious tools, such as backdoors and loaders, in campaigns targeting telecommunications, government, and IT organizations in South Asia.

Symantec researchers analyzed samples of the new Linux GoGra backdoor retrieved from VirusTotal and found that initial access is obtained by tricking victims into executing ELF binaries disguised as PDF files.

Abusing Microsoft Graph API

In a report today, Symantec researchers say that the Linux version of the GoGra backdoor uses hardcoded Azure Active Directory (AD) credentials to authenticate to Microsoft's cloud and obtain OAuth2 tokens. This allows it to interact with Outlook mailboxes via the Microsoft Graph API.

In the initial stage of the attack, a Go-based malware dropper deploys an i386 payload, establishing persistence via 'systemd' and an XDG autostart entry posing as the legitimate Conky system monitor for Linux and BSD.

According to the researchers, the malware checks an Outlook mailbox folder named "Zomato Pizza" every two seconds. It uses OData queries to identify incoming emails with subject lines beginning with "Input." The malware decrypts the base64-encoded and AES-CBC-encrypted contents of these messages and executes the resulting commands locally. Execution results are then AES-encrypted and returned to the operator via reply emails with the subject "Output." To reduce forensic visibility, the malware issues an HTTP DELETE request to remove the original command email after processing it.

Symantec highlights that the Linux variant of GoGra shares a nearly identical codebase with the Windows version of the malware, including the same typos in strings and function names, as well as the same AES key. This strongly suggests that both pieces of malware were created by the same developer, pointing to the Harvester threat group.

Symantec sees the emergence of a Linux GoGra variant as an indication that Harvester is expanding its toolset and targeting scope to tap into a broader range of systems.
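As an added example (not code from the article or from Symantec's report), the following Python scans constructed HTTP proxy log lines for the Graph API access pattern described above: a host reading one mail folder at second-scale intervals with an OData filter on subjects starting with "Input", and later deleting a message. The log format and the Graph endpoint paths are assumptions about how such traffic would appear, not values taken from the malware.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample proxy log lines: "<ISO time> <client> <method> <url>".
# The Graph mail endpoint paths are assumptions about how such calls look,
# not strings taken from the malware or the article.
SAMPLE_LOG = """\
2026-04-22T10:00:00Z 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk1/messages?$filter=startswith(subject,'Input')
2026-04-22T10:00:02Z 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk1/messages?$filter=startswith(subject,'Input')
2026-04-22T10:00:04Z 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk1/messages?$filter=startswith(subject,'Input')
2026-04-22T10:00:04Z 10.0.0.5 POST https://graph.microsoft.com/v1.0/me/messages/AAMk9/reply
2026-04-22T10:00:05Z 10.0.0.5 DELETE https://graph.microsoft.com/v1.0/me/messages/AAMk9
2026-04-22T10:00:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/messages?$top=10
2026-04-22T10:05:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/messages?$top=10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|DELETE) (\S+)$")
# OData filter selecting messages whose subject starts with "Input".
FILTER_RE = re.compile(r"startswith\(subject,\s*'Input'\)", re.IGNORECASE)

def parse(log):
    """Yield (time, host, method, url) tuples; skip lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, host, method, unquote(url)

def suspicious_hosts(log, max_interval=5.0, min_polls=3):
    """Return {host: {"polls": n, "deletes": m}} for hosts that poll a mail
    folder with the "Input" subject filter at least min_polls times, with
    consecutive polls no more than max_interval seconds apart, and that
    also DELETE at least one message (the cleanup step the article describes)."""
    by_host = defaultdict(list)
    for ev in parse(log):
        by_host[ev[1]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        polls = [t for t, _, method, url in evs
                 if method == "GET" and "/mailFolders/" in url and FILTER_RE.search(url)]
        deletes = sum(1 for _, _, method, url in evs
                      if method == "DELETE" and "/messages/" in url)
        tight = sum(1 for a, b in zip(polls, polls[1:])
                    if (b - a).total_seconds() <= max_interval)
        if len(polls) >= min_polls and tight >= min_polls - 1 and deletes:
            flagged[host] = {"polls": len(polls), "deletes": deletes}
    return flagged
```

On the constructed log only 10.0.0.5 is flagged; the host issuing ordinary five-minute inbox reads is left alone.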