
Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API

The Hacker News, Apr 22, 2026



By Ravie Lakshmanan, Apr 22, 2026. Cyber Espionage / Malware

The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News.

The cybersecurity company said it identified artifacts uploaded to the VirusTotal platform from India and Afghanistan, suggesting that the two countries may be the target of the espionage activity.

Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2. Subsequent activity flagged in August 2024 connected the hacking group to an attack targeting an unnamed media organization in South Asia with a never-before-seen Go-based backdoor called GoGra.

The latest findings suggest that the adversary is continuing to expand its toolset beyond Windows and infecting Linux machines with a new variant of the same backdoor. The attacks employ social engineering to trick victims into opening ELF binaries disguised as PDF documents. The dropper then proceeds to display a lure document while stealthily running the backdoor.

Like its Windows counterpart, the Linux version of GoGra abuses Microsoft's cloud infrastructure to contact a specific Outlook mailbox folder named "Zomato Pizza" every two seconds using Open Data Protocol (OData) queries. The backdoor scans the inbox for incoming email messages with a subject line starting with the word "Input."

Once an email matching the criteria is received, it decrypts the Base64-encoded message body and executes it as shell commands using "/bin/bash." The results of the execution are sent back to the operator in an email message with the subject line "Output." After the exfiltration step is complete, the implant wipes the original tasking message to cover up the tracks.

"Despite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged," Symantec and Carbon Black said, adding the teams "also identified several matching, hard-coded spelling errors across both platforms, which points towards the same developer being behind both tools."

"The use of a new Linux backdoor shows that Harvester is continuing to expand its toolset and actively develop new tooling in order to go after a wider range of victims and machines."
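The C2 loop described above leaves a recognisable footprint in mailbox activity: one client listing the same folder every couple of seconds, a tasking message whose subject starts with "Input" and whose body is Base64 that decodes to plain text, a reply whose subject starts with "Output" shortly afterwards, and deletion of the tasking message. The following detector is an added example written for this article; it is not code from The Hacker News, Symantec or Carbon Black, and it does not implement the backdoor. The record layout (timestamp, client, operation, folder, subject, body) and the sample events are constructed for illustration and are not a real Microsoft Graph or Exchange audit schema; only the "Zomato Pizza" folder name and the "Input"/"Output" subject prefixes come from the article.

```python
"""Flag GoGra-style mailbox C2 patterns in constructed mailbox-activity records.

Added example, not from the article or the vendors' report. The record shape is
hypothetical: (timestamp, client, operation, folder, subject, body), where
operation is "List" (folder poll), "Create" (message written) or "Delete".
"""
import base64
import binascii
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 4, 22, 9, 0, 0)

# Constructed sample activity (not real data): client-A polls one folder every
# 2 s, an operator drops a Base64 "Input" task, client-A answers with "Output"
# and deletes the task; client-B is ordinary human mail use.
SAMPLE_EVENTS = [
    (BASE + timedelta(seconds=2 * i), "client-A", "List", "Zomato Pizza", "", "")
    for i in range(12)
] + [
    (BASE + timedelta(seconds=5), "operator", "Create", "Zomato Pizza",
     "Input task1", base64.b64encode(b"uname -a").decode()),
    (BASE + timedelta(seconds=7), "client-A", "Create", "Zomato Pizza",
     "Output task1", base64.b64encode(b"Linux host 6.1.0 x86_64").decode()),
    (BASE + timedelta(seconds=8), "client-A", "Delete", "Zomato Pizza", "Input task1", ""),
    (BASE + timedelta(minutes=3), "client-B", "List", "Inbox", "", ""),
    (BASE + timedelta(minutes=6), "client-B", "List", "Inbox", "", ""),
    (BASE + timedelta(minutes=6, seconds=30), "client-B", "Create", "Inbox",
     "Input for Q2 report", "Please see attached."),
]


def beaconing_clients(events, max_interval=3.0, min_polls=10):
    """Return {(client, folder): median_gap_seconds} for clients that list the
    same folder at least min_polls times with a median gap <= max_interval."""
    polls = defaultdict(list)
    for ts, client, op, folder, _subj, _body in events:
        if op == "List":
            polls[(client, folder)].append(ts)
    found = {}
    for key, stamps in polls.items():
        stamps.sort()
        if len(stamps) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med <= max_interval:
            found[key] = med
    return found


def decode_if_text(body):
    """Strictly decode Base64 and return the text if it is printable ASCII
    (newlines and tabs allowed); return None for anything else."""
    try:
        raw = base64.b64decode(body, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if text and all(c.isprintable() or c in "\n\t" for c in text):
        return text
    return None


def tasking_pairs(events, window=60.0):
    """Find 'Input' messages whose body decodes to text, the first 'Output'
    reply in the same folder within `window` seconds, and whether the tasking
    message was deleted afterwards (the wipe step described in the article)."""
    events = sorted(events, key=lambda e: e[0])
    findings = []
    for i, (ts, _client, op, folder, subj, body) in enumerate(events):
        if op != "Create" or not subj.startswith("Input"):
            continue
        decoded = decode_if_text(body)
        if decoded is None:
            continue
        later = events[i + 1:]
        reply = next((e for e in later
                      if e[2] == "Create" and e[3] == folder
                      and e[4].startswith("Output")
                      and (e[0] - ts).total_seconds() <= window), None)
        deleted = any(e[2] == "Delete" and e[3] == folder and e[4] == subj
                      for e in later)
        findings.append({
            "folder": folder,
            "task": subj[len("Input"):].strip(),
            "command_text": decoded,
            "replied_by": reply[1] if reply else None,
            "tasking_deleted": deleted,
        })
    return findings


if __name__ == "__main__":
    for key, gap in beaconing_clients(SAMPLE_EVENTS).items():
        print(f"beaconing: {key[0]} polls folder {key[1]!r} every ~{gap:.1f}s")
    for f in tasking_pairs(SAMPLE_EVENTS):
        print("tasking pair:", f)
```

The two checks are independent on purpose: the polling check needs only folder-access timestamps (no message content), so it still fires if an operator renames the subjects, while the Input/Output pairing catches a slower beacon that keeps the tasking format. A benign message with an "Input" subject and a normal prose body is not flagged because strict Base64 decoding rejects it.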