
Harvester APT Hides Linux GoGra Backdoor in Outlook Mailboxes for Stealthy Data Theft

By xploitzone
April 24, 2026 10:27 AM

The Harvester APT group has created a new Linux version of its GoGra backdoor that uses the Microsoft Graph API and real Outlook mailboxes as a covert C2 channel. This malware completely bypasses traditional security defenses and is targeting government, telecom and IT organizations in South Asia.

Harvester is a nation-state-backed threat group that has been active since at least 2021 and uses both custom malware and publicly available tools in its attacks. The group previously targeted only Windows systems but has now expanded its target.

Symantec and the Carbon Black Threat Hunter Team have confirmed that Harvester has developed a completely new Linux version of its GoGra backdoor, and that the method it has adopted this time to conceal its malicious activity is unprecedented in the cybersecurity world.

Turned Outlook into a Command-and-Control (C2) Server

This malware uses legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, which allows it to completely bypass traditional perimeter network defenses that do not consider legitimate email traffic suspicious.

This means that security teams' firewalls, IDS systems and domain reputation filters are rendered useless, because all of the malware's traffic passes through Microsoft's own trusted infrastructure. There are no suspicious IP addresses and no unknown domains, just ordinary Outlook traffic of the kind seen everywhere.

This was not Harvester's first experiment with Microsoft infrastructure. The group previously used another backdoor called Graphon, which also ran its C2 activity over the Microsoft Graph API. GoGra is essentially an evolved and more dangerous version of that same playbook.

The first step of the infection was social engineering. Attackers disguised malicious ELF files as standard document files by inserting a subtle space before the extension so that the file could still execute as a Linux binary. Decoy documents had convincing names like “TheExternalAffairesMinister.pdf” and “Details Format.pdf”.

Some decoy files used the names of popular Indian food delivery apps such as Zomato, while others had religiously sensitive names such as “Umrah.pdf”, all for deliberate regional targeting.

Once the file is executed the malware works silently in the background. A Go dropper deploys a roughly 5.9 MB i386 executable payload to the ~/.config/systemd/user/userservice path. For persistence the malware creates a systemd user unit and XDG autostart entry that disguises itself as the legitimate Conky Linux system monitor to survive even after a system reboot.

Spy Operation Running from Zomato Pizza Folder

The malware contains hardcoded Azure AD credentials (Tenant ID, Client ID and Client Secret) which allow it to obtain OAuth2 tokens from Microsoft servers. It then checks a specific Outlook mailbox folder named “Zomato Pizza” every 2 seconds via OData queries.

In the Windows version, this folder was named “Dragan Dash”, which is the name of a food delivery restaurant in Hyderabad, India. When an email arrives with a subject line beginning with “Input”, the malware decodes its Base64-encoded message body and executes it in /bin/bash. The results are sent back in an email with the subject line “Output”, and the original command email is then deleted to leave no trace.

Symantec and Carbon Black researchers confirmed that both the Linux and Windows versions contain identical hardcoded spelling errors, such as “ExecuteCommand” and “DeletingMessage”, proving that both tools were created by the same developer.

Security teams should audit autostart entries and systemd user units on Linux systems, monitor OAuth2 token requests and Microsoft Graph API activity, and immediately block unknown Azure AD application credentials.
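As an added example (not code from the report or from Symantec), the following POSIX shell function performs the first of those audits: it scans a directory of systemd user units and XDG autostart entries and flags any whose command points outside the system binary directories, which is exactly how the sample's unit, masquerading as Conky but launching a payload under ~/.config/systemd/user/, would stand out. The directory paths, file contents and the list of "trusted" prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example (not from the report): audit a directory of systemd
# user units (*.service) and XDG autostart entries (*.desktop) and flag
# entries whose command does not live under a system binary directory.
# The Linux GoGra sample described above pointed its unit at a payload
# under ~/.config/systemd/user/, which this check reports as SUSPECT.

# audit_autostart DIR
#   Prints one line per entry: "<ok|REVIEW|SUSPECT> <file> <command>".
#   SUSPECT = absolute path outside the system directories listed below;
#   REVIEW  = bare command name resolved via PATH, worth a manual look.
#   Sets AUDIT_SUSPECTS to the SUSPECT count; returns 1 if any were found.
audit_autostart() {
  dir="$1"
  AUDIT_SUSPECTS=0
  for f in "$dir"/*.service "$dir"/*.desktop; do
    [ -f "$f" ] || continue
    # First ExecStart= (unit) or Exec= (desktop entry); strip a leading
    # "-" (systemd's ignore-failure prefix) and keep only the program word.
    cmd=$(sed -n 's/^Exec\(Start\)\{0,1\}=-\{0,1\}\(.*\)$/\2/p' "$f" | head -n 1 | awk '{print $1}')
    [ -n "$cmd" ] || continue
    case "$cmd" in
      /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*|/usr/local/bin/*|/usr/lib/*|/usr/libexec/*|/snap/*)
        status=ok ;;
      /*)
        # Absolute path in a home or other user-writable location
        status=SUSPECT
        AUDIT_SUSPECTS=$((AUDIT_SUSPECTS + 1)) ;;
      *)
        status=REVIEW ;;
    esac
    printf '%s %s %s\n' "$status" "$f" "$cmd"
  done
  [ "$AUDIT_SUSPECTS" -eq 0 ]
}

# Stand-alone use: check the current user's own persistence locations
# (assumed paths; a non-zero return just means findings were printed).
for d in "$HOME/.config/systemd/user" "$HOME/.config/autostart"; do
  if [ -d "$d" ]; then audit_autostart "$d" || :; fi
done
```

Run it against every user's home directory (and /etc/xdg/autostart for system-wide entries) rather than only your own, and treat any SUSPECT line that names a binary inside the unit directory itself as a priority for inspection.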
