A newly discovered Linux variant of the GoGra backdoor is being used by the Harvester advanced persistent threat (APT) group to conduct stealthy cyber espionage operations.
Harvester, a suspected nation-state-backed group active since at least 2021, is known for targeting South Asia with custom malware and espionage campaigns.
The discovery of a Linux version of GoGra highlights the group’s growing cross-platform capabilities, as earlier operations primarily focused on Windows systems.
Security researchers from Symantec and Carbon Black have identified this malware leveraging Microsoft Outlook mailboxes and the Microsoft Graph API as a covert command-and-control (C2) channel, allowing attackers to evade traditional network defenses.
Researchers linked the new variant to previous campaigns due to shared code structures and identical developer errors.
Although no confirmed victims were observed, initial malware samples uploaded to VirusTotal originated from India and Afghanistan, suggesting a regional focus. The attackers rely heavily on social engineering, distributing malicious files disguised as legitimate documents.
These files often include deceptive naming tricks, such as adding a space before a “.pdf” extension, causing the file to appear as a document while actually executing as a Linux ELF binary. Examples of lure filenames include:
Once executed, the dropper displays a decoy PDF or ODT file to avoid suspicion while silently installing the malware.
The Go-based dropper deploys a 5.9 MB payload on the system and establishes persistence by writing files to the user directory at ~/.config/systemd/user/userservice.
It creates a systemd service and an XDG autostart entry disguised as the legitimate “Conky” system monitor.
This ensures the malware automatically runs after system reboot without alerting the user.
One of the most advanced features of this malware is its abuse of Microsoft cloud infrastructure. The backdoor contains hardcoded Azure Active Directory credentials, enabling it to authenticate with Microsoft services and communicate through the Graph API.
Instead of using traditional C2 servers, the malware polls a specific Outlook mailbox folder named “Zomato Pizza” every two seconds using OData queries. It looks for incoming emails with subjects starting with “Input”.
Commands are hidden inside these emails, encrypted using AES-CBC and base64 encoding. After decrypting the message, the malware executes the command on the infected system using the Linux shell.
Execution results are encrypted and sent back via email with the subject “Output”. To remove evidence, the malware deletes the original command email after processing it.
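To make that polling pattern concrete from the defender's side, here is an added example (not code from the report, Symantec, or the malware itself) that hunts for beacon-like Graph mail polling in constructed proxy log lines; the log format, source addresses, and the mail folder id are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote

# Constructed sample proxy log lines (not from the report). Host 10.0.0.7 polls
# the Graph messages endpoint every 2 s with an OData subject filter, mirroring
# the pattern described above; 10.0.0.9 is ordinary, infrequent Graph mail use.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders?$filter=displayName%20eq%20'Zomato%20Pizza' 200
2024-05-01T10:00:02Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input') 200
2024-05-01T10:00:04Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input') 200
2024-05-01T10:00:06Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input') 200
2024-05-01T10:00:08Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input') 200
2024-05-01T10:00:10Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input') 200
2024-05-01T10:00:01Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10 200
2024-05-01T10:05:30Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Graph "list messages in a folder" endpoint, for /me or /users/{id}
MAIL_RE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/(?:me|users/[^/]+)/mailFolders/[^/?]+/messages", re.I)
FILTER_RE = re.compile(r"\$filter=([^&]+)")

def find_mail_pollers(log_text, max_median_interval=5.0, min_requests=5):
    """Return {src: info} for sources that hit the Graph messages endpoint
    at least min_requests times with a short median gap (beacon-like polling)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, _status = m.groups()
        if MAIL_RE.match(url):
            hits[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), url))
    flagged = {}
    for src, reqs in hits.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        med = median(gaps)
        if med > max_median_interval:
            continue
        fm = FILTER_RE.search(reqs[-1][1])  # keep the OData filter as evidence
        flagged[src] = {"requests": len(reqs), "median_interval_s": med,
                        "filter": unquote(fm.group(1)) if fm else None}
    return flagged
```

The thresholds are starting points; the Windows variant's longer intervals would need a larger window or a different feature, such as the repeated subject filter alone.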
Analysis shows that both Linux and Windows versions of GoGra share nearly identical codebases. Researchers identified the same hardcoded encryption key and even identical spelling mistakes in function names and strings, confirming a shared development origin.
While the Linux variant polls every two seconds, the Windows version uses longer intervals. Both, however, rely on Microsoft services to blend malicious traffic with legitimate activity.
The emergence of this Linux backdoor demonstrates Harvester’s ongoing efforts to expand its toolkit and target a broader range of systems.
By abusing trusted cloud services like Microsoft Outlook, the group significantly increases its ability to remain undetected.
This campaign reinforces a growing trend where attackers leverage legitimate platforms for stealthy communications, making detection and attribution more challenging for security teams.
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.