Harvester APT Group Unveils New GoGra Linux Backdoor Using Microsoft Graph API

Harvester APT Group Unveils New GoGra Linux Backdoor Using Microsoft Graph API

First seen 22 Apr 2026, 12:06 UTC BleepingcomputerSecurityThehackernewsSecurityaffairs.CoFeeds.Feedburner+4 87% similarity 75.5

Article Content

Browse articles
ThreatCluster

The Harvester APT group has launched a Linux variant of its GoGra backdoor, utilizing the Microsoft Graph API and Outlook mailboxes for covert command-and-control operations. This malware is designed to evade traditional defenses and has been linked to prior Windows-based espionage campaigns by the same group. Initial VirusTotal submissions indicate that the primary targets are located in India and Afghanistan, with localized decoy documents suggesting a tailored attack strategy. The malware masquerades as legitimate files, tricking users into executing malicious ELF binaries disguised as PDFs. It employs hardcoded Azure AD credentials to authenticate and poll a specific mailbox folder named 'Zomato Pizza' for commands. The malware's persistence mechanism involves setting up a systemd user unit and an XDG autostart entry, camouflaged as the Conky system monitor. Symantec researchers have noted that the Linux variant shares significant code similarities with its Windows counterpart, indicating a unified development effort. The current status shows that while no victims have been confirmed yet, the potential for targeted attacks remains high.

Key Points: • Harvester APT group has developed a Linux version of the GoGra backdoor. • The malware uses Microsoft Graph API for command-and-control, targeting users in India and Afghanistan. • It employs social engineering tactics to disguise malicious ELF files as PDFs for initial access.

ThreatCluster AI

Timeline

2026-04-22
Harvester APT group announces new Linux GoGra backdoor.
2026-04-22
Symantec links Linux GoGra to previous Windows espionage campaigns.
2026-04-22
Initial VirusTotal submissions indicate targets in India and Afghanistan.

Community

Browse all →