- The cyber-espionage group Harvester has deployed a new Linux variant of its GoGra backdoor in attacks likely targeting South Asia.
- This malware abuses Microsoft’s legitimate Graph API and Outlook mailboxes as a covert command-and-control channel, bypassing traditional defenses.
- The attack chain begins with social engineering, tricking users into opening malicious ELF binaries disguised as PDF documents.
- Artifacts uploaded to VirusTotal from India and Afghanistan suggest these countries are the espionage campaign’s focus.
In a significant expansion of its cyber-espionage toolkit, the threat actor known as Harvester has been linked to a new Linux backdoor in April 2026, targeting entities in South Asia. The malware, called GoGra, leverages legitimate Microsoft cloud services for stealthy communication.
The cybersecurity company Symantec and Carbon Black detailed this activity in a report shared with The Hacker News. “The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses,” their Threat Hunter Team said.
Consequently, victims are initially compromised via social engineering, lured into opening ELF binaries disguised as harmless PDF files. The dropper then displays a decoy document while secretly executing the backdoor.
This Linux variant operates identically to its Windows predecessor by polling a specific Outlook mailbox folder named “Zomato Pizza.” Every two seconds, it scans for incoming emails with a subject line starting with “Input.”
Once a matching email is found, the backdoor decrypts its Base64-encoded body and executes the contents as shell commands. The results are then emailed back to the attacker with the subject “Output,” and the original tasking message is deleted to erase evidence.
The teams noted consistent developer fingerprints across both platforms, stating they “also identified several matching, hard-coded spelling errors across both platforms, which points towards the same developer being behind both tools.” Meanwhile, the identified VirusTotal artifacts suggest India and Afghanistan are likely targets of this ongoing espionage campaign.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
