
Hackers Use Outlook Mailboxes to Hide Linux GoGra Backdoor Communications

A nation-state-linked hacking group has found a clever way to hide its malicious activity inside Microsoft Outlook mailboxes, making its attacks much harder for standard security tools to detect.

The Harvester APT group, believed to be a nation-state-backed threat actor active since at least 2021, has developed a new Linux version of its GoGra backdoor.

This updated malware leverages the legitimate Microsoft Graph API and real Outlook mailboxes as a covert command-and-control (C2) channel.

By communicating through trusted Microsoft cloud infrastructure, the backdoor can bypass traditional perimeter network defenses, which are not built to flag traffic to legitimate Microsoft services as suspicious.

The campaign appears to be focused on espionage rather than financial gain. Initial VirusTotal submissions for the malware samples originated from India and Afghanistan, suggesting that organizations and individuals in South Asia remain the primary targets.

The attackers also used localized decoy documents that reference familiar cultural names and services in the region, which indicates a deliberate and tailored targeting strategy. Historically, Harvester has focused its espionage activities in South Asia, and this campaign is consistent with that pattern.

Symantec and Carbon Black analysts identified this new Linux malware as an expansion of a previously known Windows espionage campaign by Harvester.

The researchers noted strong code similarities between the new Linux variant and the older Windows version, confirming that the group is actively expanding its cross-platform attack capabilities.

This development shows that Harvester is not slowing down, but is instead evolving its toolset to target a broader range of operating systems and machines.

The threat actor gained initial access through social engineering lures. Victims were directed toward decoy documents with names like “TheExternalAffairesMinister.pdf” and “Details Format.pdf,” which appeared to be standard document files but were actually malicious Linux ELF binaries.

Once a user opened the file, the infection process began quietly in the background, with the malware setting up persistence mechanisms to survive system reboots.

How the Backdoor Abuses Microsoft Infrastructure

The most technically significant aspect of this backdoor is how it turns legitimate Microsoft cloud services into a covert communication channel. After the initial infection, a Go dropper deploys a roughly 5.9 MB i386 executable payload to the path “~/.config/systemd/user/userservice.”

To survive reboots, the malware sets up a systemd user unit and an XDG autostart entry, both disguised as the legitimate “Conky” Linux system monitor.

The inner payload carries hardcoded Azure AD application credentials in plain text, including a tenant ID, client ID, and client secret.

These credentials allow the malware to request OAuth2 tokens directly from Microsoft and begin communicating through a real Outlook mailbox folder named “Zomato Pizza,” polling for new instructions every two seconds.

When an attacker sends a command, the malware picks up incoming emails with subjects starting with “Input.” It then base64-decodes and AES-CBC-decrypts the message body and runs the resulting command on the host using /bin/bash.

Results are encrypted with the same AES key and sent back to the attacker via an email reply with the subject “Output.” After sending the results, the implant wipes the original command email using an HTTP DELETE request, leaving almost no trace of the exchange.

Organizations running Linux systems should audit autostart entries and systemd user units for unexpected or unknown services, especially those mimicking legitimate tools like Conky.

Security teams are advised to monitor OAuth2 token requests and Microsoft Graph API activity from endpoints that do not normally use these services. Blocking or restricting Azure AD application credentials that are unknown to the organization can reduce the risk of this type of abuse.

Threat hunting teams should look for ELF binaries with appended fake extensions in user directories, as well as files written to “~/.config/systemd/user/” paths by non-standard processes.
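The persistence mechanics described above and the hunting advice in the last three paragraphs translate directly into a host-side triage script. The following is an added example written for this article, not code from the researchers, Symantec, or the malware itself: it finds document-named files that are really ELF binaries, and flags user systemd units or XDG autostart entries that launch something outside system paths or call themselves Conky while launching a different binary. The trusted path prefixes and the constructed fixture directory are assumptions.

```python
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
TRUSTED = ("/usr/", "/bin/", "/sbin/", "/opt/")  # assumption: where legitimate autostart targets live

def is_elf(path: Path) -> bool:  # checks the magic bytes, whatever the extension claims
    try:
        with open(path, "rb") as fh: return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_disguised_elfs(root: Path) -> list:  # document extension on the outside, ELF on the inside
    return sorted(p.name for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in DOC_EXTS and is_elf(p))

def exec_target(text: str) -> str:  # first word of ExecStart= (systemd) or Exec= (.desktop), else ""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("ExecStart", "Exec") and value.strip():
            return value.strip().lstrip("-@:+!").split()[0]  # strip systemd exec-prefix characters
    return ""

def audit_autostart(home: Path) -> list:  # (file, reason) for each suspicious unit or autostart entry
    findings = []
    for d in (home / ".config/systemd/user", home / ".config/autostart"):
        for f in sorted(d.iterdir()) if d.is_dir() else []:
            if f.suffix not in (".service", ".desktop"):
                continue
            text = f.read_text(errors="replace")
            target = exec_target(text)
            resolved = Path(target.replace("%h", str(home))).expanduser()  # systemd expands %h to the home dir
            if target and not str(resolved).startswith(TRUSTED):
                findings.append((f.name, "launches a target outside system paths: " + target))
            if target and "conky" in text.lower() and resolved.name != "conky":  # the disguise the article describes
                findings.append((f.name, "claims to be Conky but launches " + target))
    return findings

def build_sample_home() -> Path:  # constructed fixture mirroring the article's artefacts; no real malware
    home = Path(tempfile.mkdtemp())
    units, auto, dl = home / ".config/systemd/user", home / ".config/autostart", home / "Downloads"
    for d in (units, auto, dl): d.mkdir(parents=True)
    stub = ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 29              # ELF header bytes only, not a runnable program
    (dl / "Details Format.pdf").write_bytes(stub)                # decoy name from the article, ELF inside
    (dl / "report.pdf").write_bytes(b"%PDF-1.4\n%fake\n")         # genuine-looking PDF, must not be flagged
    (units / "userservice.service").write_text("[Unit]\nDescription=Conky\n[Service]\nExecStart=%h/.config/systemd/user/userservice\n")
    (units / "syncthing.service").write_text("[Service]\nExecStart=/usr/bin/syncthing\n")  # benign control
    (auto / "conky.desktop").write_text(f"[Desktop Entry]\nName=Conky\nExec={home}/.config/systemd/user/userservice\n")
    return home
```

On a live host, pointing `find_disguised_elfs` and `audit_autostart` at the real home directory instead of the fixture gives a short triage list; a bare command name in an entry (resolved via PATH by systemd) will also be listed, so review those by hand rather than treating every hit as malicious.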


The post Hackers Use Outlook Mailboxes to Hide Linux GoGra Backdoor Communications appeared first on Cyber Security News.

rssfeeds-admin
