Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
July 6, 2026
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Parrot OS 7.3 Released With Security Updates, Optimized Packages
July 6, 2026
Home/Threats/GoGra Linux Backdoor Hides C2 in Outlook Mailboxes
Threats

GoGra Linux Backdoor Hides C2 in Outlook Mailboxes

Key Takeaways The Harvester APT group, a nation-state-linked threat actor, has developed a new Linux variant of its GoGra backdoor. This sophisticated malware uses legitimate Microsoft Outlook...

Sarah simpson
Sarah simpson
April 23, 2026 3 Min Read
42 0

Key Takeaways

  • The Harvester APT group, a nation-state-linked threat actor, has developed a new Linux variant of its GoGra backdoor.
  • This sophisticated malware uses legitimate Microsoft Outlook mailboxes and the Microsoft Graph API for covert command-and-control (C2) communications, making detection difficult.
  • The campaign primarily targets entities in South Asia, including India and Afghanistan, focusing on espionage.
  • Initial access is gained through social engineering, with victims opening malicious Linux ELF binaries disguised as legitimate documents.

Nation-State APT Harvester Unveils New Linux GoGra Backdoor Hiding C2 in Outlook

A sophisticated nation-state-sponsored hacking collective known as Harvester is actively deploying a novel Linux version of its GoGra backdoor, employing a highly evasive technique that leverages legitimate Microsoft Outlook mailboxes for command-and-control (C2) operations. This approach significantly complicates detection by conventional security measures.

Table Of Content

  • Key Takeaways
  • Nation-State APT Harvester Unveils New Linux GoGra Backdoor Hiding C2 in Outlook
  • Targeting and Initial Access
  • How the Backdoor Abuses Microsoft Infrastructure
  • What You Should Do

The Harvester APT, believed to be state-backed and operational since at least 2021, has expanded its toolkit with this new Linux variant. The updated malware weaponizes the standard Microsoft Graph API and authentic Outlook mailboxes to establish a clandestine C2 channel. By routing its communications through trusted Microsoft cloud infrastructure, the backdoor effectively circumvents traditional perimeter network defenses, which are typically unprepared to flag seemingly legitimate email traffic as malicious.

Analysts at Symantec and Carbon Black were instrumental in identifying this new Linux malware, confirming it as an evolution of Harvester’s existing Windows espionage campaigns. Researchers noted significant code overlap between the new Linux version and its Windows predecessor, underscoring the group’s concerted effort to broaden its cross-platform attack capabilities. This development signals Harvester’s ongoing evolution and commitment to expanding its operational scope across a wider array of operating systems and devices.

Targeting and Initial Access

The current campaign appears to be geared toward espionage rather than financial motives. Initial submissions of the malware samples to VirusTotal originated from India and Afghanistan, indicating a continued focus on organizations and individuals within South Asia. The attackers further employed localized decoy documents, featuring cultural names and services relevant to the region, highlighting a deliberate and highly tailored targeting strategy consistent with Harvester’s historical espionage activities in South Asia.

Harvester gains initial access through social engineering tactics. Victims are lured into opening malicious Linux ELF binaries disguised as innocuous documents, such as “TheExternalAffairesMinister. pdf” and “Details Format. pdf.” Upon execution, the infection process commences silently in the background, with the malware establishing persistence mechanisms to ensure its survival across system reboots.

How the Backdoor Abuses Microsoft Infrastructure

The most technically innovative aspect of this backdoor lies in its transformation of legitimate Microsoft cloud services into a surreptitious communication pathway. Following the initial compromise, a Go dropper deploys an approximately 5.9 MB i386 executable payload to the path “~/.config/systemd/user/userservice.” To maintain persistence across system restarts, the malware configures a systemd user unit and an XDG autostart entry, masquerading as the legitimate “Conky” Linux system monitor.

The embedded payload contains hardcoded Azure AD application credentials, including a tenant ID, client ID, and client secret, stored in plain text. These credentials enable the malware to directly request OAuth2 tokens from Microsoft, initiating communications through a genuine Outlook mailbox folder named “Zomato Pizza.” The backdoor then polls this folder for new instructions every two seconds.

When an attacker issues a command, the malware retrieves incoming emails with subjects beginning with “Input.” It then decrypts the AES-CBC encrypted, base64-encoded message body and executes the command on the compromised host using /bin/bash. The results are encrypted with the same AES key and transmitted back to the attacker via an email reply with the subject “Output.” After sending the results, the implant performs an HTTP DELETE request to erase the original command email, thereby minimizing traces of the exchange.

What You Should Do

  • Audit Linux Systems: Regularly inspect autostart entries and systemd user units on Linux systems for any unexpected or unknown services, particularly those mimicking legitimate tools like Conky.
  • Monitor OAuth2 and Graph API Activity: Security teams should diligently monitor OAuth2 token requests and Microsoft Graph API activity originating from endpoints that do not typically utilize these services.
  • Restrict Azure AD Credentials: Block or restrict Azure AD application credentials that are not recognized or authorized by your organization to mitigate the risk of this type of abuse.
  • Threat Hunt for Malicious Binaries: Actively search for ELF binaries with fake appended extensions in user directories, as well as any suspicious files written to “~/.config/systemd/user/” paths by non-standard processes.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Vercel Confirms Security Breach, Customer Accounts Compromised

Next Post

Fake TradingView AI Agent Site Spreads Needle Stealer Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Mythos Ransomware Returns, Kali Linux 2024.2 Released, WhatsApp Vulnerability
July 5, 2026
Microsoft Patches Windows 11 OOBE Flaw in Cumulative Update
July 5, 2026
PamStealer Mimics Maccy, Silently Harvests Data
July 4, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us