"The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter Team said.
Harvester's toolset: from Graphon to a Linux GoGra
Symantec and Carbon Black tied the activity to Harvester, a threat actor first publicly documented by Symantec in late 2021. That earlier reporting traced an implant called Graphon — a bespoke information-stealing tool that used the Microsoft Graph API for C2 — to an espionage campaign against telecommunications, government, and information technology sectors in South Asia that began in June 2021. In August 2024, the teams linked Harvester to a Go-based backdoor named GoGra used against an unnamed media organization in South Asia. The new finding reported to The Hacker News shows that Harvester has produced a Linux variant of the same GoGra backdoor, extending its tooling beyond Windows.
Microsoft Graph API and the Outlook mailbox named "Zomato Pizza"
The Linux GoGra maintains the same C2 logic as its Windows counterpart and continues to abuse Microsoft cloud infrastructure. According to the report shared with The Hacker News, the implant routinely queries a specific Outlook mailbox folder named "Zomato Pizza" every two seconds using Open Data Protocol (OData) queries. The backdoor scans for incoming email messages whose subject lines begin with the word "Input," decodes a Base64-encoded message body, and executes the contents as shell commands via "/bin/bash."
Execution results are returned to the operator in an email with the subject line "Output," and, after exfiltration, the implant deletes the original tasking message to erase evidence of the command-and-control exchange. The authors note that the technique—using legitimate cloud APIs and mailboxes as a covert channel—can allow malware to slip past conventional perimeter defenses.
Delivery method: ELF binaries masquerading as PDFs
The campaign uses social engineering to trick targets into opening ELF binaries that are disguised as PDF documents. Once executed, a dropper displays a lure document to the user while stealthily running the backdoor in the background. That delivery profile—an appealing visual lure paired with hidden execution—mirrors common espionage tradecraft and helps the implant remain covert on infected hosts.
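A quick triage check for the delivery profile described above, added here as an example and not code from the Symantec/Carbon Black report: it flags files whose name claims a PDF but whose first bytes are the ELF magic (`\x7fELF`). The sample file names and contents are constructed for the example; on a live host the `file` utility gives the same answer, but the function form is convenient inside a mail-gateway or EDR pipeline.

```python
"""
Flag files that carry a document extension but begin with ELF magic bytes.
Added example; not the report's code. Sample names/contents are constructed.
"""
import os

ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF"
DOC_EXTENSIONS = (".pdf",)  # extend as needed (.docx, .xlsx, ...)


def content_type(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def is_disguised_elf(name: str, head: bytes) -> bool:
    """True when the name claims a document but the bytes are an ELF executable."""
    return name.lower().endswith(DOC_EXTENSIONS) and content_type(head) == "elf"


def scan_tree(root: str) -> list:
    """Walk a directory and return paths of document-named ELF files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if is_disguised_elf(fn, head):
                hits.append(path)
    return hits


# Constructed samples: one real PDF header, one ELF header under a .pdf name,
# and one plainly named ELF that should not be flagged by this check.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%...",
    "report.pdf": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
    "tool": b"\x7fELF\x02\x01\x01\x00",
}


def scan_samples(samples=SAMPLES) -> list:
    """Return the names in `samples` that look like disguised ELF binaries."""
    return sorted(name for name, data in samples.items() if is_disguised_elf(name, data))


if __name__ == "__main__":
    print("disguised ELF files:", scan_samples())
```

The check deliberately ignores the extension when classifying content, so a rename cannot hide the executable; the extension is only consulted afterwards to decide whether the content contradicts what the name promises.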
Artifacts point toward India and Afghanistan
Symantec and Carbon Black reported identifying artifacts uploaded to VirusTotal from India and Afghanistan, which the teams said suggests those countries may be the targets of the espionage activity. The August 2024 incident that introduced the Go-based GoGra against a media organization was also described as targeting an entity in South Asia, reinforcing the geographic pattern the investigators observed.
What this means for technologists, affected enterprises, and policymakers
- Technologists and security teams: Expect adversaries to continue abusing legitimate cloud APIs and mailbox infrastructure as C2 channels. Monitoring for high-frequency OData queries to mailbox folders and anomalous mailbox-folder names such as "Zomato Pizza," unusual patterns of messages with subject prefixes like "Input," or automated deletion of tasking messages may help detect this technique.
- Affected enterprises and procurement leaders: The group’s move from Windows to Linux highlights that tooling can rapidly migrate across operating systems; asset inventories and endpoint controls should account for both ELF and portable executable formats when evaluating exposure to well-resourced espionage actors.
- Policymakers and regulators: The use of mainstream cloud services as covert C2 underscores the dual-use risk of public APIs and the need for operational visibility into how those services are accessed from enterprise environments.
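The detection ideas in the first bullet, and the C2 loop described earlier (two-second polling of one mailbox folder, a subject filter on "Input", a reply via sendMail, then deletion of the tasking message), lend themselves to a log-side heuristic. The following is an added example, not code from the report or from Symantec/Carbon Black. It assumes a constructed, simplified log of Microsoft Graph requests in the form `<ISO timestamp> <principal> <method> <URL>`; real Graph audit or proxy logs have their own schemas and would need a different `parse_line`. The thresholds are assumptions chosen for the example, apart from the two-second interval the report states.

```python
"""
Heuristic detector for mailbox-as-C2 polling patterns in Microsoft Graph
request logs. Added example; not code from the Symantec/Carbon Black report.
Log format, field names and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Tunable thresholds (assumptions for this example; the report only gives the
# two-second poll interval, which falls well under MAX_MEDIAN_GAP_S).
MIN_POLLS = 4              # repeated reads of one folder before calling it polling
MAX_MEDIAN_GAP_S = 5.0     # median seconds between those reads
TASKING_PREFIX = "input"   # subject prefix the report says tasking mails use
CLEANUP_WINDOW_S = 30.0    # sendMail followed by DELETE within this many seconds

# Constructed sample log: one principal polling a folder every two seconds,
# replying, then deleting; a second principal reading its inbox normally.
SAMPLE_LOG = """\
2026-04-01T09:00:00Z svc-mail@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk001/messages?$filter=startswith(subject,'Input')&$top=10
2026-04-01T09:00:02Z svc-mail@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk001/messages?$filter=startswith(subject,'Input')&$top=10
2026-04-01T09:00:04Z svc-mail@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk001/messages?$filter=startswith(subject,'Input')&$top=10
2026-04-01T09:00:06Z svc-mail@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk001/messages?$filter=startswith(subject,'Input')&$top=10
2026-04-01T09:00:06Z svc-mail@example.test POST https://graph.microsoft.com/v1.0/me/sendMail
2026-04-01T09:00:07Z svc-mail@example.test DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkMSG42
2026-04-01T09:03:10Z alice@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
2026-04-01T09:08:41Z alice@example.test GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record."""
    ts, principal, method, url = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": principal,
        "method": method.upper(),
        "url": url,
    }


def folder_key(url: str):
    """Return the path if the request lists messages of a specific mail folder."""
    path = urlsplit(url).path
    return path if "/mailFolders/" in path and path.endswith("/messages") else None


def filters_tasking_subject(url: str) -> bool:
    """True if the OData $filter selects subjects starting with the tasking prefix."""
    for f in parse_qs(urlsplit(url).query).get("$filter", []):
        compact = f.replace(" ", "").lower()
        if "startswith(subject" in compact and TASKING_PREFIX in compact:
            return True
    return False


def analyze(log_text: str) -> dict:
    """Return {principal: [finding, ...]} for principals matching any heuristic."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    findings = {}
    for principal, evs in by_principal.items():
        hits = []
        # 1. Tight polling loop against a single folder.
        reads = defaultdict(list)
        for e in evs:
            key = folder_key(e["url"])
            if e["method"] == "GET" and key:
                reads[key].append(e["ts"])
        for folder, times in reads.items():
            if len(times) >= MIN_POLLS:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                if median(gaps) <= MAX_MEDIAN_GAP_S:
                    hits.append(f"polling {folder} every ~{median(gaps):.0f}s ({len(times)} reads)")
        # 2. Server-side filter on a tasking-style subject prefix.
        if any(filters_tasking_subject(e["url"]) for e in evs):
            hits.append(f"$filter selects subjects starting with '{TASKING_PREFIX}'")
        # 3. Outbound mail promptly followed by message deletion (reply, then cleanup).
        sends = [e["ts"] for e in evs if e["method"] == "POST" and e["url"].endswith("/sendMail")]
        dels = [e["ts"] for e in evs if e["method"] == "DELETE" and "/messages/" in e["url"]]
        if any(0 <= (d - s).total_seconds() <= CLEANUP_WINDOW_S for s in sends for d in dels):
            hits.append("sendMail followed by message DELETE within cleanup window")
        if hits:
            findings[principal] = hits
    return findings


if __name__ == "__main__":
    for principal, hits in analyze(SAMPLE_LOG).items():
        print(principal)
        for h in hits:
            print("  -", h)
```

Each heuristic is weak on its own (a mail client can legitimately poll, filter and delete), so the value lies in a principal tripping several of them together; the folder display name ("Zomato Pizza" in the report) does not appear in request URLs, which carry folder IDs, so matching on it requires a separate mailFolders lookup that this example does not perform.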
Symantec and Carbon Black further observed that, despite differences in deployment and operating system, the underlying C2 logic in the Windows and Linux implants remains unchanged and includes "several matching, hard-coded spelling errors across both platforms," which the teams said points to a single developer behind both tools. The continued development of GoGra for Linux—combined with reuse of the Microsoft Graph API and identical developer fingerprints—indicates Harvester is actively iterating its toolset to broaden the range of machines and victims it can reach.
Read the original report on The Hacker News: https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html