Harvester has been active since at least 2021.
Who Harvester is and why the new GoGra variant matters
Symantec researchers say the GoGra backdoor's Linux variant is the newest tool in the arsenal of Harvester, an espionage group described in the reporting as "believed to be state-backed." The group has been tracked since at least 2021 and, according to the same reporting, has targeted telecommunications, government, and IT organizations in South Asia. The emergence of a Linux-capable variant indicates the group's effort to broaden the range of systems it can compromise.
How GoGra uses Microsoft Graph API and Outlook for covert comms
Rather than building a bespoke command-and-control channel, the Linux GoGra backdoor leverages legitimate Microsoft infrastructure. Symantec found that the malware contains hardcoded Azure Active Directory (AD) credentials that it uses to obtain OAuth2 tokens and interact with Outlook mailboxes through the Microsoft Graph API. The backdoor polls a specific mailbox folder named "Zomato Pizza" and uses OData queries to locate incoming emails whose subject lines begin with "Input." Commands are embedded in those messages, and results are returned by reply emails with the subject "Output."
Technical mechanics: delivery, persistence, and operational hygiene
Symantec analyzed samples retrieved from VirusTotal and reported that initial access was gained by tricking victims into executing ELF binaries disguised as PDF files. A Go-based dropper deploys an i386 payload and establishes persistence using both a systemd unit and an XDG autostart entry that masquerades as the legitimate Conky system monitor for Linux and BSD.
Once running, the malware checks the designated mailbox folder every two seconds. It decrypts base64-encoded and AES-CBC-encrypted message bodies, executes the contained commands locally, encrypts execution results with AES, and returns those results via reply emails. To reduce forensic visibility, the backdoor issues an HTTP DELETE request to remove the original command email after processing it.
Linking Linux and Windows GoGra: forensic indicators
Symantec reports that the Linux variant shares a nearly identical codebase with an existing Windows version. The shared code includes the same typos in strings and function names and, crucially, the same AES key. Those similarities, the researchers say, strongly suggest both variants were created by the same developer and therefore point back to Harvester as the operator behind both builds.
What this means for telecommunications, government, and IT organizations in South Asia
- Telecommunications operators: the use of cloud mailbox infrastructure as a covert channel increases the difficulty of distinguishing legitimate traffic from malicious activity; organizations that host or manage mail infrastructure should review delegated application credentials and OAuth app registrations tied to Azure AD accounts.
- Government agencies: persistence mechanisms that masquerade as common system utilities (Conky) and the targeting of Outlook folders named "Zomato Pizza" are concrete indicators that defenders can add to hunt lists and endpoint detection rules.
- IT organizations (regional and enterprise): the delivery technique—ELF binaries impersonating PDFs—and the cadence of mailbox polling (every two seconds) are specific behaviors to monitor in endpoint telemetry and mail API audit logs.
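The polling behavior described above (a fixed mail folder, an OData filter on subjects beginning with "Input", a roughly two-second cadence, and a DELETE after each command is read) can be turned into a hunt over Graph API audit data. The following is an added example, not code from Symantec or from the article; the log format, app IDs and timestamps are constructed, and the three-second cadence threshold is an assumption.

```python
"""Hunt for GoGra-style Graph API mailbox polling in constructed audit records."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote

# Constructed sample records (not real telemetry): appId, timestamp, method, request path.
SAMPLE_LOG = """\
app-aaaa 2024-05-01T10:00:00Z GET /me/mailFolders/Zomato%20Pizza/messages?$filter=startswith(subject,'Input')
app-aaaa 2024-05-01T10:00:02Z GET /me/mailFolders/Zomato%20Pizza/messages?$filter=startswith(subject,'Input')
app-aaaa 2024-05-01T10:00:04Z GET /me/mailFolders/Zomato%20Pizza/messages?$filter=startswith(subject,'Input')
app-aaaa 2024-05-01T10:00:05Z DELETE /me/messages/AAMk1
app-bbbb 2024-05-01T10:00:00Z GET /me/mailFolders/Inbox/messages?$top=10
app-bbbb 2024-05-01T10:05:00Z GET /me/mailFolders/Inbox/messages?$top=10
"""

def parse(log):
    """Return (app, datetime, method, decoded path) tuples; path may contain spaces."""
    recs = []
    for line in log.splitlines():
        app, ts, method, path = line.split(" ", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        recs.append((app, when, method, unquote(path)))
    return recs

def suspicious_apps(recs, max_interval_s=3.0):
    """Map app ID -> list of reasons it resembles the GoGra mailbox channel."""
    by_app = defaultdict(list)
    for r in recs:
        by_app[r[0]].append(r)
    findings = {}
    for app, rows in by_app.items():
        reasons = []
        # Cadence check: median gap between successive GET polls at or under the threshold.
        gets = sorted(r[1] for r in rows if r[2] == "GET")
        gaps = [(b - a).total_seconds() for a, b in zip(gets, gets[1:])]
        if len(gaps) >= 2 and median(gaps) <= max_interval_s:
            reasons.append("high-frequency mailbox polling")
        # Content check: the folder name and subject filter reported by Symantec.
        if any("Zomato Pizza" in r[3] or "startswith(subject,'Input')" in r[3] for r in rows):
            reasons.append("GoGra folder/subject filter")
        # Hygiene check: deleting messages right after reading them.
        if any(r[2] == "DELETE" and "/messages/" in r[3] for r in rows):
            reasons.append("message deletion after read")
        if reasons:
            findings[app] = reasons
    return findings

if __name__ == "__main__":
    print(suspicious_apps(parse(SAMPLE_LOG)))
```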
The technical detail in Symantec's analysis shows a deliberate choice to ride on trusted cloud services for stealth, and the near-identical codebase between platform builds ties Linux and Windows intrusions to a single authorial source. That combination—cloud-based command transport plus cross-platform tooling—raises a pointed question the facts leave on the table: as advanced actors reuse and extend single codebases across operating systems, how will defenders adapt detection and credential governance to keep pace?
Source: BleepingComputer — New GoGra malware for Linux uses Microsoft Graph API for comms