Threat Advisory

Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API

Threat: Malware
Threat Actor Name: Harvester
Threat Actor Type: Nation-Sponsored or State-Sponsored
Targeted Region: Global
Threat Actor Region: South Asia
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

The Harvester APT group has developed a new Linux version of its GoGra backdoor, which uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel to bypass traditional perimeter network defenses. This new malware is linked to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating the threat actor's expansion of cross-platform capabilities.

The attackers gain initial access through social engineering lures, delivering tailored decoy documents to victims. Malicious ELF files are masqueraded as ordinary documents by appending extensions such as “. pdf”, with a subtle space between the filename and the extension, so that the file looks like a document while still executing as a Linux binary. The localized decoy documents suggest that Harvester is targeting a specific regional demographic; initial VirusTotal submissions originated from India and Afghanistan.
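The masquerade described above relies on the file name, not the file content, so a defender can catch it by checking the ELF magic bytes of anything whose name claims to be a document. The following is an added example (not code from the advisory, from Harvester, or from the reports it cites): it walks a directory, normalizes the "name. pdf" / "name .pdf" variants with whitespace around the dot, and reports ELF files that claim a document extension. The extension list, the sample file names and the sample file contents are constructed for this example; the ELF stand-ins are header bytes only, not executables.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ELF_MAGIC = b"\x7fELF"

# Document-style extensions worth checking; this set is an assumption for the example.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}

# Trailing ".<ext>" with optional whitespace on either side of the dot, so that
# "report.pdf", "report .pdf" and "report. pdf" all resolve to the extension "pdf".
_EXT_RE = re.compile(r"\s*\.\s*([A-Za-z0-9]{1,5})\s*$")


def claimed_document_type(name: str) -> Optional[str]:
    """Return the document extension a file name claims, or None if it claims none."""
    m = _EXT_RE.search(name)
    if not m:
        return None
    ext = m.group(1).lower()
    return ext if ext in DOC_EXTENSIONS else None


def extension_is_padded(name: str) -> bool:
    """True when whitespace separates the base name, the dot, or the extension."""
    m = _EXT_RE.search(name)
    return bool(m) and m.group(0) != "." + m.group(1)


def is_elf(path: Path) -> bool:
    """Check the first four bytes for the ELF magic instead of trusting the name."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_masquerading_elf(root) -> List[Dict]:
    """Walk `root` and report ELF files whose names claim to be documents."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        claimed = claimed_document_type(path.name)
        if claimed and is_elf(path):
            findings.append({
                "path": str(path),
                "claimed_type": claimed,
                "padded_extension": extension_is_padded(path.name),
                "executable": os.access(path, os.X_OK),
            })
    return findings


def build_sample_tree() -> str:
    """Create constructed sample files (header bytes only, not malware) in a temp dir."""
    root = tempfile.mkdtemp(prefix="elf-masq-")
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61   # ELF header stand-in
    real_pdf = b"%PDF-1.7\n%constructed sample\n"
    samples = {
        "Quarterly report. pdf": fake_elf,   # dot-space trick from the advisory
        "memo .docx": fake_elf,               # space before the dot
        "notes.pdf": real_pdf,                # genuine document, must not be flagged
        "tool": fake_elf,                     # ELF with no document extension
    }
    for name, data in samples.items():
        p = Path(root, name)
        p.write_bytes(data)
        if data.startswith(ELF_MAGIC):
            p.chmod(0o755)
    return root


if __name__ == "__main__":
    for hit in find_masquerading_elf(build_sample_tree()):
        print(hit)
```

Running the script prints the two constructed lures and leaves the genuine PDF and the plainly named binary alone. In a real sweep, point `find_masquerading_elf` at download and mail-attachment directories; the `padded_extension` flag is the higher-confidence signal, since legitimate document names rarely carry whitespace around the dot.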

Harvester is believed to be a nation-state-backed group that has been active for some time, using both custom malware and publicly available tools in its attacks. Its use of Microsoft infrastructure for command-and-control traffic is a notable aspect of its operations. Together with its expanding cross-platform capabilities and region-specific targeting, this makes Harvester a significant threat in the cybersecurity landscape.
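Because the command-and-control channel rides on graph.microsoft.com, destination-based filtering passes it; what remains visible is the shape of the traffic. The following is an added example (not code from the advisory or from the reports it cites) of a beaconing heuristic over web-proxy logs: it keeps only requests to the Graph v1.0 mailbox routes (`/me/messages`, `/me/mailFolders`, `/me/sendMail` and their `/users/{id}/` forms, which are real Graph endpoints) and flags a source host whose calls recur at a near-constant interval. The log format, host names, user agents, timings and thresholds are all constructed assumptions for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Graph v1.0 routes that read or write mailbox content.
MAIL_PATH_RE = re.compile(r"^/v1\.0/(?:me|users/[^/]+)/(?:messages|mailFolders|sendMail)\b")
GRAPH_HOST = "graph.microsoft.com"

# Constructed proxy log, one request per line:
#   <ISO-8601 timestamp> <source host> <method> <destination host> <path> <user agent>
SAMPLE_LOG = """\
2026-04-02T09:00:00Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:00:21Z ws-alice GET graph.microsoft.com /v1.0/me/messages?$top=25 Mozilla/5.0 (X11; Linux x86_64)
2026-04-02T09:01:02Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:02:01Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:03:03Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:03:30Z lnx-db-02 GET graph.microsoft.com /v1.0/me custom-agent/1.0
2026-04-02T09:04:00Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:04:11Z lnx-build-07 GET pkgs.example.org /debian/dists/stable/InRelease apt/2.6
2026-04-02T09:05:02Z lnx-build-07 GET graph.microsoft.com /v1.0/me/mailFolders/inbox/messages?$top=5 custom-agent/1.0
2026-04-02T09:17:45Z ws-alice GET graph.microsoft.com /v1.0/me/messages?$top=25 Mozilla/5.0 (X11; Linux x86_64)
2026-04-02T09:19:02Z ws-alice POST graph.microsoft.com /v1.0/me/sendMail Mozilla/5.0 (X11; Linux x86_64)
2026-04-02T10:42:09Z ws-alice GET graph.microsoft.com /v1.0/me/messages?$top=25 Mozilla/5.0 (X11; Linux x86_64)
2026-04-02T10:43:30Z ws-alice GET graph.microsoft.com /v1.0/me/mailFolders Mozilla/5.0 (X11; Linux x86_64)
"""


def parse_log(text: str) -> List[Dict]:
    """Split each constructed log line into its six fields (user agent may contain spaces)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, path, ua = line.split(maxsplit=5)
        records.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "method": method, "dst": dst, "path": path, "ua": ua,
        })
    return records


def detect_graph_mail_beacons(log_text: str, min_requests: int = 5,
                              max_cv: float = 0.2) -> Dict[str, Dict]:
    """Return hosts whose Graph mailbox calls recur at a near-constant period.

    The coefficient of variation (stdev / mean) of the inter-request gaps is the
    regularity measure: a timer-driven poll scores near 0, a human's mail usage
    scores well above the threshold.
    """
    by_host = defaultdict(list)
    agents = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["dst"] == GRAPH_HOST and MAIL_PATH_RE.match(rec["path"]):
            by_host[rec["src"]].append(rec["time"])
            agents[rec["src"]].add(rec["ua"])

    flagged = {}
    for host, times in by_host.items():
        if len(times) < min_requests:          # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged[host] = {
                "requests": len(times),
                "mean_period_s": round(mean, 1),
                "cv": round(cv, 3),
                "user_agents": sorted(agents[host]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in detect_graph_mail_beacons(SAMPLE_LOG).items():
        print(host, info)
```

On the constructed log only `lnx-build-07` is flagged, polling the inbox roughly once a minute, while the workstation's irregular mail activity and the non-mailbox Graph call are left alone. Period regularity by itself will also pick up legitimate timer-driven mail sync, so treat a hit as a lead to correlate with the host's role and the process behind the request rather than as a verdict.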

THREAT PROFILE:

Tactic              | Technique ID | Technique                  | Sub-technique
Initial Access      | T1566.002    | Phishing                   | Spearphishing Link
Defence Evasion     | T1036.005    | Masquerading               | Match Legitimate Resource Name or Location
Command and Control | T1071.001    | Application Layer Protocol | Web Protocols
Command and Control | T1571        | Non-Standard Port          | -

MBC MAPPING:

Objective         | Behavior ID | Behavior
Command & Control | B0030       | C2 Communication
Execution         | E1204       | User Execution
Persistence       | F0012       | Registry Run Keys / Startup Folder
Discovery         | E1082       | System Information Discovery

REFERENCES:

The following reports contain further technical details:

https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html

https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra
