New GoGra Linux Malware Uses Outlook and Operates via Microsoft Graph API for Stealth Communication

23.04.2026 4 minutes Author: Newsman

Cybersecurity researchers have discovered a new Linux version of the GoGra backdoor that uses legitimate Microsoft infrastructure to covertly control infected systems. The malware uses the Microsoft Graph API and Outlook mailboxes as a communication channel, making it much more difficult to detect.

Cybersecurity researchers have identified a new variant of the GoGra backdoor for Linux. Its distinguishing characteristic is that it uses legitimate Microsoft infrastructure (namely Outlook e-mail accounts) as the conduit for delivering attacker commands to, and receiving responses from, compromised systems.

The GoGra malware is associated with the Harvester Group, which is considered to be state-sponsored and has conducted cyberespionage of various kinds against organizations across the South Asia region since 2021. Targets of previous attacks have included telecommunications providers, government agencies and information technology organizations. In addition to other tools, such as backdoors and loaders, the Harvester Group also uses its own custom-built toolset in its operations.

Researchers at Symantec recently examined a newly discovered GoGra sample that had appeared on VirusTotal. Their analysis showed that the attacker gains initial access through social engineering: an end user is tricked into running an ELF executable disguised as an ordinary PDF document.

Executing the ELF file installs a dropper written in Go on the target system. The dropper then installs an i386 build of the malicious payload. For persistence, GoGra uses both systemd and the XDG autostart mechanism. To evade detection by security products, the malware disguises itself as the legitimate Conky system monitor.

The most interesting part of the attack is its use of Microsoft’s Graph API. The malware authenticates to Microsoft’s cloud services with hardcoded Azure Active Directory credentials and obtains OAuth2 tokens. Once it holds these tokens, it begins using an Outlook mailbox as its communication channel.

Functionally, this component of the attack is relatively simple yet very effective:

  • Every two seconds, the malware queries an Outlook folder named “Zomato Pizza” for new emails.

  • For each email whose subject line contains “Input”, the body is extracted, base64-decoded and decrypted with AES-CBC.

  • Each received command is then executed directly on the system, without modification or obfuscation.

After executing a command, the malware generates a response, encrypts it with AES and sends it back to the attacker as an email with the subject “Output”.

To make detection as difficult as possible, once the malware has processed a batch of commands it deletes every email that contained a command, using an HTTP DELETE request. Post-incident forensic analysis of activity logs may therefore be complicated by the loss of this evidence.
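As an added example (not from Symantec’s report and not the malware’s own code), the following defender-side heuristic runs over constructed egress proxy log lines and flags the behaviour described above: a process that is not a known mail client polling a Graph mailbox endpoint every few seconds and deleting messages with HTTP DELETE. The log line format, host names, process allowlist and the folder/message ids are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Graph mailbox endpoints: /me/mailFolders/<id>/messages, /me/messages/<id> (or /users/<upn>/...)
GRAPH_MAIL = re.compile(
    r"^https://graph\.microsoft\.com/v1\.0/(?:me|users/[^/]+)/(?:mailFolders/[^/]+/)?messages")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|DELETE) (\S+)$")
MAIL_CLIENTS = {"thunderbird", "evolution"}  # assumption: processes allowed to use Graph mail
POLL_SECONDS, MIN_REQUESTS = 5.0, 4  # GoGra polls every 2 s; no human mail client is that fast

# Constructed proxy log in the form "timestamp host process METHOD url"; not real telemetry.
SAMPLE_LOG = """\
2026-04-23T10:00:00Z ws-17 conky GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkFolderX/messages
2026-04-23T10:00:02Z ws-17 conky GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkFolderX/messages
2026-04-23T10:00:04Z ws-17 conky GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkFolderX/messages
2026-04-23T10:00:06Z ws-17 conky GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkFolderX/messages
2026-04-23T10:00:07Z ws-17 conky DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkMsg1
2026-04-23T10:05:00Z ws-02 thunderbird GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2026-04-23T10:10:00Z ws-02 thunderbird GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
"""

def parse(log_text):
    """Yield (timestamp, host, process, method, url) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)

def find_mailbox_beacons(log_text):
    """Return {(host, process): [reasons]} for Graph mail traffic that looks like GoGra-style C2."""
    events = defaultdict(list)
    for ts, host, proc, method, url in parse(log_text):
        if GRAPH_MAIL.match(url):
            events[(host, proc)].append((ts, method))
    findings = {}
    for (host, proc), evs in events.items():
        reasons = []
        gets = sorted(ts for ts, m in evs if m == "GET")
        gaps = [(b - a).total_seconds() for a, b in zip(gets, gets[1:])]
        if len(gaps) >= MIN_REQUESTS - 1 and median(gaps) <= POLL_SECONDS:
            reasons.append(f"polls mailbox every ~{median(gaps):.0f}s")
        if any(m == "DELETE" for _, m in evs):
            reasons.append("deletes messages with HTTP DELETE")
        if proc not in MAIL_CLIENTS:
            reasons.append(f"unexpected process '{proc}'")
        if len(reasons) >= 2:  # one weak signal alone is noise; two or more is worth an alert
            findings[(host, proc)] = reasons
    return findings
```

On the constructed log, `ws-17/conky` is reported with all three reasons while the Thunderbird host on a five-minute sync cadence is not; in practice the same logic can be pointed at Graph API sign-in and activity logs on the tenant side, where the deleted messages are still recorded even though they are gone from the mailbox.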

Symantec’s researchers also compared the two variants technically. The Linux version appears nearly identical to the Windows version: error messages in specific lines of code and the naming conventions for functions are the same, and both variants use the exact same AES encryption key. These similarities indicate that a single developer most likely worked on both versions, which allows them to be definitively linked to the Harvester Group.

According to Symantec, the existence of a Linux version represents an extension of the Harvester Group’s capabilities. Although Harvester initially focused on Windows platforms, its ability to develop and distribute malware for multiple operating systems increases the overall risk posed by its campaigns.
