A new campaign attributed to the Harvester advanced persistent threat (APT) group delivers a Linux port of the GoGra backdoor, which hides its command‑and‑control (C2) traffic inside Microsoft Graph API calls against an Outlook mailbox. By tunnelling operations through trusted Microsoft 365 services, the attackers make network‑perimeter detection and traditional blocking far less effective.
Background: Harvester APT and South Asia–Focused Cyber‑Espionage
Harvester has been tracked by security vendors since at least 2021, when researchers linked the group to cyber‑espionage operations against telecommunications, government, and IT organizations in South Asia. Earlier campaigns relied on a bespoke implant known as Graphon, which already leveraged Microsoft Graph API for C2 communications.
In 2024, analysts reported that Harvester had compromised a South Asian media organization with a Windows backdoor written in Go, dubbed GoGra. Recent findings show that the operators have since ported GoGra to Linux, extending their reach to servers and other high‑value infrastructure so that the same toolset works across mixed Windows and Linux estates.
Linux GoGra samples uploaded to public malware‑scanning services were submitted from India and Afghanistan, reinforcing the assessment that South Asia remains the primary target. The techniques and tooling are, however, geographically agnostic and could be turned on organizations in any region.
GoGra Linux Backdoor: PDF Disguise and Covert Execution
The initial access vector for the GoGra Linux backdoor relies heavily on social engineering. Victims receive ELF executables masquerading as PDF documents, with plausible filenames and accompanying lure text that persuade users to launch them by hand. Unlike a Windows PE file, an ELF binary carries no embedded icon, so the disguise rests on the filename and the lure text rather than on a convincing document thumbnail; the file's true type is visible to anyone who checks its first bytes.
When executed, the file acts as a dropper. It opens a decoy document to maintain the appearance of normal activity, while silently installing and starting the GoGra Linux backdoor in the background. This dual‑action approach makes the event look like a standard PDF open, reducing user suspicion and the likelihood of incident reporting.
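A quick on‑host check for the disguise described above, added here as an illustration rather than code from the campaign or from any vendor's tooling: it walks a directory, reads the first bytes of every file whose extension claims a document type, and reports those that are really ELF executables, decoding the ELF class, type and machine from the header so the finding says something useful (roughly what the Unix file utility would print). The directory layout, filenames and file contents in the sample are constructed for the demonstration; the extension list and the choice to ignore executables that do not pretend to be documents are assumptions you may want to change.

```python
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Extensions a lure file is likely to carry (assumption); extend to taste.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".odt", ".txt"}
ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def describe_elf(header: bytes) -> str:
    """Summarise class, type and machine from the first 20 bytes of an ELF header."""
    if len(header) < 20 or not header.startswith(ELF_MAGIC):
        return "not ELF"
    bits = {1: "32-bit", 2: "64-bit"}.get(header[4], "unknown-class")  # EI_CLASS
    endian = "<" if header[5] == 1 else ">"                             # EI_DATA: 1 little, 2 big
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])     # e_type, e_machine
    return "{} {} {}".format(
        bits,
        ELF_TYPES.get(e_type, f"type=0x{e_type:x}"),
        ELF_MACHINES.get(e_machine, f"machine=0x{e_machine:x}"),
    )


def scan_for_disguised_elf(root):
    """Return sorted [(path, description)] for document-named files that are really ELF binaries."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DOCUMENT_EXTENSIONS:
            continue
        with open(path, "rb") as f:
            head = f.read(64)  # the ELF identification block plus e_type/e_machine fit in 64 bytes
        if head.startswith(ELF_MAGIC):
            findings.append((str(path), describe_elf(head)))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample: one real PDF, one ELF header wearing a .pdf name, one plain executable."""
    root = tempfile.mkdtemp(prefix="gogra-demo-")
    (Path(root) / "quarterly-report.pdf").write_bytes(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n")
    # Minimal 64-bit little-endian ELF header: magic, EI_CLASS=2, EI_DATA=1, EI_VERSION=1,
    # padding to offset 16, then e_type=ET_EXEC (2) and e_machine=x86-64 (0x3E), padded to 64 bytes.
    fake_header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44
    (Path(root) / "Invoice_March.pdf").write_bytes(fake_header)
    # An executable that is not pretending to be a document is not reported by this check.
    (Path(root) / "helper").write_bytes(fake_header)
    return root


if __name__ == "__main__":
    for path, info in scan_for_disguised_elf(build_sample_dir()):
        print("DISGUISED ELF:", path, "->", info)
```

Run it against a mail spool, a downloads directory or a shared drive. A Go binary such as the one described here will typically show up as ET_EXEC (or ET_DYN when built as a position‑independent executable); either way the magic bytes, not the extension, decide the verdict.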
Microsoft Graph and Outlook C2: “Zomato Pizza” Folder and Email‑Driven Commands
The most notable feature of GoGra is its abuse of Microsoft Graph API and an Outlook mailbox as a C2 channel. The Linux variant mirrors the Windows version in how it talks to the operators’ mailbox.
The backdoor authenticates to a specific Outlook mailbox and, every two seconds, lists an unusual folder named “Zomato Pizza” through Microsoft Graph API requests carrying Open Data Protocol (OData) query parameters. On the wire, every C2 exchange is therefore an HTTPS request to graph.microsoft.com (plus token requests to login.microsoftonline.com), indistinguishable at the network layer from a legitimate mail client.
1. Task retrieval. GoGra scans messages in the target folder and selects emails whose subject lines begin with the prefix “Input”. This prefix acts as the operator’s command marker.
2. Command execution. The email body contains the payload as a Base64‑encoded string. GoGra decodes the content and executes it as shell commands via /bin/bash, giving operators broad control: file collection, system reconnaissance, credential harvesting, or lateral movement.
3. Results exfiltration. Command output is captured and sent back as a reply email with the subject “Output”. From a defender’s perspective, this appears as ordinary mailbox activity in Microsoft 365.
4. Evidence cleanup. After processing each task, GoGra deletes the original “Input” message, reducing artifacts available for forensic analysis and complicating post‑incident reconstruction.
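The four‑step cycle above leaves a recognisable trace wherever the mailbox is audited. The detector below is added here as an example and is not code from any vendor report; it runs three rules over a constructed, simplified mailbox‑activity log: a folder listed at a near‑fixed cadence of a few seconds, a polling target outside the standard folder set, and the read‑“Input”, send‑“Output”, delete‑“Input” sequence. The field names (time, user, ip, op, folder, subject), the thresholds and every sample entry are assumptions made for the demonstration. A real Exchange Online unified audit log expresses the same activity as MailItemsAccessed, Send and SoftDelete records with its own schema, so a mapping step would sit in front of this in practice.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Folders a mail client normally touches; a polling target outside this set is suspicious.
WELL_KNOWN_FOLDERS = {"Inbox", "Sent Items", "Drafts", "Deleted Items", "Junk Email", "Archive", "Outbox"}
MIN_POLL_EVENTS = 5           # need this many folder listings before judging cadence (assumption)
MAX_MEDIAN_GAP_SECONDS = 5.0  # GoGra polls every ~2 s; mail clients and humans do not (assumption)

# Constructed sample log, JSON lines, simplified schema. One implant-like actor
# (svc-archive from 198.51.100.23) and one ordinary user (alice) reading her Inbox.
SAMPLE_LOG = """\
{"time": "2025-01-15T10:00:00Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:00:02Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:00:04Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:00:05Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "FolderRead", "folder": "Inbox"}
{"time": "2025-01-15T10:00:06Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:00:08Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:00:10Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "MessageRead", "folder": "Zomato Pizza", "subject": "Input 4f2a"}
{"time": "2025-01-15T10:00:11Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "Send", "subject": "Output 4f2a"}
{"time": "2025-01-15T10:00:12Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "Delete", "folder": "Zomato Pizza", "subject": "Input 4f2a"}
{"time": "2025-01-15T10:00:14Z", "user": "svc-archive@example.com", "ip": "198.51.100.23", "op": "FolderRead", "folder": "Zomato Pizza"}
{"time": "2025-01-15T10:03:05Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "FolderRead", "folder": "Inbox"}
{"time": "2025-01-15T10:06:05Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "FolderRead", "folder": "Inbox"}
{"time": "2025-01-15T10:09:05Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "FolderRead", "folder": "Inbox"}
{"time": "2025-01-15T10:12:05Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "FolderRead", "folder": "Inbox"}
{"time": "2025-01-15T10:12:40Z", "user": "alice@example.com", "ip": "203.0.113.8", "op": "Send", "subject": "Re: budget"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, turning the ISO-8601 'time' field into a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_mailbox_c2(records, max_median_gap=MAX_MEDIAN_GAP_SECONDS, min_events=MIN_POLL_EVENTS):
    """Return a list of alert dicts. An actor is a (user, source IP) pair, so a legitimate
    Outlook session and an implant sharing one mailbox are scored separately."""
    alerts = []
    by_actor = defaultdict(list)
    for rec in records:
        by_actor[(rec["user"], rec["ip"])].append(rec)

    for (user, ip), events in by_actor.items():
        events.sort(key=lambda r: r["time"])

        def alert(rule, detail):
            alerts.append({"rule": rule, "user": user, "ip": ip, "detail": detail})

        # Rules 1 and 2: how often each folder is listed, and whether it is a folder anyone should be listing.
        listings = defaultdict(list)
        for rec in events:
            if rec["op"] == "FolderRead":
                listings[rec["folder"]].append(rec["time"])
        for folder, times in listings.items():
            if folder not in WELL_KNOWN_FOLDERS:
                alert("nonstandard_folder", f"polls folder {folder!r}")
            if len(times) >= min_events:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                median = statistics.median(gaps)
                if median <= max_median_gap:
                    alert("fast_polling", f"{len(times)} listings of {folder!r}, median gap {median:.1f}s")

        # Rule 3: read an "Input ..." message, send an "Output ..." reply, then delete that same "Input ..." message.
        pending = None
        for rec in events:
            subject = rec.get("subject", "")
            if rec["op"] == "MessageRead" and subject.startswith("Input"):
                pending = {"subject": subject, "answered": False}
            elif pending and rec["op"] == "Send" and subject.startswith("Output"):
                pending["answered"] = True
            elif pending and pending["answered"] and rec["op"] == "Delete" and subject == pending["subject"]:
                alert("input_output_delete_cycle", f"task {subject!r} read, answered and deleted")
                pending = None
    return alerts


if __name__ == "__main__":
    for a in detect_mailbox_c2(parse_records(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['user']} from {a['ip']}: {a['detail']}")
```

Each rule is weak on its own (a badly written sync client can poll quickly; odd folder names exist), so score them together per actor. The caveat from the C2 description applies: these rules only help when the mailbox sits in a tenant whose audit logs you can read.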
Researchers note that the C2 logic for Windows and Linux GoGra is nearly identical, and both codebases share the same distinctive spelling errors, indicating a common developer or tightly coordinated development team.
Why Microsoft Graph–Based C2 Is Hard to Detect
Abusing major cloud providers’ infrastructure for C2—sometimes described as “living off the cloud”—has become increasingly common among advanced threat actors. By embedding malware traffic into Microsoft 365 and Graph API calls, Harvester gains several advantages.
Traffic camouflage. Outbound connections to Microsoft endpoints such as graph.microsoft.com and login.microsoftonline.com are treated as trusted and are used by a great many legitimate applications. Security teams are reluctant to apply strict blocking policies there because of the business impact, which lets the malicious traffic blend in.
Perimeter bypass. Firewalls and web proxies usually pass Microsoft 365 traffic with minimal inspection; it is TLS‑encrypted end to end, and Microsoft’s own connectivity guidance recommends exempting its Microsoft 365 endpoints from proxying and TLS interception, so deep packet inspection is rarely applied and is costly where it is.
C2 resilience. Blocking Microsoft cloud IP ranges or domains would disrupt core services such as email, collaboration tools, and identity management. Attackers exploit this dependency to maintain a highly available, low‑profile C2 channel that needs no infrastructure of their own beyond a mailbox.
Industry reports from Microsoft, Mandiant, and other vendors have consistently highlighted a multi‑year trend toward cloud‑hosted C2, dead‑drop email, and API abuse in targeted attacks. Harvester’s GoGra campaign fits squarely into this pattern.
Defending Linux and Microsoft 365 Environments Against GoGra
Mitigating the risk of the GoGra Linux backdoor and similar threats requires a combination of user awareness, cloud telemetry monitoring, and endpoint security.
1. Harden email and user security. Train users to be cautious with attachments, especially files that claim to be documents but are actually ELF binaries; on Linux the file utility reports the real type regardless of extension. On secure email gateways, consider blocking or quarantining executable attachments from external senders, and validate content by magic bytes rather than by extension or declared MIME type.
2. Monitor Microsoft 365 and Graph API usage. Collect and correlate Exchange Online mailbox audit records, Graph activity, and Microsoft Entra ID (formerly Azure AD) sign‑in logs. Red flags include service accounts or unusual users querying the same mailbox or folder every few seconds, unexpected folder names (such as “Zomato Pizza”), and anomalous API usage patterns. Bear in mind that if the mailbox lives in an attacker‑controlled tenant, which is the likely arrangement for this technique, none of that activity appears in the victim’s own tenant logs; the remaining signals are then on the host and at the egress, for example a Linux server with no mail client authenticating to login.microsoftonline.com and polling graph.microsoft.com at a fixed cadence.
3. Strengthen Linux endpoint protection. Deploy EDR/XDR solutions with Linux support, and monitor execution of ELF files from home directories, /tmp, and other world‑writable paths (auditd execve rules cover this where no EDR is present). Give service accounts a non‑interactive shell such as /usr/sbin/nologin rather than /bin/bash, and implement file integrity monitoring to detect unauthorized binaries and configuration changes.
4. Conduct proactive threat hunting. Regularly hunt for unknown ELF binaries, abnormal bash activity, and suspicious email automation. Organizations operating in or doing business with South Asia should explicitly incorporate Harvester’s TTPs into their threat‑hunting playbooks.
The emergence of the GoGra Linux backdoor confirms that Harvester is actively evolving its toolkit to span both Windows workstations and Linux servers, while hiding behind trusted Microsoft Graph and Outlook C2 channels. Organizations that still treat traffic to trusted cloud services as inherently safe, and therefore leave it as a blind spot, are increasingly exposed. Revisiting cloud trust assumptions, tightening Microsoft 365 monitoring, and raising Linux security controls are critical steps to detecting such backdoors before they enable data theft or long‑term espionage.