Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

GoGra Linux backdoor uses Microsoft Graph API and Outlook for covert command delivery

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The GoGra malware family now includes a Linux backdoor variant that uses Microsoft Graph API and an Outlook inbox for covert command delivery, making operator communications harder to detect. The sample also shows encrypted command handling, local execution, and email-based return of results on Linux systems. The activity matters because it extends Harvester’s tooling into another platform while leaning on legitimate Microsoft services for stealth.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Open Happening

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Open Happening

GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2

Malware Activity
First: 23.04.2026 15:06 Last: 23.04.2026 15:06 Sources 1

About this happening: The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...

Open Happening

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

Open Happening

WhatsApp-delivered VBS Windows infection campaign

Campaign
First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

Open Happening

Timeline

  1. 22.04.2026 13:00 2 articles · 1mo ago

    Linux GoGra backdoor uses Microsoft Graph API

    Technical Analysis Update

    A Linux variant of the GoGra backdoor uses hardcoded Azure Active Directory credentials to obtain OAuth2 tokens, then accesses Outlook mailboxes through Microsoft Graph API for covert command delivery. The sample uses ELF binaries disguised as PDF files, establishes persistence with systemd and an XDG autostart entry posing as Conky, polls the “Zomato Pizza” folder for messages with “Input.” subjects, decrypts base64-encoded AES-CBC commands, returns results in “Output.” replies, and deletes the original command email after processing.

    Show sources
    Open in new tab