

Linux GoGra backdoor leverages Microsoft Graph API for covert C2 via Outlook mailbox

1 unique source, 1 article

Summary


A previously undocumented Linux variant of the GoGra backdoor, attributed to the state-backed Harvester espionage group, has been identified using legitimate Microsoft Graph API and Outlook mailboxes for stealthy command-and-control (C2) communications. The malware is delivered via fraudulent ELF executables masquerading as PDF files, establishes persistence via systemd and XDG autostart under the guise of the Conky system monitor, and retrieves base64-encoded, AES-CBC encrypted commands from a specific Outlook folder named “Zomato Pizza” with subject lines prefixed “Input.” Execution results are similarly encrypted and returned to the operator via reply emails labeled “Output,” with original command emails deleted to reduce forensic traces. The campaign targets telecommunications, government, and IT organizations in South Asia, indicating an expansion of Harvester’s operational scope and toolset to include Linux systems.

Timeline

  1. 22.04.2026 13:00 · 1 article

    Linux GoGra backdoor variant detected using Microsoft Graph API for C2 via Outlook mailbox

    A previously undocumented Linux variant of the GoGra backdoor was identified establishing C2 through Microsoft Graph API and Outlook mailboxes. The malware retrieves encrypted commands from a specific folder and email subject pattern, executes them on the host, encrypts results, and returns them via reply email while deleting the original command email to reduce forensic traces. Persistence is maintained via systemd and XDG autostart under a legitimate-looking disguise.


Information Snippets

  • Linux GoGra backdoor uses hardcoded Azure AD credentials to authenticate to Microsoft cloud services and obtain OAuth2 tokens for Microsoft Graph API access.

    First reported: 22.04.2026 13:00
    1 source, 1 article
  • The malware dropper is a Go-based ELF binary that deploys an i386 payload and establishes persistence via systemd and XDG autostart, using filenames that mimic the legitimate Conky system monitor.

  • C2 communications rely on polling a designated Outlook mailbox folder named “Zomato Pizza” every two seconds, parsing emails with subjects starting with “Input” containing base64-encoded and AES-CBC-encrypted payloads.

  • Execution results are AES-encrypted and returned via reply emails with the subject “Output,” after which the original command email is deleted via HTTP DELETE to minimize forensic visibility.

  • The Linux variant shares a nearly identical codebase with the Windows GoGra version, including the same typos in strings and function names and reuse of the same AES key, strongly suggesting development by the same actor.

  • The Harvester threat group has been active since at least 2021 and is known to deploy custom backdoors and loaders in campaigns against telecommunications, government, and IT sectors in South Asia.

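The polling cadence, the "Input"/"Output" subject pairing and the post-execution deletion summarised above are the kind of mailbox-activity pattern a defender can score from audit data. The Python below is an added example, not code from the page or from the reporting vendor; the record layout, the normalised operation names (list/read/send/delete) and the sample records are constructed assumptions, not the malware's actual Graph API traffic.

```python
"""Heuristic scoring of mailbox activity for the GoGra-style C2 pattern.

Input records are constructed to resemble a normalised mailbox audit export:
(timestamp, operation, folder, subject). Both the field layout and the
operation names are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: a folder polled every two seconds, one "Input"
# command read, an "Output" reply sent, the command deleted, plus benign noise.
SAMPLE = [
    ("2026-04-22T13:00:00", "list", "Zomato Pizza", None),
    ("2026-04-22T13:00:02", "list", "Zomato Pizza", None),
    ("2026-04-22T13:00:04", "list", "Zomato Pizza", None),
    ("2026-04-22T13:00:04", "read", "Zomato Pizza", "Input 1"),
    ("2026-04-22T13:00:05", "send", "Zomato Pizza", "Output"),
    ("2026-04-22T13:00:05", "delete", "Zomato Pizza", "Input 1"),
    ("2026-04-22T13:00:06", "list", "Zomato Pizza", None),
    ("2026-04-22T13:00:08", "list", "Zomato Pizza", None),
    ("2026-04-22T13:05:00", "read", "Inbox", "Lunch?"),
]


def analyse(records, max_gap=3.0, min_polls=4):
    """Return per-folder findings for folders showing tight polling and/or
    the read-Input -> send-Output -> delete-Input chain."""
    by_folder = defaultdict(list)
    for ts, op, folder, subject in records:
        by_folder[folder].append((datetime.fromisoformat(ts), op, subject))
    findings = {}
    for folder, evs in by_folder.items():
        evs.sort(key=lambda e: e[0])
        # Machine-like cadence: many folder listings with a short, steady gap.
        polls = [t for t, op, _ in evs if op == "list"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        tight_polling = len(polls) >= min_polls and all(g <= max_gap for g in gaps)
        # Command chain: an "Input" message read, an "Output" reply sent,
        # and the same "Input" message deleted afterwards.
        read_inputs = {s for _, op, s in evs if op == "read" and s and s.startswith("Input")}
        deleted_inputs = {s for _, op, s in evs if op == "delete" and s in read_inputs}
        replied = any(op == "send" and s and s.startswith("Output") for _, op, s in evs)
        chain = bool(deleted_inputs) and replied
        score = int(tight_polling) + int(chain)
        if score:
            findings[folder] = {"tight_polling": tight_polling, "command_chain": chain, "score": score}
    return findings
```

A folder scoring 2 exhibits both the two-second polling and the full command/reply/delete chain; a lone benign folder such as the Inbox in the sample produces no finding.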