A new Linux version of the GoGra backdoor has been attributed to the Harvester threat actor, deployed in attacks likely targeting entities in South Asia. According to the Symantec and Carbon Black Threat Hunter Team, the malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel, enabling it to bypass traditional perimeter network defenses.
The researchers identified artifacts uploaded to VirusTotal from India and Afghanistan, suggesting those two countries may be targets of the espionage activity.
The Linux variant continues the group’s pattern of social engineering to lure victims into opening ELF binaries disguised as PDFs, after which the dropper runs the backdoor and exfiltrates command results via email with the subject line “Output.” Like the Windows version, the Linux GoGra backdoor uses a specific Outlook mailbox folder named “Zomato Pizza” and polls it every two seconds with Open Data Protocol (OData) queries, decrypting Base64-encoded payloads and executing them with /bin/bash.
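The polling behaviour described above is also what makes this channel detectable: a host that reads the same Graph mail folder every two seconds looks nothing like a user's mail client. The script below is an added example, not Symantec's or the malware author's code, that runs a cadence check over a constructed web-proxy log (the log format, the client IPs and the `FOLDERID` placeholder are assumptions for the example) and additionally flags any request that references the reported “Zomato Pizza” folder name.

```python
"""Flag fixed-cadence Microsoft Graph mailbox polling in web-proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote, urlparse

# Constructed sample proxy log. Assumed format: "<ISO-8601 UTC time> <client ip> <method> <url>".
# 10.1.1.5 reads one mail folder every two seconds; 10.1.1.9 behaves like an ordinary mail client.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders?$filter=displayName%20eq%20'Zomato%20Pizza'
2024-06-01T10:00:02Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$top=10
2024-06-01T10:00:04Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$top=10
2024-06-01T10:00:06Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$top=10
2024-06-01T10:00:08Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$top=10
2024-06-01T10:00:10Z 10.1.1.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID/messages?$top=10
2024-06-01T10:00:12Z 10.1.1.5 POST https://graph.microsoft.com/v1.0/me/sendMail
2024-06-01T10:00:01Z 10.1.1.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=50
2024-06-01T10:03:15Z 10.1.1.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=50
2024-06-01T10:07:40Z 10.1.1.9 GET https://graph.microsoft.com/v1.0/me/messages?$top=50
"""

# Folder name reported for GoGra; compared case-insensitively after URL-decoding.
KNOWN_FOLDER_NAME = "zomato pizza"


def parse_line(line):
    """Split one log line into timestamp, client IP, method and URL."""
    ts, ip, method, url = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "method": method, "url": url}


def is_graph_mail_request(url):
    """True for Graph API calls that read mail folders or messages."""
    u = urlparse(url)
    path = u.path.lower()
    return u.hostname == "graph.microsoft.com" and ("/mailfolders" in path or "/messages" in path)


def references_known_folder(url):
    """True if the (decoded) URL mentions the reported C2 folder name, e.g. in an OData $filter."""
    return KNOWN_FOLDER_NAME in unquote(url).lower()


def find_polling(events, interval=2.0, tolerance=0.5, min_polls=5):
    """Per client, flag at least `min_polls` mail reads spaced `interval` seconds apart."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and is_graph_mail_request(e["url"]):
            per_ip[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - interval) <= tolerance]
        if gaps and len(regular) + 1 >= min_polls:
            alerts[ip] = {"polls": len(times), "median_gap_s": median(gaps)}
    return alerts


def analyse(log_text, **kwargs):
    """Combine the cadence check with the folder-name indicator; returns {ip: findings}."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = find_polling(events, **kwargs)
    for e in events:
        if references_known_folder(e["url"]):
            alerts.setdefault(e["ip"], {})["known_folder"] = True
    return alerts


if __name__ == "__main__":
    for ip, findings in analyse(SAMPLE_LOG).items():
        print(ip, findings)
```

The cadence check is the more durable of the two signals: the folder name is trivial for the operator to change, whereas a two-second read loop has to keep its rhythm to work, so tune `interval` and `tolerance` to the observed beacon rather than relying on the string match alone. On a real proxy feed the same logic applies per user principal or device rather than per source IP when NAT hides individual hosts.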
The latest findings indicate Harvester is broadening its toolbox to infect Linux machines in addition to Windows, a trend that aligns with earlier 2024 and 2021 activity documented by Symantec.