A new GoGra Linux backdoor uses Microsoft Graph API and an Outlook inbox to deliver payloads, making it stealthy and hard to detect, according to Broadcom Symantec. The GoGra Linux variant is linked to the Harvester cyberespionage group, which is believed to be a nation-state actor, and it uses the legitimate Graph API and Outlook mailboxes as a covert command-and-control channel to bypass traditional perimeter protections.
Initial evidence suggests the campaign targeted South Asia, with early samples submitted from India and Afghanistan and decoy documents indicating a tailored approach. The GoGra backdoor abuses Microsoft cloud services by using hardcoded Azure AD credentials to obtain OAuth2 tokens and by polling a specific Outlook mailbox folder via Microsoft Graph API for commands, which are decrypted and executed on the host.
It polls a named mailbox folder every two seconds and, after processing each command, deletes the message to erase traces. The Linux and Windows versions share a nearly identical codebase, implying cross-platform development by the Harvester group.
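As an added example (not code from Symantec's report or from the malware), the following defender-side heuristic flags the pattern described above: an application identity whose Microsoft Graph mail-folder reads arrive at a steady two-second cadence and are followed by message deletions. The log records are constructed and simplified, and their field names are an assumption loosely modelled on Graph activity log columns.

```python
"""Heuristic detection of mailbox-as-C2 polling over Microsoft Graph."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def _rec(app, ip, t, method, uri):
    # Constructed, simplified log record; field names are assumptions.
    return {"app_id": app, "ip": ip, "time": datetime.fromisoformat(t),
            "method": method, "uri": uri}


SAMPLE = []
# Constructed suspect client: six folder reads at a 2 s cadence, then the
# fetched message is deleted.
for i in range(6):
    SAMPLE.append(_rec("app-A", "203.0.113.5", f"2024-01-01T10:00:{2 * i:02d}",
                       "GET", "/v1.0/users/ops@example.invalid/mailFolders/inbox/messages"))
SAMPLE.append(_rec("app-A", "203.0.113.5", "2024-01-01T10:00:13",
                   "DELETE", "/v1.0/users/ops@example.invalid/messages/AAMk1"))
# Constructed benign client: five hourly syncs, no deletes.
for h in range(5):
    SAMPLE.append(_rec("app-B", "198.51.100.7", f"2024-01-01T{9 + h:02d}:00:00",
                       "GET", "/v1.0/me/mailFolders/inbox/messages"))


def find_mailbox_c2(events, max_gap=3.0, min_polls=4):
    """Return {(app_id, ip): stats} for clients whose message-list GETs have a
    median spacing <= max_gap seconds and that also DELETE messages."""
    by_client = defaultdict(list)
    for e in events:
        by_client[(e["app_id"], e["ip"])].append(e)
    hits = {}
    for key, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        polls = [e for e in evs if e["method"] == "GET" and e["uri"].endswith("/messages")]
        deletes = sum(1 for e in evs if e["method"] == "DELETE" and "/messages/" in e["uri"])
        if len(polls) < min_polls:
            continue
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(polls, polls[1:])]
        if median(gaps) <= max_gap and deletes > 0:
            hits[key] = {"polls": len(polls), "median_gap": median(gaps), "deletes": deletes}
    return hits


if __name__ == "__main__":
    for client, stats in find_mailbox_c2(SAMPLE).items():
        print("suspect mailbox polling:", client, stats)
```

Tune max_gap and min_polls to the normal mail-sync behaviour of your tenant; the delete-after-read condition is what separates this pattern from ordinary eager mail clients.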