惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Simon Willison's Weblog
Simon Willison's Weblog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
博客园 - 三生石上(FineUI控件)
爱范儿
爱范儿
S
SegmentFault 最新的问题
人人都是产品经理
人人都是产品经理
T
Tailwind CSS Blog
Hugging Face - Blog
Hugging Face - Blog
宝玉的分享
宝玉的分享
Apple Machine Learning Research
Apple Machine Learning Research
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
The Last Watchdog
The Last Watchdog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cisco Talos Blog
Cisco Talos Blog
有赞技术团队
有赞技术团队
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
雷峰网
雷峰网
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
IT之家
IT之家
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
A
Arctic Wolf
J
Java Code Geeks
AWS News Blog
AWS News Blog
NISL@THU
NISL@THU
博客园 - 叶小钗
L
LINUX DO - 热门话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Last Week in AI
Last Week in AI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Cloudbric
Cloudbric
Forbes - Security
Forbes - Security
博客园 - 【当耐特】
博客园_首页
L
Lohrmann on Cybersecurity
T
Threatpost
Schneier on Security
Schneier on Security
博客园 - 司徒正美
The Cloudflare Blog
腾讯CDC

SECURITY.COM

Spirals: New Stealthy Ransomware Deployed Against Asian IT Company Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden Espionage Campaign Targeted Stock Exchange Executive for Five Months Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign New Malware Targets Users of Cobra DocGuard Software Reynolds: Defense Evasion Capability Embedded in Ransomware Payload PureRAT: Attacker Now Using AI to Build Toolset Chrome Extensions: Are you getting more than you bargained for? Osiris: New Ransomware, Experienced Attackers? Ransomware: Tactical Evolution Fuels Extortion Epidemic Arms Race: AI's Impact on Cybersecurity Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company North Korean Lazarus Group Now Working With Medusa Ransomware
Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
About the Author · 2026-04-22 · via SECURITY.COM

The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses.

The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities.

While we did not observe victims in this campaign, initial VirusTotal submissions originated from India and Afghanistan, which indicates that these regions were the primary targets of this espionage activity. Also, the use of localized decoy documents highlights a tailored approach that may be aimed at a specific regional demographic. Historically, Harvester has targeted victims in South Asia.

Harvester is believed to be a nation-state-backed group that has been active since at least 2021. It is known to use both custom malware and publicly available tools in its attacks. One of its tools is a custom backdoor called Graphon, which has similarities with GoGra and also uses Microsoft infrastructure for its C2 activity.

Attack chain

The attackers use social engineering lures to gain initial access to victim networks by deploying tailored decoy documents. The attackers actively masquerade malicious ELF files as standard document files by appending extensions like “. pdf”, with a subtle space between the filename and the extension to ensure that the file still executes as a Linux binary. Depending on the specific campaign, the dropper displays either a PDF or an OpenDocument Text (ODT) file disguised as a PDF. One decoy document masqueraded as material from "Zomato Pizza". Zomato is a popular Indian food delivery service. Another was named umrah.pdf, referencing the Islamic pilgrimage to Mecca.  Other examples of deceptive filenames used in lure documents included “TheExternalAffairesMinister. pdf” and “Details Format. pdf”.

A Go dropper is then used to embed and deploy a roughly 5.9 MB i386 executable. The malware writes its internal payload to ~/.config/systemd/user/userservice and ensures execution upon system reboot by setting up a systemd user unit and an XDG autostart entry. This autostart entry actively masquerades as the legitimate "Conky" Linux system monitor.

Abuse of Microsoft Graph API for C2

One of the most notable features of this new backdoor is its abuse of legitimate Microsoft cloud infrastructure. The inner i386 implant comes equipped with hardcoded, plaintext Azure AD application credentials, including a tenant ID, client ID, and client secret. These credentials allow the malware to request OAuth2 tokens from Microsoft.

It uses OData queries to poll a specific mailbox folder, named “Zomato Pizza”, at two-second intervals. OData (Open Data Protocol) query is the syntax used to filter, sort, and shape data when interacting with the Microsoft Graph API. Interestingly, the Windows version of the malware used a mailbox named “Dragan Dash”. Dragan Dash Kitchen is a food delivery restaurant located in in the Indian city of Hyderabad.

The backdoor filters for incoming email messages with a subject line starting with the word ‘Input’. Upon receiving an email, it decrypts the base64-wrapped message body using AES-CBC encryption, and executes the payload on the host via /bin/bash -c.

Execution results are AES-encrypted and emailed back to the operator via a reply message using the subject line ‘Output’. Following exfiltration, the implant issues an HTTP DELETE command to wipe the original tasking message and remove evidence of its presence.

Cross-platform capabilities: Linux vs Windows variants

Analysis by our team has confirmed that this new Linux threat and a previously analyzed Windows variant of GoGra share a nearly identical underlying codebase, pointing towards a multi-platform development strategy by the Harvester threat actors.

Despite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged. Analysts also identified several matching, hardcoded spelling errors across both platforms, which points towards the same developer being behind both tools.

  • Identical string typos: Cross-platform typos include strings such as json:"@odata.ontext", error occured in decryption :, and Commad Executed.
  • Identical function name typos: The function names ExcuteCommand and DeleteingMessage exhibit identical spelling errors across all builds.

Conclusion

The use of a new Linux backdoor shows that Harvester is continuing to expand its toolset and actively develop new tooling in order to go after a wider range of victims and machines.

While we did not see victims in this activity, it seems clear that the group continues to retain an interest in the South Asia region for espionage purposes. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IOCs)

9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82 – GoGra Linux Backdoor 

2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1 – GoGra Linux Backdoor

74ac41406ce7a7aa992f68b4b3042f980027526f33ec6c8d84cb26f20495c9dc – GoGra Linux Backdoor 

57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943 – TheExternalAffairesMinister.zip – ZIP file containing GoGra Linux Backdoor
d8d84eaba9b902045ae4fe044e9761ad0ce9051b85feea3f1cf9c80b59b2b123 – ZIP file containing GoGra Linux Backdoor