惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
人人都是产品经理
人人都是产品经理
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
N
News and Events Feed by Topic
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
V
V2EX
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
小众软件
小众软件
A
Arctic Wolf
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
G
GRAHAM CLULEY
罗磊的独立博客
T
Tor Project blog
C
Cisco Blogs
美团技术团队
博客园 - Franky
月光博客
月光博客
博客园 - 三生石上(FineUI控件)
T
Threat Research - Cisco Blogs
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
有赞技术团队
有赞技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Security Latest
Security Latest
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
Spread Privacy
Spread Privacy
J
Java Code Geeks
C
CERT Recently Published Vulnerability Notes
大猫的无限游戏
大猫的无限游戏
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
阮一峰的网络日志
阮一峰的网络日志
雷峰网
雷峰网
Project Zero
Project Zero

SECURITY.COM

Spirals: New Stealthy Ransomware Deployed Against Asian IT Company Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor The Detection Gap: MITRE ATT&CK T1140 and T1105 Humble Brag: Symantec® Data Center Security Achieves Common Criteria Certification GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses Tips to Harden Your Air Gapped Environments The Visibility Challenge Nobody Asked For AV-TEST Gives Symantec® Endpoint Security Complete a Perfect Score The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security 🎙️SECURITY.COM The Podcast: The Parasite in the Machine: Unmasking the Speagle Infostealer Your DLP Incident Backlog Owes You Closure Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker 5 Reasons Symantec® CBX Delivers Total Endpoint Visibility 8 XDR Questions From the Show Floor Another Year, Another Win: SE Labs® Recognizes Symantec® Endpoint Security Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden Locking Down the Server 🎙️SECURITY.COM The Podcast: The Death of SIEM Threats Rise on a Tide of Global Unrest When Nation-States Stop Caring About Size Espionage Campaign Targeted Stock Exchange Executive for Five Months Data Security Is Having A Moment 5 Ways XDR Helps SOCs Act Faster 🎙️SECURITY.COM The Podcast: The Evolution of Cybersecurity PR with W2 Communications The Maximalism Trap: When More Becomes Too Much Symantec DLP Cloud and DPSM are the Power Couple Security Strategists Need Symantec DLP Cloud and DSPM are the Power Couple Security Strategists Need The Future of the Partnership: AI, Automation, and Ecosystems Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations 🎙️SECURITY.COM The Podcast: Iran’s Cyber Warfare Playbook: What Defenders Need to Know Right Now 5 Ways To Keep AI in Check Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign Doing More with Less: How Government Agencies are Rethinking Cybersecurity Navigating Compliance and Insurance as a Competitive Edge Is SIEM Trying to Do Too Much? Every Defender Deserves Frontier AI The New Partner-Vendor Relationship DLP Made Easier on the Teams Running It The EU Digital Wallet: Why Waiting is Not an Option Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft Stopping Data Leaks at the Speed of AI How AI Increases the Load on Security Teams Web Traffic Visibility is the New Non-Negotiable The Agentic AI Tsunami is Here: Is Your Legacy IAM Sinking or Swimming? Technical Enablement vs. Marketing Noise Enterprise-Grade Security for All in 2026 Architecting for Margin Beyond the Initial Sale 🎙️SECURITY.COM The Podcast: A Brief History of Data Loss Prevention Symantec CBX Through the Paparazzi Lens The U.S. Navy’s Playbook for Cost-Controlled, Reliable Cybersecurity The Modern Threat Landscape and The Partner’s New Burden Symantec CBX Rocked RSAC 2026 Conference For Financial Services, a Wake-Up Call for Reclaiming IAM Control The Next Identity Shift Cyber Legends: Behind the Scenes of CBX Built for This Moment (and All Those to Come)
Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
About the Author · 2026-04-22 · via SECURITY.COM

The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses.

The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities.

While we did not observe victims in this campaign, initial VirusTotal submissions originated from India and Afghanistan, which indicates that these regions were the primary targets of this espionage activity. Also, the use of localized decoy documents highlights a tailored approach that may be aimed at a specific regional demographic. Historically, Harvester has targeted victims in South Asia.

Harvester is believed to be a nation-state-backed group that has been active since at least 2021. It is known to use both custom malware and publicly available tools in its attacks. One of its tools is a custom backdoor called Graphon, which has similarities with GoGra and also uses Microsoft infrastructure for its C2 activity.

Attack chain

The attackers use social engineering lures to gain initial access to victim networks by deploying tailored decoy documents. The attackers actively masquerade malicious ELF files as standard document files by appending extensions like “. pdf”, with a subtle space between the filename and the extension to ensure that the file still executes as a Linux binary. Depending on the specific campaign, the dropper displays either a PDF or an OpenDocument Text (ODT) file disguised as a PDF. One decoy document masqueraded as material from "Zomato Pizza". Zomato is a popular Indian food delivery service. Another was named umrah.pdf, referencing the Islamic pilgrimage to Mecca.  Other examples of deceptive filenames used in lure documents included “TheExternalAffairesMinister. pdf” and “Details Format. pdf”.

A Go dropper is then used to embed and deploy a roughly 5.9 MB i386 executable. The malware writes its internal payload to ~/.config/systemd/user/userservice and ensures execution upon system reboot by setting up a systemd user unit and an XDG autostart entry. This autostart entry actively masquerades as the legitimate "Conky" Linux system monitor.

Abuse of Microsoft Graph API for C2

One of the most notable features of this new backdoor is its abuse of legitimate Microsoft cloud infrastructure. The inner i386 implant comes equipped with hardcoded, plaintext Azure AD application credentials, including a tenant ID, client ID, and client secret. These credentials allow the malware to request OAuth2 tokens from Microsoft.

It uses OData queries to poll a specific mailbox folder, named “Zomato Pizza”, at two-second intervals. OData (Open Data Protocol) query is the syntax used to filter, sort, and shape data when interacting with the Microsoft Graph API. Interestingly, the Windows version of the malware used a mailbox named “Dragan Dash”. Dragan Dash Kitchen is a food delivery restaurant located in in the Indian city of Hyderabad.

The backdoor filters for incoming email messages with a subject line starting with the word ‘Input’. Upon receiving an email, it decrypts the base64-wrapped message body using AES-CBC encryption, and executes the payload on the host via /bin/bash -c.

Execution results are AES-encrypted and emailed back to the operator via a reply message using the subject line ‘Output’. Following exfiltration, the implant issues an HTTP DELETE command to wipe the original tasking message and remove evidence of its presence.

Cross-platform capabilities: Linux vs Windows variants

Analysis by our team has confirmed that this new Linux threat and a previously analyzed Windows variant of GoGra share a nearly identical underlying codebase, pointing towards a multi-platform development strategy by the Harvester threat actors.

Despite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged. Analysts also identified several matching, hardcoded spelling errors across both platforms, which points towards the same developer being behind both tools.

  • Identical string typos: Cross-platform typos include strings such as json:"@odata.ontext", error occured in decryption :, and Commad Executed.
  • Identical function name typos: The function names ExcuteCommand and DeleteingMessage exhibit identical spelling errors across all builds.

Conclusion

The use of a new Linux backdoor shows that Harvester is continuing to expand its toolset and actively develop new tooling in order to go after a wider range of victims and machines.

While we did not see victims in this activity, it seems clear that the group continues to retain an interest in the South Asia region for espionage purposes. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IOCs)

9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82 – GoGra Linux Backdoor 

2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1 – GoGra Linux Backdoor

74ac41406ce7a7aa992f68b4b3042f980027526f33ec6c8d84cb26f20495c9dc – GoGra Linux Backdoor 

57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943 – TheExternalAffairesMinister.zip – ZIP file containing GoGra Linux Backdoor
d8d84eaba9b902045ae4fe044e9761ad0ce9051b85feea3f1cf9c80b59b2b123 – ZIP file containing GoGra Linux Backdoor