Hidden in the Cloud: Harvester’s New Linux Malware Abuses Microsoft Graph API for Invisible Espionage
The Harvester threat group has resurfaced with a tool built to slip past conventional defenses. Security researchers have identified a new Linux variant of the GoGra backdoor that hides its presence by routing its traffic through legitimate Microsoft cloud services.
A joint investigation by Symantec and the Carbon Black Threat Hunter team has tied this discovery directly to the group's earlier Windows espionage campaigns. The overlap in the source code is so extensive that a common origin is beyond doubt. Active since at least 2021 and believed to be state-sponsored, the group is actively broadening its toolset and has shown that it can work across platforms.
The available evidence points to India and Afghanistan as the primary targets: the first malware samples were uploaded to VirusTotal from those regions. The decoys support this reading, since the attackers tailor document themes to local audiences, using files titled "Zomato Pizza" (a popular Indian food-delivery service) and "umrah.pdf" (referring to the Islamic pilgrimage).
Initial access relies on carefully crafted social engineering. The attackers distribute files that look like harmless documents but are in fact executables. A crude but effective trick is to end the file name with a ".pdf" extension preceded by a space: the system sees an ELF executable, while the user sees what appears to be a document. When run, a Go-based dropper deploys a primary module of approximately 5.9 MB, which establishes persistence via systemd and XDG autostart while impersonating the Conky system monitor.
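The two host-side artefacts described above, an ELF file dressed up with a document extension and an autostart entry pointing at a fake Conky, both lend themselves to a simple triage check. The following Python is an added example for this article, not code from the researchers or the malware; the extension list, the trusted Conky paths and the sample file contents are assumptions constructed for the demonstration.

```python
import os
import re

ELF_MAGIC = b"\x7fELF"
# Document extensions a lure is likely to borrow (assumption for this example).
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
# Where a distro-packaged conky binary would normally live (assumption).
TRUSTED_CONKY_PATHS = {"/usr/bin/conky", "/usr/local/bin/conky"}


def classify_lure(name: str, head: bytes) -> dict:
    """Flag a file whose name looks like a document but whose bytes are ELF.

    `head` is the first few bytes of the file; only the 4-byte ELF magic is needed.
    A trailing-whitespace-then-extension name ("umrah .pdf") is reported separately
    so an analyst can see the padding trick even on non-ELF files."""
    stripped = name.rstrip().lower()
    is_elf = head.startswith(ELF_MAGIC)
    doc_ext = any(stripped.endswith(ext) for ext in DOC_EXTS)
    padded = re.search(r"\s+\.[a-z0-9]+$", stripped) is not None
    return {
        "elf": is_elf,
        "doc_extension": doc_ext,
        "padded_extension": padded,
        "suspicious": is_elf and doc_ext,
    }


def autostart_findings(entry_text: str) -> list:
    """Scan the text of an XDG .desktop file or a systemd unit for Exec/ExecStart
    lines that launch something named like conky from outside the trusted paths."""
    findings = []
    for line in entry_text.splitlines():
        m = re.match(r"\s*(Exec|ExecStart)\s*=\s*(\S+)", line)
        if not m:
            continue
        cmd = m.group(2)
        if "conky" in os.path.basename(cmd).lower() and cmd not in TRUSTED_CONKY_PATHS:
            findings.append(cmd)
    return findings


# Constructed sample inputs (not real samples from the campaign).
SAMPLE_LURE_NAME = "umrah .pdf"
SAMPLE_LURE_HEAD = b"\x7fELF\x02\x01\x01\x00"
SAMPLE_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=Conky\n"
    "Exec=/home/user/.local/share/conky/conky\n"
)
SAMPLE_UNIT = "[Service]\nExecStart=/usr/bin/conky -d\n"

if __name__ == "__main__":
    print(classify_lure(SAMPLE_LURE_NAME, SAMPLE_LURE_HEAD))
    print(autostart_findings(SAMPLE_DESKTOP), autostart_findings(SAMPLE_UNIT))
```

In practice the first function is applied to the first four bytes of every file in a download or mail-attachment directory, and the second to the contents of `~/.config/autostart/*.desktop` and the user's systemd unit directories; a hit on either is a reason to pull the file for analysis, not proof of compromise on its own.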
The defining feature of this updated variant is its command-and-control (C2) channel, which runs over the Microsoft Graph API and Outlook mailboxes. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and repeatedly polls specific mail folders, such as one named "Zomato Pizza", for instructions.
Commands arrive as emails whose subject begins with "Input"; the body is decrypted and run through a bash shell. The output is encrypted and sent back as a reply whose subject begins with "Output", after which the original message is deleted to remove forensic traces.
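Because the C2 traffic itself is ordinary Graph API traffic, the place to look is mailbox activity: the same client reading one folder at a fixed cadence, and "Input" messages that are read, answered with an "Output" message and then deleted within seconds. The following Python is an added detection sketch for this article, not code from the researchers; the event records are constructed, and their field names (`ts`, `op`, `folder`, `subject`, `client`) are an assumed flattening of a mailbox audit feed rather than any vendor's real schema.

```python
from collections import defaultdict

# Constructed events: timestamps in seconds, one mailbox, two clients.
# "poller-app" reads the "Zomato Pizza" folder every 30 s and, at t=60, completes
# a full task cycle; "Outlook" is an interactive client reading occasionally.
SAMPLE_EVENTS = [
    {"ts": 0,   "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "",          "client": "poller-app"},
    {"ts": 30,  "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "",          "client": "poller-app"},
    {"ts": 60,  "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "Input 17",  "client": "poller-app"},
    {"ts": 61,  "op": "Send",              "folder": "Sent Items",   "subject": "Output 17", "client": "poller-app"},
    {"ts": 62,  "op": "HardDelete",        "folder": "Zomato Pizza", "subject": "Input 17",  "client": "poller-app"},
    {"ts": 90,  "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "",          "client": "poller-app"},
    {"ts": 120, "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "",          "client": "poller-app"},
    {"ts": 5,   "op": "MailItemsAccessed", "folder": "Zomato Pizza", "subject": "Input 42",  "client": "Outlook"},
    {"ts": 200, "op": "MailItemsAccessed", "folder": "Inbox",        "subject": "",          "client": "Outlook"},
]


def find_task_cycles(events, window=60.0):
    """Return task ids for which an 'Input <id>' message was read, an
    'Output <id>' message was sent and the 'Input <id>' message was deleted,
    in that order, within `window` seconds."""
    by_task = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        subj = e["subject"]
        for prefix in ("Input", "Output"):
            if subj.startswith(prefix):
                task = subj[len(prefix):].strip()
                # keep the first time each (prefix, operation) pair was seen
                by_task[task].setdefault((prefix, e["op"]), e["ts"])
    hits = []
    for task, steps in by_task.items():
        read = steps.get(("Input", "MailItemsAccessed"))
        sent = steps.get(("Output", "Send"))
        gone = steps.get(("Input", "HardDelete"))
        if None in (read, sent, gone):
            continue
        if read <= sent <= gone and gone - read <= window:
            hits.append(task)
    return hits


def regular_polling(events, folder, tolerance=0.2, min_reads=3):
    """Per client, the mean gap between reads of `folder` and whether every gap
    is within `tolerance` of that mean (machine-like polling). Clients with fewer
    than `min_reads` reads get None, since no cadence can be judged."""
    reads = defaultdict(list)
    for e in events:
        if e["op"] == "MailItemsAccessed" and e["folder"] == folder:
            reads[e["client"]].append(e["ts"])
    result = {}
    for client, ts in reads.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < min_reads - 1:
            result[client] = None
            continue
        mean = sum(gaps) / len(gaps)
        regular = all(abs(g - mean) <= tolerance * mean for g in gaps)
        result[client] = (mean, regular)
    return result


if __name__ == "__main__":
    print("task cycles:", find_task_cycles(SAMPLE_EVENTS))
    print("polling:", regular_polling(SAMPLE_EVENTS, "Zomato Pizza"))
```

The cycle check is deliberately strict about ordering (read, then send, then delete) so that a user who tidies their own inbox does not trip it; the cadence check is what surfaces a folder that is being watched even between tasks. Both should be scoped to the application identity behind the token, since the article's point is that the credentials are hardcoded in the binary and therefore reused across every polling request.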
Comparing the two reveals that the Linux and Windows versions of GoGra share almost identical logic. The same spelling mistakes in the code and identical function names strongly suggest a single developer. The differences are confined to implementation details such as platform-specific code, polling intervals and folder names.
The appearance of a Linux variant shows that Harvester is rapidly extending its reach to a wider range of systems. Its focus on South Asia is unchanged, while its tradecraft keeps getting harder for traditional security products to see.