The Harvester APT group has quietly expanded its espionage arsenal with a new Linux variant of its GoGra backdoor, one that cleverly hides its command-and-control (C2) traffic within Microsoft Outlook mailboxes, making it significantly harder to detect with traditional network defenses.
Researchers from Symantec and Carbon Black Threat Hunter Team discovered the malware.
They linked it to a previously known Windows-based Harvester campaign, confirming the group’s growing cross-platform capabilities.
The attack begins with social engineering. Victims are lured using deceptive documents disguised with filenames like “TheExternalAffairesMinister. pdf” and “Zomato Pizza”, a reference to the popular Indian food delivery platform.
A Go-based dropper then deploys a roughly 5.9 MB i386 executable, writing its payload to ~/.config/systemd/user/userservice.
The malware ensures persistence by creating a systemd user unit and an XDG autostart entry, masquerading as the legitimate Conky Linux system monitor.
Outlook Mailboxes Abused
What makes GoGra particularly dangerous is its abuse of Microsoft’s own infrastructure.
The implant contains hardcoded Azure AD credentials (a tenant ID, client ID, and client secret), allowing it to silently authenticate via OAuth2 and communicate through a designated Outlook mailbox folder named “Zomato Pizza”.
Every two seconds, the backdoor polls that folder for emails with subjects beginning with “Input.” Commands are decrypted using AES-CBC and executed via /bin/bash -c.
Results are encrypted and emailed back under the subject line “Output,” after which the original message is deleted via an HTTP DELETE request to erase evidence.
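The polling cadence, the Input/Output subject prefixes and the DELETE clean-up described above are all visible in mailbox activity telemetry, and a defender can hunt for the combination rather than for the binary. The following is an added example, not code from the article or from Symantec; it runs over constructed records whose field names and Graph-style paths are assumed, and flags any app registration that polls a mail folder at a tight, regular interval.

```python
"""Heuristic hunt for the mailbox-polling C2 pattern described above, run over
constructed Microsoft Graph mail-activity records (field names are assumed)."""
from collections import defaultdict
from statistics import median

# Constructed sample telemetry (not real logs): app-A behaves like the implant,
# app-B like a normal mail client that syncs every five minutes.
MAILBOX = "/users/victim@example.test"
SAMPLE_RECORDS = [
    {"ts": 1700000000.0 + 2.0 * i, "app_id": "app-A", "method": "GET",
     "path": MAILBOX + "/mailFolders/zomato-pizza/messages", "subject": None}
    for i in range(6)
] + [
    {"ts": 1700000003.5, "app_id": "app-A", "method": "GET",
     "path": MAILBOX + "/messages/m1", "subject": "Input 1"},
    {"ts": 1700000004.0, "app_id": "app-A", "method": "POST",
     "path": MAILBOX + "/sendMail", "subject": "Output"},
    {"ts": 1700000004.2, "app_id": "app-A", "method": "DELETE",
     "path": MAILBOX + "/messages/m1", "subject": None},
    {"ts": 1700000000.0, "app_id": "app-B", "method": "GET",
     "path": MAILBOX + "/mailFolders/inbox/messages", "subject": None},
    {"ts": 1700000300.0, "app_id": "app-B", "method": "GET",
     "path": MAILBOX + "/mailFolders/inbox/messages", "subject": None},
]

def find_mailbox_c2_candidates(records, max_poll_gap=3.0, min_polls=5):
    """Return {app_id: summary} for apps that list a mail folder at a short,
    regular cadence; the summary also counts Input/Output subjects and
    DELETE calls, the secondary indicators the article associates with GoGra."""
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app_id"]].append(r)
    findings = {}
    for app_id, rows in by_app.items():
        polls = sorted(r["ts"] for r in rows
                       if r["method"] == "GET" and "/mailFolders/" in r["path"]
                       and r["path"].endswith("/messages"))
        if len(polls) < min_polls:
            continue
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        gap = median(gaps)
        if gap > max_poll_gap:
            continue  # slow, human-like sync cadence; not the pattern
        subjects = [r["subject"] or "" for r in rows]
        findings[app_id] = {
            "polls": len(polls),
            "median_poll_gap_s": gap,
            "io_subjects": sum(s.startswith(("Input", "Output")) for s in subjects),
            "deletes": sum(r["method"] == "DELETE" for r in rows),
        }
    return findings

if __name__ == "__main__":
    for app, summary in find_mailbox_c2_candidates(SAMPLE_RECORDS).items():
        print(app, summary)
```

Tune max_poll_gap to the beacon interval of interest; the Windows variant's five-minute sleep would need a much looser threshold combined with the subject and DELETE indicators.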
Despite targeting different operating systems, both the Linux and Windows variants share an almost identical codebase, including the same AES encryption key (b14ca5898a4e4133bbce2ea2315a1916) and the same hardcoded typos in the function names ExecuteCommand and DeleteMessage, strongly suggesting a single developer built both tools.
The key differences lie in architecture and beacon timing: the Linux variant targets i386 and polls every two seconds, while the Windows version uses an x64 DLL and sleeps for five minutes on HTTP 204 responses.
Initial VirusTotal submissions originated from India and Afghanistan, consistent with Harvester’s historical focus on South Asia.
Decoy documents referencing Indian cultural and political topics reinforce a highly tailored, regionally focused espionage operation.
Harvester is believed to be a nation-state-backed threat actor active since at least 2021.
Organizations, especially government and enterprise targets in South Asia, should monitor for unusual Microsoft Graph API authentication patterns, audit OAuth2 app registrations, and block unauthorized ELF binaries masquerading as document files. For updated detection signatures, refer to the Symantec Protection Bulletin.