{
  "name": "APT Group Expands Toolset With New GoGra Linux Backdoor",
  "slug": "apt-group-expands-toolset-with-new-gogra-linux-backdoor",
  "description": "The Harvester APT group has developed a highly-evasive Linux version of its GoGra backdoor that leverages Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel to bypass traditional network defenses. Initial VirusTotal submissions originated from India and Afghanistan, indicating these regions as primary targets. The attackers use social engineering with tailored decoy documents masquerading as legitimate files, including references to Indian food delivery services. The backdoor uses hardcoded Azure AD credentials to poll mailboxes every two seconds, executing commands received via email and exfiltrating results back to operators. Analysis confirms this Linux variant shares nearly identical code with a previously known Windows version, including matching spelling errors, demonstrating the group's multi-platform development strategy and continued expansion of capabilities targeting South Asia for espionage purposes.",
  "published": "2026-04-22T09:35:15+00:00",
  "created_at": "2026-04-22T09:35:15+00:00",
  "modified_at": "2026-04-22T13:32:22+00:00",
  "created_at_opencti": "2026-04-22T09:35:15+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "azure ad abuse",
    "cross-platform",
    "gogra",
    "graphon",
    "linux backdoor",
    "microsoft graph api",
    "nation-state",
    "south asia espionage"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82"
      },
      {
        "id": "",
        "name": "d8d84eaba9b902045ae4fe044e9761ad0ce9051b85feea3f1cf9c80b59b2b123"
      },
      {
        "id": "",
        "name": "2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1"
      },
      {
        "id": "",
        "name": "74ac41406ce7a7aa992f68b4b3042f980027526f33ec6c8d84cb26f20495c9dc"
      },
      {
        "id": "",
        "name": "57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:13529dc9de602b5e",
        "name": "GoGra",
        "slug": "gogra"
      },
      {
        "id": "legacy:malware:58294bef99dae101",
        "name": "Graphon",
        "slug": "graphon"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d6afdc76-0f8f-4212-bd40-01dec3ab7953",
        "name": "Harvester",
        "slug": "harvester"
      }
    ],
    "attack_patterns": [
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Afghanistan"
      }
    ]
  },
  "external_refs": [
    "https://www.security.com/blog-post/harvester-new-linux-backdoor-gogra",
    "https://otx.alienvault.com/pulse/69e8b27323474e048df8d7b1"
  ]
}