Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
Essential information
- Published
- 01/05/2026 19:53
- Modified
- 04/05/2026 14:33
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- gogra harvester microsoft graph api
- Tags
- 2026-05-01 gogra harvester microsoft graph api
- Related entities
- 5 indicators, 5 observables, 1 intrusion sets (apt), 15 techniques (mitre), 2 malware, 3 others
Description
The Harvester APT group has developed a new Linux version of its GoGra backdoor that uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel. The malware employs social engineering lures with tailored decoy documents, masquerading malicious ELF files as standard documents. Initial VirusTotal submissions originated from India and Afghanistan, indicating these regions as primary targets. The backdoor uses hardcoded Azure AD credentials to poll a specific mailbox folder at two-second intervals, executing commands received via encrypted emails and exfiltrating results through reply messages. Analysis confirms this Linux variant shares nearly identical code with a previously known Windows version, including matching spelling errors, demonstrating Harvester's multi-platform development strategy and continued focus on South Asian espionage operations.