Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor

https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra

Publish Date: 2026-04-22 10:28:00

Source Domain: www.security.com

The Harvester APT group has developed a new, highly evasive Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses.

The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities.

While we did not observe victims in this campaign, initial VirusTotal submissions originated from India and Afghanistan, which indicates that these regions were the primary targets of this espionage activity. Also, the use of localized decoy documents highlights a tailored approach that may be aimed at a specific regional demographic. Historically, Harvester has targeted victims in South Asia.

Harvester is believed to be a nation-state-backed group that has been active since at least 2021. It is known to use both custom malware and publicly available tools in its attacks. One of its tools is a custom backdoor called Graphon, which has similarities with GoGra and also uses Microsoft infrastructure for its C2 activity.

Attack chain

The attackers use social engineering lures to gain initial access to victim networks by deploying tailored decoy documents. The attackers actively masquerade malicious ELF files as standard document files by appending extensions like “. pdf”, with a subtle space between the filename and the extension to ensure that the file still executes as a Linux binary. Depending on the specific campaign, the dropper displays either a PDF or an OpenDocument Text (ODT) file disguised as a PDF. One decoy document masqueraded as material from “Zomato Pizza”. Zomato is a popular Indian food delivery service. Another was named umrah.pdf, referencing the Islamic pilgrimage to Mecca. Other examples of deceptive filenames…
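As an added example, not code from the Symantec report, the following Python hunts for the masquerade described above: files whose name ends in a document extension (with or without the subtle whitespace) but whose first bytes are the ELF magic. The sample directory it builds is constructed for the demo and contains only file headers.

```python
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
# Document extensions the article says the droppers pose as (pdf, odt).
# The optional whitespace around the dot covers "umrah .pdf" and "umrah. pdf".
DOC_EXT_RE = re.compile(r"\s*\.\s*(pdf|odt)\s*$", re.IGNORECASE)


def looks_like_document(name):
    """True if the filename claims to be a PDF/ODT, tolerating stray spaces."""
    return DOC_EXT_RE.search(name) is not None


def is_elf(path):
    """True if the file starts with the ELF magic, whatever its name says."""
    with open(path, "rb") as fh:
        return fh.read(len(ELF_MAGIC)) == ELF_MAGIC


def scan_for_disguised_elf(directory):
    """Return sorted names of files that look like documents but are ELF binaries."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if looks_like_document(name) and os.path.isfile(path) and is_elf(path):
                hits.append(name)
    return sorted(hits)


def build_sample_dir():
    """Constructed sample set: two disguised ELF headers, one genuine PDF header,
    and one ELF header with an honest name (no real binaries are written)."""
    d = tempfile.mkdtemp(prefix="harvester-demo-")
    elf_header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    samples = {
        "umrah .pdf": elf_header,                        # space before ".pdf"
        "menu. odt": elf_header,                         # space after the dot
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # real PDF header
        "updater": elf_header,                           # ELF that does not pretend
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for hit in scan_for_disguised_elf(build_sample_dir()):
        print("disguised ELF:", repr(hit))
```

Pointing `scan_for_disguised_elf` at a download or mail-attachment directory gives a cheap triage check; a content-type mismatch like this is worth alerting on regardless of which group is behind it.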