Microsoft Graph API misused by new GoGra Linux malware for hidden communication

Staff Editor 2026-04-23
Microsoft Graph API misused by new GoGra Linux malware for hidden communication

Microsoft Graph API misused by new GoGra Linux malware for hidden communication

https://securityaffairs.com/191153/uncategorized/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html

Publish Date: 2026-04-23 03:50:00

Source Domain: securityaffairs.com

Microsoft Graph API misused by new GoGra Linux malware for hidden communication

Pierluigi Paganini
April 23, 2026

A new GoGra Linux malware uses Microsoft Graph API and an Outlook inbox to deliver payloads, making it stealthy and hard to detect.

A new Linux version of the GoGra backdoor uses Microsoft’s Graph API and an Outlook inbox to deliver malicious payloads stealthily. The malware is linked to the Harvester cyberespionage group, which is believed to be a nation-state actor. The malicious code blends in with legitimate traffic, making detection more difficult and increasing its effectiveness in targeted cyber espionage operations.

“The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses.” reads the report published by Broadcom Symantec. “The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities.”

Initial evidence suggests the campaign targeted South Asia, with early samples submitted from India and Afghanistan and the use of localized decoy documents indicating a tailored approach. The Harvester group, active since at least 2021 uses both custom malware and public tools, including Graphon, a backdoor similar to GoGra that relies on Microsoft infrastructure for command-and-control.

The GoGra backdoor abuses Microsoft cloud services by using hardcoded Azure AD credentials to obtain OAuth2 tokens. It polls a specific Outlook mailbox folder via Microsoft Graph API, looking for emails with commands. These are decrypted and executed on the system, while…

Source

More Stories

Linuxiac Weekly Wrap-Up: Week 23, 2026 (June 1

Linuxiac Weekly Wrap-Up: Week 23, 2026 (June 1

Staff Editor 2026-06-07
HandBrake fixes 2-pass encode crashes, WebM on Linux

HandBrake fixes 2-pass encode crashes, WebM on Linux

Staff Editor 2026-06-07
Yay 12.6 AUR Helper Lands After Six Months with Smarter Search

Yay 12.6 AUR Helper Lands After Six Months with Smarter Search

Staff Editor 2026-06-07

Terms and Conditions - Privacy Policy