{"id":234353,"date":"2026-04-22T11:28:00","date_gmt":"2026-04-22T15:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/22\/harvester-deploys-linux-gogra-backdoor-in-south-asia-using-microsoft-graph-api\/"},"modified":"2026-04-22T11:30:09","modified_gmt":"2026-04-22T15:30:09","slug":"harvester-deploys-linux-gogra-backdoor-in-south-asia-using-microsoft-graph-api","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/22\/harvester-deploys-linux-gogra-backdoor-in-south-asia-using-microsoft-graph-api\/","title":{"rendered":"Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/harvester-deploys-linux-gogra-backdoor.html\">Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/harvester-deploys-linux-gogra-backdoor.html\">https:\/\/thehackernews.com\/2026\/04\/harvester-deploys-linux-gogra-backdoor.html<\/a><\/p>\n<p>Publish Date: 2026-04-22 11:28:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 22, 2026<\/span><\/span> <span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<p>The threat actor known as Harvester has been linked to a new Linux version of its <strong>GoGra<\/strong> backdoor deployed as part of attacks likely targeting entities in South Asia.<\/p>\n<p>&#8220;The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses,&#8221; the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News.<\/p>\n<p>The cybersecurity company said it identified artifacts uploaded to the 
VirusTotal platform from India and Afghanistan, suggesting that the two countries may be the target of the espionage activity.<\/p>\n<p>Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2.<\/p>\n<p>Subsequent activity flagged in August 2024 connected the hacking group to an attack targeting an unnamed media organization in South Asia with a never-before-seen Go-based backdoor called GoGra. The latest findings suggest that the adversary is continuing to expand its toolset beyond Windows and infecting Linux machines with a new variant of the same backdoor.<\/p>\n<p>The attacks employ social engineering to trick victims into opening ELF binaries disguised as PDF documents. The dropper then proceeds to display a lure document while stealthily running the backdoor.<\/p>\n<p>Like its Windows counterpart, the Linux version of GoGra abuses Microsoft&#8217;s cloud infrastructure to contact a specific Outlook mailbox folder named &#8220;Zomato Pizza&#8221; every two seconds using Open Data Protocol (OData) queries. 
The backdoor scans the inbox for incoming email messages with a subject line starting with the word &#8220;Input.&#8221;<\/p>\n<p>Once an email matching the criteria is received, it decrypts the Base64-encoded message&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/harvester-deploys-linux-gogra-backdoor.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API https:\/\/thehackernews.com\/2026\/04\/harvester-deploys-linux-gogra-backdoor.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":234354,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiptXaD_Im0Bee0znCFTtBnOBEGGfeP-lS85crmRfAsd5-sMOsHstg9jATLVQOSJF2tiQQ6qkQ2ZWK98foU4WIQU_tHja8H882jF-_oiA5UGh-iG0-ByeaGfBbjDGid-FkfsNfKQUljfBsgejRsHBiBeX1DXRbjf1ohM1uhZiKdsjpBaH_0lYylOWSA9itt\/s1600\/linux.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[35,71,32,34],"class_list":["post-234353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-hacker","tag-linux","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234353"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=234353"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234353\/revisions"}],"predecessor-version":[{"id":234355,"href":"https:\/\/news-you-need.com\/inde
x.php\/wp-json\/wp\/v2\/posts\/234353\/revisions\/234355"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/234354"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=234353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=234353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=234353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}