{"id":234591,"date":"2026-04-23T03:50:00","date_gmt":"2026-04-23T07:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication\/"},"modified":"2026-04-23T04:25:09","modified_gmt":"2026-04-23T08:25:09","slug":"microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication\/","title":{"rendered":"Microsoft Graph API misused by new GoGra Linux malware for hidden communication"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/191153\/uncategorized\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html\">Microsoft Graph API misused by new GoGra Linux malware for hidden communication<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191153\/uncategorized\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html\">https:\/\/securityaffairs.com\/191153\/uncategorized\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-23 03:50:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>Microsoft Graph API misused by new GoGra Linux malware for hidden communication<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> April 23, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/04\/image-74.png?fit=1133%2C720&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">A new GoGra Linux 
malware uses Microsoft Graph API and an Outlook inbox to deliver payloads, making it stealthy and hard to detect.<\/h2>\n<p>A new Linux version of the GoGra backdoor uses Microsoft\u2019s Graph API and an Outlook inbox to deliver malicious payloads stealthily. The malware is linked to the Harvester cyberespionage group, which is believed to be a nation-state actor. The malicious code blends in with legitimate traffic, making detection more difficult and increasing its effectiveness in targeted cyber espionage operations.<\/p>\n<p>\u201cThe Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses.\u201d reads the report published by Broadcom Symantec. \u201cThe Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities.\u201d<\/p>\n<p>Initial evidence suggests the campaign targeted South Asia, with early samples submitted from India and Afghanistan and the use of localized decoy documents indicating a tailored approach. The Harvester group, active since at least 2021, uses both custom malware and public tools, including Graphon, a backdoor similar to GoGra that relies on Microsoft infrastructure for command-and-control.<\/p>\n<p>The GoGra backdoor abuses Microsoft cloud services by using hardcoded Azure AD credentials to obtain OAuth2 tokens. It polls a specific Outlook mailbox folder via Microsoft Graph API, looking for emails with commands. 
These are decrypted and executed on the system, while&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191153\/uncategorized\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Graph API misused by new GoGra Linux malware for hidden communication https:\/\/securityaffairs.com\/191153\/uncategorized\/microsoft-graph-api-misused-by-new-gogra-linux-malware-for-hidden-communication.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":234592,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/04\/image-74.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,34],"class_list":["post-234591","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234591"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=234591"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234591\/revisions"}],"predecessor-version":[{"id":234593,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234591\/revisions\/234593"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/234592"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/me
dia?parent=234591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=234591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=234591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}