The Harvester APT group expanded its GoGra backdoor to Linux, leveraging Microsoft Graph API and Outlook mailboxes for stealthy command-and-control communications. The malware uses hardcoded Azure AD credentials to poll mailboxes frequently, executing commands received via email and exfiltrating results back to operators. Social engineering tactics include tailored decoy documents with regional references to Indian food delivery services. Code analysis shows near-identical code with the Windows version, including matching spelling errors, demonstrating the group's cross-platform development and focus on South Asia espionage. No CVE or patch information is available, and no known exploits in the wild have been reported.

This backdoor enables persistent, covert remote control of infected Linux systems by abusing legitimate Microsoft cloud services for command-and-control, potentially bypassing traditional network defenses. It allows attackers to execute arbitrary commands and exfiltrate sensitive data stealthily. The targeting of India and Afghanistan suggests espionage motives focused on South Asia. The use of hardcoded credentials and frequent mailbox polling increases the risk of detection if monitored but also indicates sophisticated operational tradecraft.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this threat abuses hardcoded Azure AD credentials and Microsoft Graph API, organizations should monitor for unusual mailbox access patterns and consider rotating credentials and enforcing multi-factor authentication. Users should be cautious of social engineering lures, especially documents referencing local services. Network defenders should analyze mailbox activity and endpoint behaviors for signs of this backdoor. No official fix or patch is currently documented.