Harvester, an APT group, has expanded its toolset with a new Linux version of the GoGra backdoor. This malware leverages the Microsoft Graph API and Outlook mailboxes for covert command-and-control communication, using hardcoded Azure AD credentials to poll a mailbox folder at two-second intervals. Commands are received via encrypted emails, and results are exfiltrated through reply messages. The malware uses social engineering lures with decoy documents to mask malicious ELF files. The Linux variant's code closely matches a previously known Windows version, including identical spelling errors, indicating a shared development lineage. Initial VirusTotal submissions came from India and Afghanistan, suggesting these as primary target regions. There is no indication of known exploits in the wild or official patches.

This malware enables persistent covert command-and-control communication on infected Linux systems via legitimate Microsoft cloud services, potentially allowing the attacker to execute arbitrary commands and exfiltrate data stealthily. The use of hardcoded Azure AD credentials and polling of mailbox folders every two seconds facilitates continuous control and data theft. The social engineering aspect increases the likelihood of initial infection. The targeting of South Asian regions indicates a focused espionage campaign. No known exploits in the wild have been reported yet.

No official patch or remediation guidance is currently available for this threat. Organizations should monitor for indicators of compromise such as the provided file hashes and unusual use of Microsoft Graph API or mailbox polling behaviors. Since this malware uses hardcoded credentials and mailbox polling, restricting and monitoring Azure AD credentials and mailbox access may help detect or limit impact. Follow vendor advisories and threat intelligence updates for any future remediation or detection tools. No cloud service patching applies as this is not a cloud-hosted service.