Harvester Deploys Linux GoGra Backdoor Using Microsoft Graph API in South Asia

Security researchers have identified a new Linux variant of the GoGra backdoor linked to the threat actor Harvester in attacks aimed at organizations in South Asia. The backdoor leverages the legitimate Microsoft Graph API and Outlook mailboxes to establish covert command-and-control channels, enabling it to evade conventional network defenses.
What happened
Researchers from Symantec and Carbon Black Threat Hunter have attributed a new Linux version of the GoGra backdoor to the threat actor known as Harvester. This malware uses Microsoft's legitimate Graph API and Outlook mailboxes as communication channels to issue commands and receive data from infected machines. The command-and-control (C2) mechanism embedded in this backdoor allows it to bypass traditional perimeter security measures, such as firewalls and network monitoring systems.
The deployment of this backdoor has been observed in attacks that likely targeted organizations in South Asia, indicating a geographically focused campaign by Harvester. Routing command-and-control through legitimate Microsoft services is a deliberate choice for stealth: the traffic blends in with ordinary use of Graph and Outlook, and the channel keeps working for as long as the attacker retains access to the mailbox.
Why it matters
The use of trusted and widely used Microsoft services like Graph API and Outlook for command-and-control operations presents a significant challenge to defenders. Traditional network defenses are often configured to allow traffic to these trusted cloud services, which the malware exploits to maintain stealth and continuity.
This campaign underscores the evolving tactics of threat actors in leveraging legitimate cloud infrastructure to conduct malicious activities while minimizing detection risk. Organizations, especially those in the affected region, need to be aware of this emerging threat vector to adjust their monitoring and response strategies accordingly.
What security teams should do
Security teams should monitor Microsoft Graph API usage and mailbox activity for patterns that do not fit the environment: mailbox reads by applications or client types that are not expected there, by identities that do not normally use them, or at a regular, machine-like cadence. Mailbox auditing and Graph activity logging, combined with behavioral analytics over API calls, can surface this kind of command polling and data exfiltration; individual requests will not reveal it, because each one is a legitimate Graph call.
Because the C2 channel rides on a legitimate service, network egress rules will generally not block it, so controls have to act on identity and authorization. Review which applications and service accounts hold mailbox permissions (for example, Graph mail scopes), revoke grants that are not needed, and treat unexplained mailbox access originating from Linux hosts as suspicious. Network segmentation and zero-trust principles still help, by limiting which internal hosts can reach the cloud APIs at all and what a compromised host can pivot to.
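The following is an added example (not code from the article or from the Symantec and Carbon Black researchers) of the kind of behavioral check described above: it runs over constructed Microsoft 365 audit records that imitate `MailItemsAccessed` entries and flags a mailbox that one application reads at a near-fixed interval from one IP address, which is what command polling over Graph looks like in the logs. The field names (`CreationTime`, `Operation`, `UserId`, `AppId`, `ClientIP`, `ClientInfoString`), the application ID of the poller and the IP addresses are assumptions made for the example; real export schemas and values will differ.

```python
"""Flag mailbox polling that looks like Graph API command-and-control.

Added example for this article; not code from the source or from the
Symantec/Carbon Black researchers. Input records are CONSTRUCTED to resemble
Microsoft 365 Unified Audit Log "MailItemsAccessed" entries; the field names
are assumptions about that schema, and the app ID / IPs are placeholders.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def _rec(ts, user, app_id, ip, client):
    """Build one constructed audit record as a JSON line."""
    return json.dumps({
        "CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": user,
        "AppId": app_id, "ClientIP": ip, "ClientInfoString": client,
        "ResultStatus": "Succeeded",
    })


POLLER_APP = "a1b2c3d4-0000-4000-8000-000000000001"   # hypothetical app registration
REST_CLIENT = "Client=REST;Client=RESTSystem;;"        # programmatic (Graph-style) client
OWA_CLIENT = "Client=OWA;Action=ViaProxy"              # interactive Outlook Web session

# Constructed sample, one JSON record per line:
#   8 reads of one mailbox about once a minute from a REST client (the poller),
#   5 reads from an Outlook Web session with human, irregular timing,
#   1 malformed line that a robust parser must skip rather than crash on.
SAMPLE_AUDIT_LOG = "\n".join(
    [_rec(f"2026-04-01T08:{s // 60:02d}:{s % 60:02d}", "analyst@example.org",
          POLLER_APP, "203.0.113.45", REST_CLIENT)
     for s in (0, 61, 119, 180, 242, 299, 361, 420)]
    + [_rec(f"2026-04-01T08:{s // 60:02d}:{s % 60:02d}", "analyst@example.org",
            "00000002-0000-0ff1-ce00-000000000000", "198.51.100.7", OWA_CLIENT)
       for s in (10, 222, 245, 1170, 2821)]
    + ['{"this is": "not a complete record"}']
)


def parse_audit_lines(lines):
    """Parse JSON-per-line audit records; skip lines missing a usable timestamp."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed record: drop it, keep processing the rest
        # Normalize to aware UTC so naive and "Z" timestamps can be compared.
        ts = ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts.astimezone(timezone.utc)
        rec["_ts"] = ts
        records.append(rec)
    return records


def cadence(timestamps):
    """Mean gap between consecutive events (seconds) and its coefficient of
    variation. A low CV means near-fixed intervals: a timer, not a person."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if len(gaps) > 1 and mean > 0 else float("inf")
    return mean, cv


def detect_mailbox_polling(lines, min_events=5, max_cv=0.25, max_interval_s=3600):
    """Group mailbox reads by (user, app, source IP, client) and flag groups
    that read at a regular cadence. Thresholds are tuning assumptions."""
    groups = defaultdict(list)
    for rec in parse_audit_lines(lines):
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        key = (rec.get("UserId"), rec.get("AppId"), rec.get("ClientIP"),
               rec.get("ClientInfoString", ""))
        groups[key].append(rec["_ts"])

    findings = []
    for (user, app_id, ip, client), ts in groups.items():
        if len(ts) < min_events:
            continue
        mean, cv = cadence(ts)
        if cv > max_cv or mean > max_interval_s:
            continue
        reasons = [f"{len(ts)} reads at ~{mean:.0f}s intervals (cv={cv:.2f})"]
        if "REST" in client:
            reasons.append("programmatic (REST/Graph) client, not OWA or desktop Outlook")
        findings.append({"user": user, "app_id": app_id, "client_ip": ip,
                         "client": client, "events": len(ts),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_mailbox_polling(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(f, indent=2))
```

In practice the input would be an export of mailbox audit events from the tenant rather than the constructed lines above, and the cadence check should be joined with an allowlist of expected application IDs: legitimate sync clients also poll on timers, so the regular-interval signal on its own identifies candidates for review, not confirmed C2.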
Key technical details
The GoGra backdoor deployed by Harvester in this campaign is a Linux-based malware variant that communicates with its operators by leveraging the Microsoft Graph API alongside Outlook mailboxes. This approach enables the malware to send and receive commands through standard Microsoft cloud service operations, effectively masking its communications.
By tunneling C2 traffic through Microsoft APIs and mailboxes, the malware evades tools that look for suspicious outbound connections or anomalous traffic destinations, since the destination is a trusted Microsoft endpoint. It also complicates scoping and remediation: a compromised host appears to interact normally with trusted cloud resources, and the mailbox used as the relay exists independently of the host, so remediation has to cover the mailbox and the credentials or application grant used to reach it, not only the infected system.
Affected organizations/products
The attacks have been observed targeting organizations within South Asia, although the specific industries or entities have not been detailed in the available reports.
Source attribution
https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html