GoGra Linux backdoor abuses Microsoft Graph API and Outlook for C2
Symantec has identified a Linux build of the GoGra backdoor attributed to Harvester, a state-aligned espionage group active since 2021 against telecom, government, and IT targets across South Asia. Victims are lured into running ELF binaries masquerading as PDFs, after which a Go-based dropper installs an i386 payload and persists via systemd and an XDG autostart entry disguised as the Conky system monitor.
Command-and-control rides entirely on legitimate Microsoft infrastructure. Hardcoded Azure AD credentials mint OAuth2 tokens that let the implant poll an Outlook folder named “Zomato Pizza” every two seconds via the Microsoft Graph API. Messages with subject “Input” carry AES-CBC-encrypted, base64-encoded commands; results are encrypted and returned as “Output” replies, and the original command email is deleted over HTTP to limit the forensic trace left in the mailbox.
The Linux codebase mirrors the Windows GoGra variant down to identical typos, function names, and AES key, confirming a single developer. The port signals Harvester broadening its reach beyond Windows estates and underscores how Graph API abuse continues to launder malicious traffic through trusted Microsoft 365 tenants, where it blends into normal mailbox activity and evades network-based detection.
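As an added defender-side example, not code from the article or from Symantec's research: a small heuristic over web-proxy records that flags hosts fetching a Graph mail folder at a short, near-constant interval, the beaconing pattern described above. The log format, host names, folder id and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed web-proxy lines (not real telemetry): "<ISO time> <host> <method> <URL>".
# linux-ws-07 reads one mail folder every two seconds; mail-sync-01 is a benign
# integration that syncs its inbox once a minute.
SAMPLE_LOG = """\
2024-08-01T10:00:00 linux-ws-07 POST https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
2024-08-01T10:00:01 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER_ID/messages
2024-08-01T10:00:03 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER_ID/messages
2024-08-01T10:00:05 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER_ID/messages
2024-08-01T10:00:07 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER_ID/messages
2024-08-01T10:00:09 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER_ID/messages
2024-08-01T10:00:00 mail-sync-01 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:01:00 mail-sync-01 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:02:00 mail-sync-01 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:03:00 mail-sync-01 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
GRAPH_MAIL_RE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/.*/mailFolders/[^/]+/messages")


def mail_polls_by_host(log_text):
    """Group timestamps of Graph mail-folder reads (GET .../mailFolders/<id>/messages) by host."""
    polls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url = m.groups()
        if method == "GET" and GRAPH_MAIL_RE.match(url):
            polls[host].append(datetime.fromisoformat(ts))
    return polls


def find_beaconing_hosts(log_text, max_median_gap=5.0, max_jitter=1.0, min_requests=4):
    """Return {host: (request_count, median_gap_seconds)} for hosts whose mail-folder
    polling is both fast and regular, as an implant's scheduler would make it.
    Thresholds are assumptions chosen around the two-second interval reported."""
    flagged = {}
    for host, times in mail_polls_by_host(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= max_median_gap and (max(gaps) - min(gaps)) <= max_jitter:
            flagged[host] = (len(times), med)
    return flagged


if __name__ == "__main__":
    for host, (n, gap) in find_beaconing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} mail-folder reads, median gap {gap:.1f}s")
```

A legitimate mail client reads folders on user-driven or minute-scale schedules, so the same query applied to tenant-side Graph activity logs gives a second vantage point when the endpoint itself cannot be trusted.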
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.