RC RANDOM CHAOS

Harvester APT Port GoGra Backdoor to Linux, Abuses Microsoft Graph API for C2

· via The Hacker News


Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API


The Harvester threat group has expanded its Linux tooling with a port of the GoGra backdoor, previously seen only on Windows, and is using it against targets in South Asia. The malware routes command-and-control traffic through the Microsoft Graph API, piggybacking on legitimate Outlook mailboxes to blend with normal enterprise cloud traffic and evade network-level detection.

Operator instructions are staged as draft emails inside attacker-controlled tenants, which GoGra reads, executes, and replies to through the same API. Because the transport is a sanctioned Microsoft endpoint over HTTPS, signature-based egress filtering and domain reputation tooling see nothing anomalous — the hostnames and certificates all belong to Microsoft.

The shift to Linux reflects where Harvester’s targets actually run sensitive workloads: telecoms, government infrastructure, and backend services in the region. Detection leans on identity-layer signals — anomalous Graph API consent grants, unusual draft-folder activity, and OAuth tokens issued to non-human clients — rather than on network indicators, which this design deliberately starves.
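The three identity-layer signals named above lend themselves to simple log triage. The following is an added example written for this page, not code from the article and not anything attributed to Harvester or to Microsoft: it runs three detections (app-only consent carrying mailbox scopes, client_credentials tokens for apps outside a tenant allowlist, and application identities polling a Drafts folder) over constructed sample records. The record schema, field names, app identifiers and mailbox addresses are all invented for the example and are not the real Microsoft 365 or Entra audit format; only the Graph permission names are real.

```python
"""Triage helper for the identity-layer signals the summary names: Graph API
consent grants, draft-folder mail activity, and OAuth tokens issued to
non-human clients. Added, constructed example; the record schema is invented
for this example (not the real Microsoft 365 or Entra audit schema); only the
Graph permission names are real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Graph permission names that let an application read or write mailbox content.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

# Draft-folder operations by one actor in one mailbox within DRAFT_WINDOW before a burst is flagged.
DRAFT_BURST_THRESHOLD = 5
DRAFT_WINDOW = timedelta(hours=1)

# App identities the tenant knowingly runs with app-only Graph access (constructed).
ALLOWLIST = frozenset({"app-backup-svc"})


def detect_consent_grants(records):
    """Signal 1: app-only consent that hands mailbox scopes to an application."""
    findings = []
    for r in records:
        if r["event"] != "consent_grant" or r["consent_type"] != "app_only":
            continue
        mail = set(r["scopes"]) & MAIL_SCOPES
        if mail:
            findings.append({"rule": "mail_consent_to_app", "app_id": r["app_id"],
                             "scopes": sorted(mail)})
    return findings


def detect_app_only_tokens(records, allowlist=ALLOWLIST):
    """Signal 3: client_credentials tokens for apps not on the tenant's allowlist."""
    findings, seen = [], set()
    for r in records:
        if r["event"] != "token_issued" or r["grant_type"] != "client_credentials":
            continue
        if r["app_id"] in allowlist or r["app_id"] in seen:
            continue
        seen.add(r["app_id"])
        findings.append({"rule": "unknown_app_only_token", "app_id": r["app_id"],
                         "resource": r["resource"]})
    return findings


def detect_draft_activity(records):
    """Signal 2: applications touching Drafts at all, and bursts of draft operations."""
    findings, apps_seen = [], set()
    per_actor = defaultdict(list)
    for r in records:
        if r["event"] != "mail_op" or r["folder"] != "Drafts":
            continue
        key = (r["actor"], r["mailbox"])
        # Drafts is a human working area; an app identity reading or writing it is unusual.
        if r["actor_type"] == "app" and key not in apps_seen:
            apps_seen.add(key)
            findings.append({"rule": "app_touched_drafts", "app_id": r["actor"],
                             "mailbox": r["mailbox"]})
        per_actor[key].append(datetime.fromisoformat(r["ts"]))
    # Sliding window over each actor's timestamps: a relay polling a mailbox
    # produces a steady stream of reads and creates that a human editing drafts does not.
    for (actor, mailbox), times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > DRAFT_WINDOW:
                start += 1
            if end - start + 1 >= DRAFT_BURST_THRESHOLD:
                findings.append({"rule": "draft_burst", "actor": actor,
                                 "mailbox": mailbox, "count": end - start + 1})
                break
    return findings


def analyze(records, allowlist=ALLOWLIST):
    """Run all three detections and return the combined findings."""
    return (detect_consent_grants(records)
            + detect_app_only_tokens(records, allowlist)
            + detect_draft_activity(records))


# Constructed sample records: one benign delegated consent, one allowlisted app
# token, one human editing a draft, plus an unknown app that receives
# Mail.ReadWrite, takes app-only tokens, and polls a shared mailbox's Drafts
# folder every 10 minutes.
SAMPLE_RECORDS = [
    {"event": "consent_grant", "app_id": "app-calendar-sync", "consent_type": "delegated",
     "scopes": ["Calendars.Read"]},
    {"event": "consent_grant", "app_id": "app-0000-unknown", "consent_type": "app_only",
     "scopes": ["Mail.ReadWrite", "User.Read"]},
    {"event": "token_issued", "app_id": "app-backup-svc", "grant_type": "client_credentials",
     "resource": "https://graph.microsoft.com"},
    {"event": "token_issued", "app_id": "app-0000-unknown", "grant_type": "client_credentials",
     "resource": "https://graph.microsoft.com"},
    {"event": "mail_op", "ts": "2024-01-01T09:00:00", "actor": "alice@example.test",
     "actor_type": "user", "mailbox": "alice@example.test", "folder": "Drafts", "operation": "Update"},
] + [
    {"event": "mail_op", "ts": f"2024-01-01T10:{m:02d}:00", "actor": "app-0000-unknown",
     "actor_type": "app", "mailbox": "ops-shared@example.test", "folder": "Drafts", "operation": op}
    for m, op in zip(range(0, 60, 10), ["Read", "Create"] * 3)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Run stand-alone, the script prints four findings, all pointing at the same constructed app identity, while the benign records produce none. The design choice worth noting is that none of the rules look at hostnames, certificates or destination IPs: as the summary says, those all belong to Microsoft, so the rules key entirely on who was granted what, which identity obtained a token, and which identity is touching a folder that only humans normally use.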



This is an AI-generated summary. Read the original for the full story.