Harvester has deployed a new Linux variant of its GoGra backdoor that leverages the Microsoft Graph API and Outlook mailboxes as a covert C2 channel. Symantec and Carbon Black tied artifacts to India and Afghanistan and noted the implant polls an Outlook folder named “Zomato Pizza” for Base64-encoded commands before executing them, indicating Harvester is expanding beyond Windows. #Harvester #GoGra
Key points
- Harvester released a Linux GoGra backdoor that retains the same C2 logic as its Windows counterpart.
- The backdoor abuses the Microsoft Graph API to poll an Outlook folder named “Zomato Pizza” every two seconds for tasking.
- Victims are tricked into running ELF binaries disguised as PDF documents that show a decoy while the dropper runs the backdoor.
- Incoming messages with subjects starting “Input” are decrypted and executed via /bin/bash, with results exfiltrated as emails titled “Output” and then deleted.
- Artifacts uploaded from India and Afghanistan suggest the campaign targets South Asian entities and that Harvester is actively expanding its tooling.
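The C2 mechanics above (a backdoor polling a mailbox folder every two seconds via the Graph API, tasking arriving as "Input"-subject messages, results posted as "Output"-subject messages and then deleted) suggest two defender-side checks that do not depend on the binary itself. The following Python is an added example, not code from the report, Symantec, Carbon Black, or the article: it runs a polling-cadence heuristic over egress-proxy log lines and a short-lived-message heuristic over mailbox audit events. The JSON-lines field names, hostnames and mailbox addresses are constructed for the example and should be mapped onto your own proxy and Exchange/Graph audit sources; the folder name and the Input/Output subject convention are the indicators the summary itself reports.

```python
"""Two heuristics for a mailbox-as-C2 pattern (added example; constructed input)."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log: one Linux server polling a Graph mail folder every
# 2 seconds, and one user laptop doing ordinary, slow-paced mail and calendar calls.
EGRESS_LOG = """
{"ts":"2026-04-01T10:00:00Z","host":"srv-web-01","url":"https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$top=10"}
{"ts":"2026-04-01T10:00:02Z","host":"srv-web-01","url":"https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$top=10"}
{"ts":"2026-04-01T10:00:04Z","host":"srv-web-01","url":"https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$top=10"}
{"ts":"2026-04-01T10:00:06Z","host":"srv-web-01","url":"https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$top=10"}
{"ts":"2026-04-01T10:00:08Z","host":"srv-web-01","url":"https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$top=10"}
{"ts":"2026-04-01T10:00:00Z","host":"laptop-alice","url":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages"}
{"ts":"2026-04-01T10:05:00Z","host":"laptop-alice","url":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages"}
{"ts":"2026-04-01T10:10:00Z","host":"laptop-alice","url":"https://graph.microsoft.com/v1.0/me/calendar/events"}
"""

# Constructed mailbox audit events (field names are hypothetical; Exchange mailbox
# auditing exposes similar Create/HardDelete operations under different names).
MAILBOX_AUDIT = """
{"ts":"2026-04-01T10:00:03Z","mailbox":"ops@example.com","op":"Create","folder":"Zomato Pizza","subject":"Input 7f3a"}
{"ts":"2026-04-01T10:00:05Z","mailbox":"ops@example.com","op":"Create","folder":"Zomato Pizza","subject":"Output 7f3a"}
{"ts":"2026-04-01T10:00:06Z","mailbox":"ops@example.com","op":"HardDelete","folder":"Zomato Pizza","subject":"Output 7f3a"}
{"ts":"2026-04-01T10:00:07Z","mailbox":"ops@example.com","op":"HardDelete","folder":"Zomato Pizza","subject":"Input 7f3a"}
{"ts":"2026-04-01T11:00:00Z","mailbox":"bob@example.com","op":"Create","folder":"Inbox","subject":"Output from last night's build"}
"""

# Graph endpoints that list messages in a mail folder (v1.0 or beta, /me or /users/{id}).
GRAPH_MAIL_RE = re.compile(
    r"^https://graph\.microsoft\.com/(?:v1\.0|beta)/(?:me|users/[^/]+)/mailFolders/[^/]+/messages"
)
SUBJECT_RE = re.compile(r"^(Input|Output)\b")          # subject convention reported in the summary
KNOWN_C2_FOLDER = "zomato pizza"                      # folder name reported in the summary
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def parse_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_tight_polling(events, min_requests=5, max_median_gap_s=5.0):
    """Return {host: median_gap_seconds} for hosts that list a Graph mail folder at
    least `min_requests` times with a median inter-request gap <= max_median_gap_s.
    Human mail clients sync far less often; a 2-second loop stands out."""
    by_host = defaultdict(list)
    for ev in events:
        if GRAPH_MAIL_RE.match(ev["url"]):
            by_host[ev["host"]].append(parse_ts(ev["ts"]))
    flagged = {}
    for host, times in by_host.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_median_gap_s:
            flagged[host] = median_gap
    return flagged


def flag_tasking_mailboxes(events, max_lifetime_s=60):
    """Return {mailbox: sorted reason codes}. Reasons: the reported C2 folder name is
    present, or an Input/Output-subject message was deleted within max_lifetime_s of
    being created (tasking consumed, result exfiltrated, trace removed)."""
    created = {}
    reasons = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["folder"].strip().lower() == KNOWN_C2_FOLDER:
            reasons[ev["mailbox"]].add("c2_folder_name")
        match = SUBJECT_RE.match(ev["subject"])
        if not match:
            continue
        key = (ev["mailbox"], ev["subject"])
        if ev["op"] == "Create":
            created[key] = parse_ts(ev["ts"])
        elif ev["op"] in DELETE_OPS and key in created:
            lifetime = (parse_ts(ev["ts"]) - created.pop(key)).total_seconds()
            if lifetime <= max_lifetime_s:
                reasons[ev["mailbox"]].add(f"short_lived_{match.group(1)}")
    return {mb: sorted(r) for mb, r in reasons.items()}


if __name__ == "__main__":
    print("tight polling:", flag_tight_polling(parse_jsonl(EGRESS_LOG)))
    print("tasking mailboxes:", flag_tasking_mailboxes(parse_jsonl(MAILBOX_AUDIT)))
```

The cadence check is the more durable of the two, since a folder name or subject prefix is trivial for the operator to change between campaigns; tune `min_requests` and `max_median_gap_s` against a baseline of your own Graph traffic, and pay particular attention to server-class Linux hosts that should have no reason to read a mailbox at all. The subject-based check deliberately ignores an "Output ..." message that is never deleted, so ordinary mail with those words does not fire.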
Read More: https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html