Linux Variant of GoGra Backdoor Exploits Microsoft Outlook for Stealthy Payload Delivery
- A newly identified Linux variant of the GoGra backdoor leverages Microsoft Graph API to communicate through Outlook mailboxes, marking a significant evolution in espionage malware targeting Linux systems.
- According to analysis by Symantec researchers, the Linux GoGra variant establishes initial access by tricking victims into executing ELF binaries disguised as PDF files.
- The malware authenticates to Microsoft’s cloud using hardcoded Azure Active Directory credentials to obtain OAuth2 tokens, enabling interaction with Outlook mailboxes through the Microsoft Graph API.
A newly identified Linux variant of the GoGra backdoor leverages Microsoft Graph API to communicate through Outlook mailboxes, marking a significant evolution in espionage malware targeting Linux systems. The malware, developed by the state-backed espionage group Harvester, uses legitimate Microsoft infrastructure to evade detection while delivering payloads and exfiltrating data.
According to analysis by Symantec researchers, the Linux GoGra variant establishes initial access by tricking victims into executing ELF binaries disguised as PDF files. Once deployed, a Go-based dropper installs an i386 payload and establishes persistence via systemd and an XDG autostart entry that masquerades as the legitimate Conky system monitor for Linux and BSD systems.
The malware authenticates to Microsoft's cloud using hardcoded Azure Active Directory (now Microsoft Entra ID) credentials to obtain OAuth2 access tokens, which it then presents to the Microsoft Graph API to read and write the compromised Outlook mailbox. Every two seconds it polls a folder named "Zomato Pizza" in that mailbox, using OData filter queries to find new messages whose subject line begins with "Input."
For each such message, the malware base64-decodes the body, AES-CBC-decrypts it, and executes the recovered command locally. The command output is AES-encrypted and sent back to the operators as a reply email with a subject line labeled "Output." To limit forensic traces, the malware then issues an HTTP DELETE request through the same API to remove the original command email once it has been processed.
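The command loop described in the two paragraphs above, modelled end to end as an added example (this is not code from the GoGra sample or from Symantec's analysis): an in-memory mailbox stands in for the "Zomato Pizza" folder and the three Graph calls the text implies (list messages with a subject filter, send a reply, delete by id); the operator side seals a command as base64(AES-CBC), and the implant side polls for "Input" messages, decrypts them, runs a fixed stub dispatcher instead of a shell, replies with an "Output" message and deletes the tasking mail. PKCS#7 padding, a random IV prepended to the ciphertext, a 16-byte key, the filter form `startswith(subject,'Input')`, the stub command table and all message contents are assumptions of the example; the article states only base64 plus AES-CBC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a minimal model of an Outlook mail item as returned by Graph.
type Message struct{ ID, Subject, Body string }

// Mailbox is an in-memory stand-in (constructed for this example) for the
// mail folder the implant reaches through the Graph API.
type Mailbox struct {
	next  int
	items map[string]Message
	order []string // insertion order, so listing is deterministic
}

func NewMailbox() *Mailbox { return &Mailbox{items: map[string]Message{}} }

// Send models POST .../messages (a new mail or a reply).
func (m *Mailbox) Send(subject, body string) string {
	m.next++
	id := fmt.Sprintf("msg-%d", m.next)
	m.items[id] = Message{ID: id, Subject: subject, Body: body}
	m.order = append(m.order, id)
	return id
}

// List models GET .../messages?$filter=startswith(subject,'<prefix>') (assumed filter form).
func (m *Mailbox) List(prefix string) []Message {
	var out []Message
	for _, id := range m.order {
		if msg, ok := m.items[id]; ok && strings.HasPrefix(msg.Subject, prefix) {
			out = append(out, msg)
		}
	}
	return out
}

// Delete models DELETE /me/messages/{id}.
func (m *Mailbox) Delete(id string) { delete(m.items, id) }

// pad/unpad implement PKCS#7; the padding scheme is an assumption of this example.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal returns base64(IV || AES-CBC(key, IV, PKCS7(plaintext))); IV placement is assumed.
func Seal(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pt := pad(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// Open reverses Seal: base64-decode, split off the IV, AES-CBC-decrypt, strip padding.
func Open(key []byte, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// runCommand is a fixed stub (assumed) standing in for local command execution.
func runCommand(cmd string) string {
	switch cmd {
	case "whoami":
		return "conky"
	case "uname":
		return "Linux"
	}
	return "unknown command: " + cmd
}

// ImplantPoll is one polling cycle: list Input mails, decrypt, run, reply Output, delete.
func ImplantPoll(mb *Mailbox, key []byte) (int, error) {
	handled := 0
	for _, msg := range mb.List("Input") {
		cmd, err := Open(key, msg.Body)
		if err != nil {
			return handled, err
		}
		sealed, err := Seal(key, []byte(runCommand(string(cmd))))
		if err != nil {
			return handled, err
		}
		mb.Send("Output", sealed) // reply carrying the encrypted result
		mb.Delete(msg.ID)         // remove the tasking mail after processing
		handled++
	}
	return handled, nil
}

// OperatorTask queues an encrypted command; OperatorCollect reads and clears results.
func OperatorTask(mb *Mailbox, key []byte, cmd string) error {
	sealed, err := Seal(key, []byte(cmd))
	if err != nil {
		return err
	}
	mb.Send("Input", sealed)
	return nil
}

func OperatorCollect(mb *Mailbox, key []byte) ([]string, error) {
	var out []string
	for _, msg := range mb.List("Output") {
		pt, err := Open(key, msg.Body)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
		mb.Delete(msg.ID)
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 key
	mb := NewMailbox()
	_ = OperatorTask(mb, key, "whoami")
	n, _ := ImplantPoll(mb, key)
	res, _ := OperatorCollect(mb, key)
	fmt.Println(n, res, len(mb.List("Input")))
}
```

The mailbox stub records every call, so the same structure can be turned around for detection work: the observable footprint of one cycle is one filtered list call, one send and one delete against the same folder, repeated at a fixed interval, which is the sequence a defender would look for in Graph or mailbox audit data.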
Harvester, the group behind the malware, has been active since at least 2021 and is known to develop custom tools including backdoors and loaders for campaigns targeting telecommunications, government, and IT organizations across South Asia. The use of Microsoft Graph API allows the malware to blend malicious activity with legitimate cloud service traffic, significantly reducing its visibility to conventional security monitoring tools.
This development reflects a broader trend in which threat actors abuse trusted cloud platforms like Microsoft Outlook and Graph API for command-and-control operations. Similar tactics have been observed in other malware families such as NotDoor, used by APT28 to target Outlook users via VBA-based backdoors, and FINALDRAFT, a post-exploitation framework that also uses email drafts for communication via Microsoft Graph API.
The reliance on legitimate cloud services for malicious purposes underscores the growing challenge defenders face in distinguishing between benign and harmful activity within authorized enterprise environments. As attackers continue to refine techniques that abuse trusted infrastructure, detection strategies must evolve beyond signature-based methods to include behavioral analysis of API usage and mailbox interactions: OAuth2 token grants from hosts that do not normally use the tenant's mail APIs, a single mailbox folder polled at a fixed, machine-like interval, and reply-then-delete sequences on messages that match a subject pattern.
