A cyberespionage operation is expanding its horizons and adapting its code to attack Linux systems: the group known as Harvester, linked since 2021 to campaigns aimed at organizations in South Asia, has been observed deploying a new variant of the Gogra backdoor written in Go and built specifically as a Linux ELF binary. Industry researchers point out that this version reuses a trick that is particularly hard to detect: abusing Microsoft cloud infrastructure and using Outlook mailboxes as a covert command-and-control (C2) channel.
The tactic is not new to the actor. In 2021, an earlier implant called Graphon was identified that already used the Microsoft Graph API to exchange orders and exfiltrate information, targeting sectors such as telecommunications, public administration and technology in the region. What is striking now is the extension of that technique to Linux with a tool written in Go, which widens the attack surface beyond traditional Windows systems. To grasp the significance of the approach, it should be remembered that the Microsoft Graph API is documented and legitimate (its design is meant to make mailboxes and folders easy to access), which is precisely why attackers use it to hide their traffic among normal communications: Microsoft Graph (documentation).

The technical details reported describe a delivery method that mixes social engineering and camouflage: the ELF binary reaches the user disguised as a PDF document. When executed, it displays a decoy page to distract the victim while the backdoor starts in the background. The malware then continuously polls a specific Outlook mailbox folder, deliberately given the mundane name "Zomato Pizza", issuing OData queries to check for new instructions. OData queries for Microsoft Graph and folder handling are explained in the official documentation: OData queries and parameters in Microsoft Graph.
The control mechanism is surprisingly simple and effective. The implant reviews the messages whose subject begins with the word "Input." If it finds one, it takes the Base64-encoded body, decodes it and runs it using /bin/bash. The results of the execution are packaged and sent back to the operator by mail with a subject starting with "Outlook." After completing the exfiltration task, the implant deletes the original task message to hinder forensic investigation. This technique takes advantage of the legitimacy of the mail service to evade detections based on suspicious network traffic.
Those who uncovered the case also point to shared artifacts in the code and identical typographical errors between the Windows version and the new Linux version, suggesting that the same team or developer has ported and adapted its C2 logic between platforms. This "signature" feature of the author, together with detected samples that were uploaded to public platforms from India and Afghanistan, suggests that current campaigns are targeting these countries, although the geolocation of samples in services such as VirusTotal does not always correspond to the location of the victims or the operator: VirusTotal.
The investigation and dissemination of this finding have involved teams specialized in threat hunting, and initial analyses were shared with specialized media to accelerate public awareness. Reports from industry actors such as Symantec and from response and threat-hunting teams have been cited by the security press; the dissemination of these observations seeks to help defenders and administrators identify unusual patterns of mailbox access and adjust cloud controls. Reading the public notes on trends and warnings in industry blogs helps to contextualize these campaigns: Symantec Enterprise Blogs, and the analyses of security teams such as VMware / Carbon Black on their official channels.
Why is this approach dangerous? Because it turns legitimate services into the attacker's communication channels. By using the mail provider's own cloud infrastructure, the traffic blends with normal communications, which reduces the likelihood that traditional defensive systems based on perimeter anomaly detection will label it as malicious. In addition, when operating from a mailbox, many of the conventional alarm signals (connections to unknown servers, malicious domains or encrypted traffic to command infrastructure) are attenuated or disappear.
For organizations affected or at risk, the defensive measures are not trivial but they are clear: strengthen access controls on APIs and permissions, monitor activity patterns in mailboxes (for example, very frequent scheduled access or mass deletion of messages), tighten the inspection of attachments, and educate staff against lures that lead to executing binaries disguised as documents. Integrating detection and response solutions across endpoints and cloud environments, together with mail behaviour analysis, helps to raise alarm signals earlier.
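As an added illustration (not code from the article or from any of the reporting teams), the following Python heuristic scans constructed mailbox-activity records for the three behaviours described above: task messages whose subject starts with "Input" and whose body is strict Base64, deletion of a message shortly after it was read, and tight polling of a single folder. The record format, field names and thresholds are assumptions, not a real Graph or Exchange audit schema.

```python
import base64
import json
from collections import defaultdict

# Constructed sample mailbox-activity records (assumed format, one JSON object per line),
# modelled on the article's description: polled folder, "Input" task, read-then-delete.
SAMPLE_LOG = """\
{"ts": 1000, "op": "read",   "folder": "Zomato Pizza", "subject": "Input 7", "body": "dW5hbWUgLWE="}
{"ts": 1003, "op": "delete", "folder": "Zomato Pizza", "subject": "Input 7"}
{"ts": 1010, "op": "read",   "folder": "Zomato Pizza", "subject": "Lunch?",  "body": "pizza at noon?"}
{"ts": 1020, "op": "read",   "folder": "Zomato Pizza", "subject": "Promo",   "body": "2 for 1"}
{"ts": 1030, "op": "read",   "folder": "Zomato Pizza", "subject": "Promo",   "body": "2 for 1"}
{"ts": 1040, "op": "read",   "folder": "Inbox",        "subject": "Hi",      "body": "see attached"}
"""


def looks_like_encoded_command(body: str) -> bool:
    """True if the body is strict Base64 that decodes to printable text (a plausible shell line)."""
    try:
        decoded = base64.b64decode(body, validate=True)  # rejects spaces and non-alphabet chars
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(decoded) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)


def analyse(log_text: str, poll_window: int = 60, poll_threshold: int = 3, delete_within: int = 30):
    """Return (ts, finding) tuples for the three patterns; thresholds are illustrative."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    last_read = {}                      # subject -> ts of the most recent read
    reads_by_folder = defaultdict(list)  # folder -> sorted read timestamps
    for r in records:
        if r["op"] == "read":
            reads_by_folder[r["folder"]].append(r["ts"])
            last_read[r["subject"]] = r["ts"]
            if r["subject"].startswith("Input") and looks_like_encoded_command(r["body"]):
                findings.append((r["ts"], "encoded-task-message"))
        elif r["op"] == "delete":
            seen = last_read.get(r["subject"])
            if seen is not None and r["ts"] - seen <= delete_within:
                findings.append((r["ts"], "read-then-delete"))
    # Polling: at least poll_threshold reads of one folder inside a poll_window span.
    for folder, times in reads_by_folder.items():
        for i in range(len(times) - poll_threshold + 1):
            if times[i + poll_threshold - 1] - times[i] <= poll_window:
                findings.append((times[i], f"high-frequency-polling:{folder}"))
                break
    return findings


if __name__ == "__main__":
    for ts, finding in analyse(SAMPLE_LOG):
        print(ts, finding)
```

In a real deployment the same three checks would run over the tenant's mailbox audit records rather than this constructed sample, and the thresholds would be tuned to the organisation's normal client behaviour.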

This evolution of the Harvester arsenal highlights a recurring lesson in cybersecurity: attackers do not need their own infrastructure if they can reuse trusted and legitimate services for their communications. The portability of the backdoor to Linux and its implementation in Go also show that threat developers seek to cover different types of devices and servers, forcing defenders to adopt a multi-platform view.
If you want to dig deeper into how Microsoft Graph works or review good practices for protecting APIs and mailboxes, Microsoft documentation and community analyses are a good starting point: Microsoft Graph. To check suspicious samples and their public record, VirusTotal maintains file and metadata repositories that can be useful for researchers. And to follow the media and technical coverage of this particular incident, consult specialized resources such as The Hacker News and the publications of the threat teams on the industry's official blogs.
In essence, we are facing a campaign that confirms the tendency of attackers to adapt already-proven tools to new environments and to exploit legitimate services in order to persist and communicate. The recommendation is clear: prioritize cloud and endpoint visibility, review API permissions and take proactive digital-hygiene measures before a covert intrusion becomes a major incident.