New GoGra Malware for Linux Uses Microsoft Graph API for Command and Control

What happened

Symantec researchers have analyzed a Linux variant of the GoGra malware, developed by Harvester, a state-backed espionage group active since at least 2021 with a documented focus on telecommunications, government, and IT organizations in South Asia.

The Linux version of GoGra gains initial access by tricking victims into executing ELF binaries disguised as PDF files. A Go-based dropper then deploys an i386 (32-bit) payload that establishes persistence through a systemd unit and an XDG autostart entry posing as the legitimate Conky system monitor. What makes GoGra evasive is its command-and-control channel: the malware carries hardcoded Azure Active Directory (now Microsoft Entra ID) credentials, uses them to obtain OAuth2 access tokens from Microsoft's identity platform, and then reads and writes an Outlook mailbox through the Microsoft Graph API.

Every two seconds, the malware checks an Outlook folder named "Zomato Pizza" for incoming emails whose subject line begins with "Input". It base64-decodes and AES-CBC-decrypts the message body and executes the resulting command locally. Command output is AES-encrypted and sent back to the operator as a reply with the subject "Output". After processing each command, the malware deletes the original message with an HTTP DELETE to the Graph API, so little of the tasking survives in the mailbox for later forensic review.

Symantec notes that the Linux variant shares a nearly identical codebase with the Windows version of GoGra, including the same typos in strings, function names, and AES key, strongly indicating both were built by the same developer. The emergence of a Linux variant signals that Harvester is expanding its targeting scope beyond Windows environments.

Who is affected

Telecommunications providers, government agencies, and IT organizations in South Asia are Harvester's established targets. The Linux variant extends the group's tooling to Linux hosts that its Windows implants could not touch. Because the lure is a file a user has to open, and because an XDG autostart entry only fires when a desktop session starts, Linux workstations are at least as exposed as servers. Any organization in these sectors running Linux systems that can reach Microsoft's cloud services outbound faces potential exposure.

Why CISOs should care

Using a legitimate Outlook mailbox as the command-and-control channel is a deliberate evasion strategy. Network controls that flag outbound connections to unknown or low-reputation infrastructure will not fire, because the C2 traffic goes only to login.microsoftonline.com and graph.microsoft.com over TLS, exactly like any Microsoft 365 client. The hardcoded credentials almost certainly belong to a tenant and mailbox the operator controls, so the victim's own Entra ID sign-in and audit logs never record the activity either. The delete-after-execution behavior compounds the problem by actively degrading the forensic record.

For security teams relying on network-layer detection, GoGra is a reminder that traffic to trusted cloud infrastructure can carry malicious instructions. What remains observable is behavior at the endpoint: which process is making the connections, how often, and whether that process has any business talking to Microsoft Graph. A binary that arrived as a "PDF" and contacts graph.microsoft.com every two seconds from a Linux host stands out as soon as you look at per-process network telemetry rather than destination reputation.
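Added example, not Symantec's analysis code or the malware's own: a Python script that applies the per-process detection just described to constructed connection telemetry. The record format (timestamp, host, process path, destination), the host names and the allowlist of known Graph clients are assumptions; the script flags any non-allowlisted process that reaches graph.microsoft.com at a near-constant short interval, which is the shape GoGra's two-second mailbox poll would leave in the data.

```python
"""Flag processes that poll Microsoft Graph at a near-constant short interval.

Added example for this page, not code from Symantec or from GoGra. Input is
constructed per-process connection telemetry in an assumed
"timestamp host process destination" format, the kind of record an auditd,
eBPF or EDR connect hook produces. Host names, process paths and the
allowlist below are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Token refresh goes to login.microsoftonline.com far less often; the mailbox
# poll itself hits the Graph API host, so that is what we baseline.
GRAPH_API_HOST = "graph.microsoft.com"

# Binaries you have confirmed legitimately talk to Graph on Linux hosts (assumed).
KNOWN_GRAPH_CLIENTS = {"/usr/bin/teams-for-linux"}

# Constructed sample: db01 runs an ELF masquerading as a PDF that polls Graph
# every 2 s; an admin on ws07 runs ad-hoc curl queries at irregular times; a
# known client on ws07 also polls quickly but is allowlisted.
SAMPLE_LOG = """\
2025-05-01T10:00:00Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:02Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:04Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:06Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:08Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:10Z db01 /home/ops/Invoice.pdf graph.microsoft.com:443
2025-05-01T10:00:00Z ws07 /usr/bin/curl graph.microsoft.com:443
2025-05-01T10:03:14Z ws07 /usr/bin/curl graph.microsoft.com:443
2025-05-01T10:09:50Z ws07 /usr/bin/curl graph.microsoft.com:443
2025-05-01T10:40:01Z ws07 /usr/bin/curl graph.microsoft.com:443
2025-05-01T11:02:11Z ws07 /usr/bin/curl graph.microsoft.com:443
2025-05-01T10:00:01Z ws07 /usr/bin/teams-for-linux graph.microsoft.com:443
2025-05-01T10:00:03Z ws07 /usr/bin/teams-for-linux graph.microsoft.com:443
2025-05-01T10:00:05Z ws07 /usr/bin/teams-for-linux graph.microsoft.com:443
2025-05-01T10:00:07Z ws07 /usr/bin/teams-for-linux graph.microsoft.com:443
2025-05-01T10:00:09Z ws07 /usr/bin/teams-for-linux graph.microsoft.com:443
"""


def parse_line(line):
    """Split one telemetry record into (timestamp, host, process, destination host)."""
    ts, host, proc, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, proc, dst.split(":")[0]


def find_beacons(log_text, min_events=5, max_interval=10.0, max_jitter=0.25):
    """Return sorted (host, process, mean_interval_seconds) for suspicious pollers.

    A (host, process) pair is flagged when it is not allowlisted, reached the
    Graph API host at least min_events times, and its inter-connection gaps
    average at most max_interval seconds with a coefficient of variation of
    at most max_jitter (i.e. the cadence is machine-regular, not human).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = parse_line(line)
        if dst == GRAPH_API_HOST and proc not in KNOWN_GRAPH_CLIENTS:
            events[(host, proc)].append(ts)

    findings = []
    for (host, proc), stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps, not a poll loop
        jitter = pstdev(gaps) / avg
        if avg <= max_interval and jitter <= max_jitter:
            findings.append((host, proc, round(avg, 2)))
    findings.sort()
    return findings


if __name__ == "__main__":
    for host, proc, interval in find_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} polls {GRAPH_API_HOST} every ~{interval}s")
```

The thresholds are deliberately loose: a two-second loop with no jitter is the easy case, and real implants often add randomised sleep, so tune max_jitter against a week of your own telemetry before alerting on it. The allowlist is the part that makes this usable on workstations; on servers it should normally be empty.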

3 practical actions

  1. Implement behavioral detection for anomalous Microsoft Graph API usage: collect per-process connection telemetry on Linux hosts (auditd, an eBPF-based sensor, or your EDR) and baseline which hosts and binaries legitimately contact graph.microsoft.com. Alert on any other process reaching it, and on connections at a fixed short interval, which is the signature GoGra's two-second polling creates. On servers with no reason to use Microsoft 365, block the Graph and login endpoints at the egress proxy outright.
  2. Audit Azure AD (Entra ID) application registrations and OAuth token issuance: the credentials hardcoded in the sample almost certainly belong to an operator-controlled tenant, so do not expect GoGra's sign-ins to appear in your own tenant's logs. Audit your tenant anyway: review registered applications and service principals, the mail permissions (Mail.Read, Mail.ReadWrite) granted to them, and user consent grants, and remove anything that cannot be attributed to known tooling, so your own mailboxes cannot be turned into the same kind of channel.
  3. Inspect Linux persistence mechanisms on sensitive infrastructure: review ~/.config/autostart/*.desktop, /etc/xdg/autostart, ~/.config/systemd/user and /etc/systemd/system for entries that name a legitimate tool such as Conky but whose Exec or ExecStart points somewhere other than the packaged binary (/usr/bin/conky), especially into /tmp, a home directory or a hidden directory. While there, run file(1) over recent downloads: an "ELF 32-bit" executable with a .pdf name on an x86-64 host matches both the lure and the i386 payload described above. Prioritise systems in telecommunications, government, and IT environments where Harvester has historically operated.
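Added example for the persistence review in action 3, written for this page rather than taken from Symantec or from the malware: a Python audit of XDG autostart .desktop files and systemd units that flags entries executing from untrusted locations, or claiming to be Conky while running something else. The sample files are constructed; the expected Conky paths, the untrusted-prefix list and the directory list are assumptions.

```python
"""Audit XDG autostart entries and systemd units for impersonating persistence.

Added example for this page, not Symantec's or GoGra's code. The sample file
contents are constructed; EXPECTED_BINARIES, UNTRUSTED_PREFIXES and
AUTOSTART_DIRS are assumptions chosen to illustrate the check.
"""
import configparser
import glob
import os
import re
import shlex

AUTOSTART_DIRS = [
    os.path.expanduser("~/.config/autostart"),
    "/etc/xdg/autostart",
    os.path.expanduser("~/.config/systemd/user"),
    "/etc/systemd/system",
]
# Where the tool an entry claims to be should actually live (assumed).
EXPECTED_BINARIES = {"conky": {"/usr/bin/conky", "/usr/local/bin/conky"}}
# A persistence entry executing from here deserves a look regardless of name.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_entry(path, content):
    """Return (claimed_name, executable) for a .desktop file or a systemd unit."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case: both formats are case-sensitive
    cp.read_string(content)
    if path.endswith(".desktop"):
        name = cp.get("Desktop Entry", "Name", fallback="")
        cmd = cp.get("Desktop Entry", "Exec", fallback="")
    else:
        name = cp.get("Unit", "Description", fallback="")
        cmd = cp.get("Service", "ExecStart", fallback="")
    cmd = re.sub(r"^[-@:+!]+", "", cmd.strip())  # drop systemd ExecStart prefixes
    exe = shlex.split(cmd)[0] if cmd else ""
    return name, exe


def audit_entry(path, content):
    """Return a list of findings for one entry (empty when it looks benign)."""
    name, exe = parse_entry(path, content)
    findings = []
    if exe.startswith(UNTRUSTED_PREFIXES) or "/." in exe:
        findings.append(f"executes from untrusted or hidden location: {exe}")
    claimed = f"{name} {os.path.basename(path)}".lower()
    for tool, expected in EXPECTED_BINARIES.items():
        if tool in claimed and exe not in expected:
            findings.append(f"claims to be {tool} but runs {exe}")
    return findings


def audit_entries(entries):
    """entries: {path: content}. Returns {path: [findings]} for flagged entries only."""
    return {p: h for p, h in ((p, audit_entry(p, c)) for p, c in entries.items()) if h}


def load_from_disk(dirs=AUTOSTART_DIRS):
    """Read every .desktop and .service file from the standard autostart locations."""
    entries = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.desktop")) + glob.glob(os.path.join(d, "*.service")):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entries[path] = fh.read()
            except OSError:
                pass
    return entries


# Constructed samples: two impersonating entries, two legitimate ones.
SAMPLE_ENTRIES = {
    "/home/user/.config/autostart/conky.desktop": """\
[Desktop Entry]
Type=Application
Name=Conky
Exec=/home/user/.local/share/conky/conky -d
X-GNOME-Autostart-enabled=true
""",
    "/etc/xdg/autostart/conky.desktop": """\
[Desktop Entry]
Type=Application
Name=Conky
Exec=/usr/bin/conky -d
""",
    "/home/user/.config/systemd/user/conky.service": """\
[Unit]
Description=Conky system monitor
[Service]
ExecStart=-/tmp/.X11-unix/conky
Restart=always
[Install]
WantedBy=default.target
""",
    "/etc/systemd/system/sshd.service": """\
[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for path, hits in audit_entries(SAMPLE_ENTRIES).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

Replace SAMPLE_ENTRIES with load_from_disk() to run it on a real host, and extend EXPECTED_BINARIES with whatever else your images legitimately autostart; the name-versus-path mismatch is the check that catches a lookalike, the untrusted-location check is what catches it when it picks a different name next time.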