Campaign appears to have been targeted at India and Afghanistan.
# Threat Actor: Harvester
## Attribution & Identity
- **Name:** Harvester
- **Identity:** Believed to be a nation-state-backed Advanced Persistent Threat (APT) group.
- **Associations:** Activity tracked and attributed by the Symantec and Carbon Black Threat Hunter teams.
- **Related Group/Tools:** Uses a custom backdoor called **Graphon**, which shares similarities with the GoGra malware family.
## Activity Summary
- **2026 Campaign:** The group has expanded its arsenal to include a Linux-based version of their "GoGra" backdoor to complement their existing Windows espionage capabilities.
- **2021 Campaign:** Historically identified as being active since at least 2021, focusing on South Asian targets.
- **Current Operation:** Deploying custom Go-based droppers via social engineering lures to drop i386 Linux implants that leverage Microsoft cloud infrastructure for command-and-control (C2).
## Tactics, Techniques & Procedures
- **Initial Access:** Social engineering using tailored decoy documents (PDF/ODT).
- **Masquerading:** Appending extensions like `. pdf` (with a space) to ELF binaries to trick users; masquerading autostart entries as the "Conky" system monitor. [T1036]
- **Persistence:** Establishing persistence via `systemd` user units and XDG autostart entries (`~/.config/systemd/user/userservice`). [T1543.002 / T1547.001]
- **Execution:** Uses Go-based droppers to extract payloads; executes received C2 commands via `/bin/bash -c`. [T1059.004]
- **C2 Communication:**
  - Abuses legitimate **Microsoft Graph API** and Outlook mailboxes. [T1102]
  - Uses hardcoded Azure AD credentials (Tenant ID, Client ID, Secret) to obtain OAuth2 tokens.
  - Utilizes OData queries to poll specific mailbox folders for tasks.
- **Encryption:**
  - AES-CBC encryption for tasking and exfiltration.
  - Hardcoded AES Key: `b14ca5898a4e4133bbce2ea2315a1916`.
- **Evasion/Cleanup:** Issues HTTP DELETE commands to wipe C2 messages from the mailbox after execution. [T1070]
## Targeting
- **Sectors:** Espionage-focused; activities suggest targeting of government/diplomatic interests (e.g., "TheExternalAffairesMinister" lure).
- **Geography:** Primarily India and Afghanistan (South Asia).
- **Victims:** General public/specific demographics in India (evidenced by Zomato and Umrah pilgrimage decoys); government officials.
## Tools & Infrastructure
- **Malware Families:**
  - **GoGra:** Cross-platform backdoor (Linux and Windows variants).
  - **Graphon:** Custom backdoor using Microsoft infrastructure.
- **Infrastructure:**
  - **Legitimate Services:** Microsoft Graph API, Azure AD, and Outlook.
  - **Mailbox Folders:** "Zomato Pizza" (Linux) and "Dragan Dash" (Windows).
- **Indicators (Hashes):**
  - `9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82` (GoGra Linux)
  - `2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1` (GoGra Linux)
  - `57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943` (Lure ZIP)
## Implications
Harvester demonstrates a high level of operational maturity by adopting a multi-platform (Windows and Linux) development strategy. By using legitimate Microsoft infrastructure for C2, the group effectively blends in with normal enterprise traffic, making detection via traditional network monitoring extremely difficult. Their focus on South Asia suggests a persistent regional intelligence mandate.
## Mitigations
- **Network Monitoring:** Monitor for unusual OData queries and calls to Microsoft Graph API (`graph.microsoft[.]com`) from non-standard applications or Linux servers.
- **Endpoint Security:** Implement EDR to detect unauthorized `systemd` unit creation and XDG autostart modifications.
- **Application Control:** Restrict the execution of unknown ELF binaries and monitor for files with deceptive double extensions (e.g., `. pdf`).
- **Identity Management:** Audit Azure AD logs for the use of unauthorized Client IDs and Secrets communicating with Outlook APIs.
- **User Education:** Train staff to identify suspicious lure documents, particularly those involving ZIP files or PDFs that require manual execution steps.
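Added detection sketch, not part of the report or of any vendor tooling, that applies the Network Monitoring item above to the C2 pattern described under Tactics, Techniques & Procedures: run over constructed proxy-log lines, it flags Graph API mail calls from a non-mail client, OData `$filter` polls for the mailbox folder names the report lists, and per-message DELETEs. The log format, the allowlisted User-Agent fragments, and the tenant, mailbox, folder and message ids are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (not real telemetry): src_host method URL "user-agent".
# "Go-http-client/1.1" is the default User-Agent of Go's net/http client, fitting the
# report's Go-based implants; tenant, mailbox, folder and message ids are placeholders.
SAMPLE_LOG = """\
ws-42 POST https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token "Go-http-client/1.1"
ws-42 GET https://graph.microsoft.com/v1.0/users/ops@example.test/mailFolders?$filter=displayName%20eq%20'Zomato%20Pizza' "Go-http-client/1.1"
ws-42 GET https://graph.microsoft.com/v1.0/users/ops@example.test/mailFolders/FOLDER-ID/messages?$top=5 "Go-http-client/1.1"
ws-42 DELETE https://graph.microsoft.com/v1.0/users/ops@example.test/messages/MSG-ID "Go-http-client/1.1"
pc-07 GET https://graph.microsoft.com/v1.0/me/messages?$top=10 "Mozilla/5.0 (Windows NT 10.0) Outlook"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
GRAPH_HOST = "graph.microsoft.com"
# Mailbox folder names the report ties to Harvester tasking (Linux and Windows variants).
C2_FOLDER_NAMES = ("zomato pizza", "dragan dash")
# Assumed allowlist: User-Agent fragments of clients expected to reach Graph in this environment.
EXPECTED_UA_FRAGMENTS = ("Outlook", "Microsoft Office", "Mozilla/")


def analyze_line(line):
    """Return the rule names one log line triggers (empty list when benign)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _, method, url, ua = m.groups()
    parsed = urlparse(url)
    hits = []
    if parsed.hostname != GRAPH_HOST:
        return hits
    # Rule 1: Graph mail traffic from something that is not a known mail application.
    if not any(frag in ua for frag in EXPECTED_UA_FRAGMENTS):
        hits.append("graph_nonstandard_client")
    # Rule 2: OData $filter polling for a folder name the report associates with tasking.
    for flt in parse_qs(parsed.query).get("$filter", []):
        if any(name in flt.lower() for name in C2_FOLDER_NAMES):
            hits.append("known_c2_folder_poll")
    # Rule 3: deletion of individual messages, the report's post-execution cleanup step.
    if method == "DELETE" and "/messages/" in parsed.path:
        hits.append("message_deletion")
    return hits


def scan(log_text):
    """Map each source host to the set of rules it triggered across all lines."""
    findings = {}
    for line in log_text.splitlines():
        for rule in analyze_line(line):
            findings.setdefault(line.split(" ", 1)[0], set()).add(rule)
    return findings
```

A host that trips all three rules within a short window is the pattern worth escalating; any single rule on its own will also fire on legitimate automation and needs the allowlist tuned to the environment.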