Full Report
The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter
Analysis Summary
# Threat Actor: Harvester
## Attribution & Identity
* **Name:** Harvester
* **Aliases:** None mentioned in the text (Note: The article mentions LightBasin in a hyperlinked reference, but identifies the primary actor for this campaign as Harvester).
* **Associations:** Linked to the development of the Graphon and GoGra malware families.
## Activity Summary
The actor was recently observed deploying a new Linux-based version of its **GoGra** backdoor. This follows a history of activity dating back to at least June 2021: a campaign targeting a media organization in South Asia was flagged in August 2024, and most recently artifacts were identified in India and Afghanistan (April 2026).
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses ELF binaries disguised as PDF documents to trick users into execution.
* **Execution via Dropper:** Employs droppers that display a lure document while simultaneously executing the backdoor in the background.
* **Cloud API Abuse:** Leverages the **Microsoft Graph API** to interact with legitimate Outlook mailboxes for Command and Control (C2).
* **Covert C2 Communication:**
  * Uses OData (Open Data Protocol) queries to poll a specific Outlook folder (named "Zomato Pizza") every two seconds.
  * Polls for emails with the subject line "Input."
* **Command Execution:** Decodes the Base64-encoded email bodies and executes them as shell commands via `/bin/bash`.
* **Exfiltration:** Sends command output back via email with the subject line "Output."
* **Anti-Forensics:** Deletes the original tasking email message after execution to remove traces of activity.
* **Cross-Platform Development:** Maintains feature parity and matching code artifacts (including specific spelling errors) across Windows and Linux versions.
**MITRE ATT&CK IDs (Inferred from TTPs):**
* **T1566.001:** Phishing: Spearphishing Attachment
* **T1102.002:** Web Service: Bidirectional Communication (Microsoft Graph API)
* **T1059.004:** Command and Scripting Interpreter: Unix Shell
* **T1071.003:** Application Layer Protocol: Mail Protocols
* **T1070.004:** Indicator Removal: File Deletion
## Targeting
* **Sectors:** Telecommunications, Government, Information Technology, and Media.
* **Geography:** Primarily South Asia, with specific activity noted in **India** and **Afghanistan**.
* **Victims:** An unnamed media organization in South Asia; specific entities in India and Afghanistan.
## Tools & Infrastructure
* **Malware Families:**
  * **GoGra:** A Go-based backdoor (Windows and Linux variants).
  * **Graphon:** A custom implant used in earlier campaigns for information stealing.
* **Infrastructure:**
  * Legitimate Microsoft Cloud Infrastructure (Outlook/Microsoft Graph API).
  * C2 Channel: Mailbox folder named "Zomato Pizza".
## Implications
Harvester is a persistent espionage threat that is actively evolving its capabilities. By adopting a Linux variant of GoGra, the actor has demonstrated a commitment to cross-platform targeting, allowing it to compromise servers and specialized workstations that traditional Windows-centric defenses might overlook. Its reliance on legitimate Microsoft Graph API traffic makes the activity highly difficult to distinguish from normal enterprise cloud traffic, effectively bypassing perimeter network defenses.
## Mitigations
* **Cloud Monitoring:** Monitor Microsoft Graph API logs for unusual OData queries or high-frequency polling from unexpected binaries/endpoints.
* **Endpoint Security:** Implement robust EDR/XDR solutions on Linux environments to detect unauthorized shell execution via `/bin/bash` originating from suspicious ELF files.
* **Email Security:** Inspect internal mailbox activity for unauthorized folder creation or specific subject line patterns ("Input"/"Output") that deviate from standard business use.
* **User Training:** Educate users on the risks of opening executable files (ELF) even when they appear to have document-like icons or names.
* **Network Filtering:** Restrict or audit connections to Microsoft Graph API endpoints from non-essential server assets.
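The following Python script is an added example, not code from the report or from Symantec/Carbon Black. It turns the Covert C2, Exfiltration and Anti-Forensics TTPs above, and the Cloud Monitoring and Email Security mitigations, into three concrete checks over mailbox activity records: tight-interval polling of one folder by one client, bare "Input"/"Output" subjects living outside standard mailbox folders, and a read that is followed within seconds by deletion of the same message. The pipe-delimited log format, the mailbox names and the `go-http-client` client label are all constructed for the example and are not the real Microsoft Graph or Exchange audit schema; map the fields to your own log source (for example MailItemsAccessed and HardDelete records) before using the logic.

```python
"""Mailbox-as-C2 detection sketch (added example, not from the report).

Assumptions: the log lines and field layout below are constructed for this
example; they are NOT the real Microsoft Graph / Exchange audit schema.
Each line is: timestamp|mailbox|operation|folder|subject|client
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample activity: one mailbox polled every two seconds by a
# non-Outlook client, a tasking message consumed and erased, plus normal use.
SAMPLE_LOG = """\
2026-04-01T10:00:00Z|ops@corp.example|READ|Zomato Pizza||go-http-client
2026-04-01T10:00:02Z|ops@corp.example|READ|Zomato Pizza||go-http-client
2026-04-01T10:00:04Z|ops@corp.example|READ|Zomato Pizza||go-http-client
2026-04-01T10:00:06Z|ops@corp.example|READ|Zomato Pizza|Input|go-http-client
2026-04-01T10:00:07Z|ops@corp.example|SEND|Zomato Pizza|Output|go-http-client
2026-04-01T10:00:07Z|ops@corp.example|DELETE|Zomato Pizza|Input|go-http-client
2026-04-01T10:05:00Z|alice@corp.example|READ|Inbox|Quarterly report|Outlook
2026-04-01T10:09:00Z|alice@corp.example|READ|Inbox|Lunch?|Outlook
"""

# Tasking subjects named in the report and folders every mailbox legitimately has.
TASKING_SUBJECTS = {"input", "output"}
STANDARD_FOLDERS = {"inbox", "sent items", "drafts", "deleted items", "junk email", "archive"}


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, op, folder, subject, client = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "mailbox": mailbox, "op": op, "folder": folder,
            "subject": subject, "client": client,
        })
    return events


def find_high_frequency_polling(events, min_reads=3, max_gap_seconds=5):
    """Return (mailbox, folder, client) keys that read the same folder at least
    min_reads times in a row with every gap <= max_gap_seconds (the report's
    two-second OData polling loop would trip this)."""
    by_key = defaultdict(list)
    for e in events:
        if e["op"] == "READ":
            by_key[(e["mailbox"], e["folder"], e["client"])].append(e["ts"])
    hits = set()
    for key, stamps in by_key.items():
        stamps.sort()
        run = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap_seconds else 1
            if run >= min_reads:
                hits.add(key)
                break
    return hits


def find_tasking_pattern(events):
    """Messages whose subject is exactly a bare tasking token ("Input"/"Output")
    and which sit in a folder that is not a standard mailbox folder."""
    return [e for e in events
            if e["subject"].strip().lower() in TASKING_SUBJECTS
            and e["folder"].lower() not in STANDARD_FOLDERS]


def find_read_then_delete(events, max_delay_seconds=10):
    """Pair each DELETE with an earlier READ of the same (mailbox, folder, subject)
    within max_delay_seconds: the consume-task-then-erase-trace step."""
    reads = defaultdict(list)
    for e in events:
        if e["op"] == "READ" and e["subject"]:
            reads[(e["mailbox"], e["folder"], e["subject"])].append(e["ts"])
    pairs = []
    for e in events:
        if e["op"] != "DELETE":
            continue
        for r in reads.get((e["mailbox"], e["folder"], e["subject"]), []):
            if 0 <= (e["ts"] - r).total_seconds() <= max_delay_seconds:
                pairs.append((e["mailbox"], e["folder"], e["subject"], r, e["ts"]))
                break
    return pairs


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("polling:", find_high_frequency_polling(evts))
    print("tasking subjects:", len(find_tasking_pattern(evts)))
    print("read-then-delete:", find_read_then_delete(evts))
```

The polling check keys on the client label as well as the mailbox and folder so that a user's Outlook client hitting the same folder does not merge with a separate Go binary's loop; in a real deployment the thresholds should be tuned against a baseline of your own mailbox traffic, since sync clients also read folders frequently.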