Harvester APT Deploys New Linux Backdoor 'GoGra' via Microsoft Graph API
The **Harvester** advanced persistent threat (APT) group has been linked to a new Linux variant of its **GoGra** backdoor, indicating an expansion of its targeting scope beyond Windows. The malware uses the **Microsoft** Graph API and an Outlook mailbox as its command-and-control (C2) channel; because that traffic is HTTPS to a legitimate Microsoft endpoint, it blends in with normal Microsoft 365 activity and is not stopped by conventional perimeter defenses.

**Harvester** APT, known for targeting entities in South Asia, is now utilizing a Linux version of its **GoGra** backdoor.
According to a report by the **Symantec** and **Carbon Black** Threat Hunter Team, the malware employs the legitimate **Microsoft** Graph API and Outlook mailboxes as a covert command-and-control (C2) channel. This allows it to evade standard perimeter network defenses.
The cybersecurity firm discovered artifacts uploaded to **VirusTotal** from India and Afghanistan, suggesting these countries are the primary targets of this espionage campaign.
### Harvester's History
**Harvester** was first documented by **Symantec** in late 2021, when the group was linked to an information-stealing campaign that had targeted telecommunications, government, and IT organizations in South Asia since June 2021. In that campaign the group used a custom implant called Graphon, which also relied on the **Microsoft** Graph API for C2.
In August 2024, the group was connected to an attack on a media organization in South Asia. This attack involved a previously unseen Go-based backdoor named **GoGra**. The latest findings show that **Harvester** is expanding its arsenal beyond Windows, now targeting Linux machines with a new variant of the same backdoor.
### Technical Details of the Attack
The attacks use social engineering to trick victims into opening ELF binaries disguised as PDF documents. The dropper displays a decoy document while silently deploying the backdoor.
Like the Windows version, the Linux **GoGra** abuses **Microsoft**'s cloud infrastructure. It polls a specific Outlook mailbox folder named "Zomato Pizza" every two seconds using Open Data Protocol (OData) queries against the Graph API, scanning that mailbox for email messages whose subject line starts with "Input."
When a matching email is found, the backdoor decodes the Base64-encoded message body and executes it as shell commands using `/bin/bash`. The command output is sent back to the operator in an email with the subject line "Output." Once the results have been sent, the implant deletes the original tasking message to conceal its activity.
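The C2 loop described above leaves a recognisable footprint in any log that records a host's outbound HTTPS requests (a forward proxy, a CASB, or Graph API audit logs): a single client hitting the Graph mail endpoints every couple of seconds with an OData `$filter` on the subject line. The script below is an added example, not code from the Symantec/Carbon Black report or from the malware itself. It runs a simple detector over constructed proxy log lines. The exact request shapes are assumptions: a folder lookup by `displayName`, followed by polling `/mailFolders/{id}/messages` with `$filter=startswith(subject,'Input')`, a `sendMail` for the reply and a `DELETE` of the tasking message. The page does not show the implant's actual request URLs, so the string indicators should be treated as illustrative and the polling-cadence check as the more durable signal.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse, unquote

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <client_ip> <method> <url>".
# 10.1.2.3 mimics the GoGra pattern described in the article; 10.1.2.9 is a benign mail client.
# The Graph URL shapes and the FOLDERID1/MSGID1 identifiers are assumptions made for this example.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders?$filter=displayName%20eq%20'Zomato%20Pizza'
2025-01-10T09:00:01 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID1/messages?$filter=startswith(subject,'Input')
2025-01-10T09:00:03 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID1/messages?$filter=startswith(subject,'Input')
2025-01-10T09:00:05 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID1/messages?$filter=startswith(subject,'Input')
2025-01-10T09:00:06 10.1.2.3 POST https://graph.microsoft.com/v1.0/me/sendMail
2025-01-10T09:00:07 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID1/messages?$filter=startswith(subject,'Input')
2025-01-10T09:00:07 10.1.2.3 DELETE https://graph.microsoft.com/v1.0/me/messages/MSGID1
2025-01-10T09:00:09 10.1.2.3 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDERID1/messages?$filter=startswith(subject,'Input')
2025-01-10T09:00:00 10.1.2.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10
2025-01-10T09:05:00 10.1.2.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into (timestamp, client_ip, method, url)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def graph_indicators(url):
    """Return the set of GoGra-style indicators present in a single Graph API request URL."""
    found = set()
    u = urlparse(url)
    if u.netloc.lower() != "graph.microsoft.com":
        return found
    path = unquote(u.path).lower()
    query = unquote(u.query).lower()
    # OData subject filter used to pick up tasking messages (assumed request shape).
    if "startswith(subject,'input')" in query.replace(" ", ""):
        found.add("subject_filter_input")
    # Folder lookup by the hard-coded display name reported in the article.
    if "displayname eq 'zomato pizza'" in query:
        found.add("folder_zomato_pizza")
    # Any listing of messages in a mail folder counts as one mailbox poll.
    if "/mailfolders/" in path and path.endswith("/messages"):
        found.add("mailfolder_messages")
    return found


def detect(log_text, max_poll_interval=3.0, min_polls=5):
    """Aggregate requests per client and flag GoGra-like mailbox polling.

    A client is flagged when it lists mail-folder messages at least `min_polls` times
    with a median inter-request gap of `max_poll_interval` seconds or less (the article
    reports a two-second cadence), or when one of the string indicators is seen.
    Returns {client_ip: [reason, ...]}.
    """
    per_client = defaultdict(lambda: {"polls": [], "indicators": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = parse_line(line)
        ind = graph_indicators(url)
        rec = per_client[client]
        rec["indicators"] |= ind
        if method == "GET" and "mailfolder_messages" in ind:
            rec["polls"].append(ts)

    findings = {}
    for client, rec in per_client.items():
        reasons = []
        polls = sorted(rec["polls"])
        if len(polls) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            med = median(gaps)
            if med <= max_poll_interval:
                reasons.append(f"tight mailbox polling: median gap {med:.1f}s over {len(polls)} requests")
        for name in ("subject_filter_input", "folder_zomato_pizza"):
            if name in rec["indicators"]:
                reasons.append(name)
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in detect(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The cadence check is deliberately independent of the folder name and subject prefix, since those are trivially changed between builds; the string indicators are cheap to add on top but will only match a variant that keeps the reported values. In a real deployment the same logic applies to Microsoft 365 unified audit log or Graph activity log records, keyed on the application ID and user principal rather than a source IP.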
### Similarities Across Platforms
**Symantec** and **Carbon Black** noted that despite differences in deployment architectures and operating systems, the underlying C2 logic remains consistent. They also found identical, hard-coded spelling errors across both platforms, suggesting that the same developer is responsible for both tools.
This new Linux backdoor shows **Harvester**'s ongoing effort to broaden its toolset and develop new capabilities, allowing the group to target a wider range of victims and machines. Because the C2 channel is legitimate Microsoft 365 traffic that few organizations can block outright, defenders are better served by monitoring for unexpected Graph API mail access from Linux hosts, unusual mailbox folder names, and high-frequency mailbox polling than by relying on network-level blocking.