New GoGra Malware for Linux Uses Microsoft Graph API for Comms
Companies Mentioned
Microsoft
MSFT
Symantec
Why It Matters
Using Microsoft's own cloud infrastructure as a Linux command-and-control channel lets the backdoor's traffic hide inside ordinary Microsoft 365 activity, which makes network-based detection harder and pushes enterprises to watch cloud-mail and Graph API activity more closely. It also signals that a sophisticated threat actor is now bringing to Linux the living-off-trusted-services tradecraft previously seen only in its Windows tooling.
Key Takeaways
- GoGra Linux backdoor leverages the Microsoft Graph API for command delivery
- Hardcoded Azure AD credentials enable OAuth2 token retrieval
- Malware polls the Outlook folder "Zomato Pizza" every two seconds
- Commands are AES-encrypted, executed locally, and results emailed back
- Symantec links the Linux and Windows variants, pointing to a single Harvester developer
Pulse Analysis
The emergence of a Linux GoGra variant that talks to Outlook through the Microsoft Graph API marks a notable shift in how threat actors exploit legitimate cloud services. By using hard-coded Azure AD credentials to obtain OAuth2 tokens, the malware needs no attacker-owned C2 infrastructure: every request goes to Microsoft's own endpoints over HTTPS, so domain reputation, IP blocklists and proxy filtering see nothing but normal Microsoft 365 traffic. This gives the operators a reliable, highly available command channel while leaving conventional network intrusion tools little to key on; the visibility that remains lives in the cloud-side identity and mailbox logs rather than on the wire.
Harvester, the suspected state-backed group behind the campaign, has extended its toolkit beyond Windows to target Linux servers commonly found in telecom, government, and IT environments across South Asia. The initial infection vector (ELF binaries masquerading as PDF files) is a classic social-engineering ploy, while persistence via systemd services and a Conky-style XDG autostart entry shows a working familiarity with how Linux desktops and servers start software. The two-second polling of the "Zomato Pizza" folder gives the operators near-interactive control, and AES-CBC encryption of both inbound commands and outbound results keeps the mailbox contents opaque to anyone reviewing them. The trade-off is that a two-second beacon produces a steady stream of near-identical Graph API requests from one identity, which is itself a pattern defenders can hunt for.
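The persistence locations named above (systemd units and XDG autostart entries) can be audited with a short script. The following is an added example, not code from the Symantec report or from the malware; the heuristics it applies (program living in scratch space or a dot-directory, a document extension on an executable, a display name that claims to be a known tool such as Conky while the program path points elsewhere) and the sample unit and .desktop files it checks are all constructed for illustration and are assumptions, not indicators published for GoGra.

```python
import configparser
from pathlib import Path, PurePosixPath
import shlex

# Assumed heuristics (not from the Symantec report). Any one of these on a
# persistence entry is worth a look; several together are a strong signal.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
# Display-name keyword -> program basename it should actually run.
KNOWN_TOOLS = {"conky": "conky", "dropbox": "dropbox", "nm-applet": "nm-applet"}


def _parse_ini(text):
    # Units and .desktop files are INI-like; interpolation=None keeps '%U'
    # field codes intact, strict=False tolerates repeated keys (ExecStartPre=).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Exec vs ExecStart
    cp.read_string(text)
    return cp


def exec_program(cmdline):
    """Program path from an Exec= or ExecStart= value, minus systemd's
    '-', '@', ':', '+', '!' prefixes."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        parts = cmdline.split()
    return parts[0].lstrip("-@:+!") if parts else ""


def audit_entry(path, content):
    """Return [(tag, detail), ...] findings for one unit file or .desktop entry."""
    cp = _parse_ini(content)
    if path.endswith(".desktop"):
        section, key = "Desktop Entry", "Exec"
        name = cp.get(section, "Name", fallback="")
    else:
        section, key = "Service", "ExecStart"
        name = cp.get("Unit", "Description", fallback="")
    if not cp.has_option(section, key):
        return []
    prog = exec_program(cp.get(section, key))
    if not prog:
        return []
    findings = []
    if any(prog == d or prog.startswith(d + "/") for d in SCRATCH_DIRS):
        findings.append(("scratch-dir", prog))
    if any(part.startswith(".") for part in PurePosixPath(prog).parts[:-1]):
        findings.append(("hidden-dir", prog))  # low severity on its own (~/.local/bin is common)
    if prog.lower().endswith(DOC_EXTENSIONS):
        findings.append(("doc-extension", prog))
    base = PurePosixPath(prog).name
    for keyword, expected in KNOWN_TOOLS.items():
        if keyword in name.lower() and base != expected:
            findings.append(("name-masquerade", f"{name!r} runs {prog}"))
    return findings


def scan_system():
    """Audit the usual persistence directories on the running host."""
    home = Path.home()
    dirs = [Path("/etc/systemd/system"), home / ".config/systemd/user",
            Path("/etc/xdg/autostart"), home / ".config/autostart"]
    report = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if f.is_file() and f.suffix in (".service", ".desktop"):
                try:
                    hits = audit_entry(str(f), f.read_text(errors="replace"))
                except (configparser.Error, OSError):
                    continue
                if hits:
                    report[str(f)] = hits
    return report


# Constructed sample files (assumptions for illustration, not real artefacts).
SUSPECT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Exec=/tmp/.X11-unix0/invoice.pdf --daemon
X-GNOME-Autostart-enabled=true
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Exec=conky --daemonize --pause=5
"""
BENIGN_UNIT = """[Unit]
Description=CUPS Scheduler
[Service]
ExecStart=/usr/sbin/cupsd -l
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    print(audit_entry("/home/u/.config/autostart/conky.desktop", SUSPECT_DESKTOP))
    for path, hits in scan_system().items():
        print(path, hits)
```

Run `scan_system()` from a scheduled job and diff the result against a known-good baseline; a new autostart or unit file that trips any rule is worth pulling the referenced binary for triage.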
For enterprises, the key takeaway is the necessity of monitoring cloud mailbox and Graph API activity for anomalous patterns: OAuth token requests for an account that should never authenticate from a Linux server, a single identity reading the same folder many times a minute, or mail flowing to and from a service account that has no business sending email. Strict credential hygiene (rotating service account secrets, enforcing conditional access policies, and limiting Graph API permissions to the minimum scopes) shrinks the attack surface, and because GoGra's credentials are hard-coded in the binary, revoking the compromised account once a sample is recovered cuts the channel for every implant that uses it. Endpoint detection should additionally be tuned to flag unusual systemd services or autostart entries, and security teams must bring Microsoft 365 sign-in, audit and Graph activity logs into their SIEM to catch the subtle indicators of this Linux-focused espionage campaign.
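The mailbox-polling pattern is the most distinctive cloud-side signal, and it can be detected with simple rate logic over Graph activity records. The following is an added example, not Symantec's or Microsoft's detection content: it groups requests by identity and folder endpoint, flags any endpoint hit at a beacon-like cadence, and notes how many sendMail calls the same identity made (results going back out). The record field names (`time`, `identity`, `method`, `uri`, `ip`) are assumed, loosely modelled on the columns of Microsoft Graph activity logs, and the sample records, thresholds and folder id are constructed for illustration.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds: a 2 s poll makes ~30 identical GETs a minute; nothing
# human-driven and few legitimate integrations read one folder that often.
MIN_REQUESTS = 20        # minimum hits on one folder endpoint to consider
MAX_MEDIAN_GAP_S = 5.0   # median seconds between hits that counts as polling
# Opaque Graph ids (folder / message ids) are long base64-like path segments.
ID_RE = re.compile(r"/[A-Za-z0-9_\-=]{20,}(?=/|$)")


def normalize_uri(uri):
    """Drop the query string and replace opaque ids so one folder polled with
    varying $top/$filter values collapses to a single key."""
    path = uri.split("?", 1)[0]
    return ID_RE.sub("/{id}", path)


def detect_mailbox_beacons(records, min_requests=MIN_REQUESTS,
                           max_median_gap=MAX_MEDIAN_GAP_S):
    """records: dicts with time (ISO 8601), identity, method, uri, ip.
    Returns one alert per (identity, folder endpoint) polled like a beacon."""
    series = defaultdict(list)   # (identity, method, normalized uri) -> timestamps
    sends = defaultdict(int)     # identity -> sendMail POSTs
    ips = defaultdict(set)       # identity -> client IPs seen
    for r in records:
        uri = normalize_uri(r["uri"])
        series[(r["identity"], r["method"], uri)].append(datetime.fromisoformat(r["time"]))
        ips[r["identity"]].add(r["ip"])
        if r["method"] == "POST" and uri.endswith("/sendMail"):
            sends[r["identity"]] += 1
    alerts = []
    for (identity, method, uri), times in series.items():
        if method != "GET" or "/mailFolders/" not in uri or len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap > max_median_gap:
            continue
        alerts.append({
            "identity": identity,
            "endpoint": uri,
            "requests": len(times),
            "median_gap_s": median_gap,
            "span_s": (times[-1] - times[0]).total_seconds(),
            "send_mail_posts": sends[identity],
            "source_ips": sorted(ips[identity]),
        })
    return alerts


def parse_jsonl(text):
    """One JSON record per line, as a SIEM export would provide."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def constructed_sample():
    """Constructed records (not real telemetry): one identity polling a folder
    every 2 s and sending two mails, plus a human reading inbox occasionally."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    folder = "AAMkAGI2TG93AAAAAAAAAAAAAAAAAAAA="   # made-up opaque folder id
    graph = "https://graph.microsoft.com/v1.0"

    def rec(offset_s, identity, method, uri, ip):
        return {"time": (t0 + timedelta(seconds=offset_s)).isoformat(),
                "identity": identity, "method": method, "uri": uri, "ip": ip}

    recs = [rec(2 * i, "svc-docs@contoso.example", "GET",
                f"{graph}/me/mailFolders/{folder}/messages?$top=1", "203.0.113.7")
            for i in range(40)]
    recs += [rec(25, "svc-docs@contoso.example", "POST", f"{graph}/me/sendMail", "203.0.113.7"),
             rec(61, "svc-docs@contoso.example", "POST", f"{graph}/me/sendMail", "203.0.113.7")]
    recs += [rec(300 * i, "alice@contoso.example", "GET",
                 f"{graph}/me/mailFolders/inbox/messages?$top=25", "198.51.100.4")
             for i in range(3)]
    return recs


if __name__ == "__main__":
    for alert in detect_mailbox_beacons(constructed_sample()):
        print(json.dumps(alert, indent=2))
```

Tune `MIN_REQUESTS` and `MAX_MEDIAN_GAP_S` against a week of your own Graph activity before alerting; sync-style integrations that legitimately poll mailboxes are easy to allowlist by identity once the query surfaces them.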