Harvester deploys Linux version of GoGra backdoor in South Asia targeting campaign

A threat actor known as Harvester has deployed a Linux version of its GoGra backdoor in attacks likely aimed at entities in South Asia, with artifacts uploaded from India and Afghanistan, according to a technical analysis by the Symantec and Carbon Black Threat Hunter Team.

KEY FACTS

  • Targeting: Artifacts were uploaded from India and Afghanistan.
  • Delivery: Victims were tricked into opening ELF binaries disguised as PDF files.
  • Command channel: The backdoor uses the Microsoft Graph API and Outlook mailbox folders for control.
  • History: Harvester was first linked to South Asia espionage activity in 2021.

The latest variant extends the group’s toolset beyond Windows and onto Linux systems. The report says the malware contacts a specific Outlook mailbox folder named “Zomato Pizza” every two seconds using Open Data Protocol queries.

The backdoor scans for incoming messages with subjects that begin with “Input.” When a matching email arrives, it decrypts the Base64-encoded body and runs the content as shell commands through /bin/bash.

The output is then sent back in an email message with the subject line “Output.” After the task is complete, the implant deletes the original message, which can make the activity harder to trace. The disclosure said matching hard-coded spelling errors in the Windows and Linux tools suggest the same developer is behind both.
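As an added illustration from the detection side (this is not code from the Symantec report or from the malware), the following Python sketch runs two hunts over constructed mailbox-activity records modelled on the behaviour described above: a machine-like polling cadence against a single folder, and the Input/Output/delete tasking cycle. The record field names and the sample log lines are assumptions.

```python
import json
import statistics
from collections import defaultdict

# Constructed mailbox-activity records (not real telemetry). Field names are an
# assumption loosely modelled on Microsoft 365 audit-log fields; adapt to your schema.
SAMPLE_LOG = """\
{"ts": 1000, "user": "svc-a", "op": "MailItemsAccessed", "folder": "Zomato Pizza"}
{"ts": 1002, "user": "svc-a", "op": "MailItemsAccessed", "folder": "Zomato Pizza"}
{"ts": 1004, "user": "svc-a", "op": "MailItemsAccessed", "folder": "Zomato Pizza"}
{"ts": 1006, "user": "svc-a", "op": "MailItemsAccessed", "folder": "Zomato Pizza"}
{"ts": 1009, "user": "svc-a", "op": "Send", "subject": "Output"}
{"ts": 1010, "user": "svc-a", "op": "HardDelete", "subject": "Input"}
{"ts": 1000, "user": "alice", "op": "MailItemsAccessed", "folder": "Inbox"}
{"ts": 1300, "user": "alice", "op": "MailItemsAccessed", "folder": "Inbox"}
{"ts": 1905, "user": "alice", "op": "Send", "subject": "Re: Output of Q3 review"}
"""

def parse(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def fast_polling(records, max_median_gap=5.0, min_reads=4):
    """Flag (user, folder) pairs read at a machine-like cadence.
    GoGra polls one folder every two seconds, far faster than any mail client."""
    reads = defaultdict(list)
    for r in records:
        if r["op"] == "MailItemsAccessed":
            reads[(r["user"], r["folder"])].append(r["ts"])
    hits = []
    for key, times in reads.items():
        times.sort()
        if len(times) < min_reads:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if statistics.median(gaps) <= max_median_gap:
            hits.append(key)
    return hits

def tasking_pattern(records):
    """Flag users who both send an 'Output' message and hard-delete an 'Input'
    message: the request, response and cleanup cycle the report describes."""
    sent, deleted = set(), set()
    for r in records:
        subj = r.get("subject", "")
        if r["op"] == "Send" and subj.startswith("Output"):
            sent.add(r["user"])
        if r["op"] == "HardDelete" and subj.startswith("Input"):
            deleted.add(r["user"])
    return sorted(sent & deleted)
```

Either hunt alone will produce false positives on automation accounts; correlating both on the same mailbox within a short window is what makes the pattern distinctive.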

Harvester was previously tied to a 2021 campaign that targeted telecommunications, government and information technology sectors in South Asia. In 2024, the group was linked to a separate attack on a media organization with a Go-based backdoor.

WHY IT MATTERS

The Linux variant shows the group is still developing new tools and broadening the range of systems it can reach. Using cloud email services as a covert control channel may also help the malware blend in with normal traffic and bypass perimeter defenses.