The sophisticated threat actor known as Harvester is expanding its horizons. Traditionally known for targeting Windows environments, the group has now developed a “highly-evasive, Linux version of its GoGra backdoor”. This development, uncovered by the Symantec and Carbon Black Threat Hunter Team, signals a calculated move by the nation-state-backed group to broaden its espionage capabilities across different operating systems.
Active since at least 2021, Harvester has historically focused on victims in South Asia, particularly in India and Afghanistan.
The most striking feature of the new Linux implant is its command-and-control (C2) strategy. Rather than communicating with a suspicious, unknown domain, the malware “uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel”.
By leveraging trusted infrastructure, the backdoor effectively “allows it to bypass traditional perimeter network defenses”. The technical execution is surgical:
- Authentication: The malware contains hardcoded Azure AD credentials (tenant ID, client ID, and secret) to request legitimate OAuth2 tokens.
- Polling: It uses OData queries to check a specific Outlook folder—named “Zomato Pizza”—every two seconds for new instructions.
- Execution: Commands are delivered via emails with the subject ‘Input’, decrypted using AES-CBC, and executed via /bin/bash.
- Cleanup: After emailing the results back to the attacker, the implant “issues an HTTP DELETE command to wipe the original tasking message and remove evidence of its presence”.
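The four steps above form a recognisable beacon from the defender's side: one application identity reading one mailbox folder at a fixed short interval, then deleting what it read. The script below is an added example, not code from the article or from the Symantec and Carbon Black team; it flags that pattern in an access log. The log format is hypothetical (one request per line: timestamp, client id, HTTP method, request path), as are the client ids, folder id and message id in the constructed sample, so the parser is the part to adapt to a real Entra ID or Graph activity export.

```python
"""Flag GoGra-style mailbox polling in (constructed) Graph API access logs.

Added example, not code from the article or from the Symantec/Carbon Black
team. The log format is hypothetical, one request per line:
    <ISO-8601 timestamp> <client id> <HTTP method> <request path>
Real Entra ID sign-in and Graph activity logs have their own schemas, so the
parser is the part to adapt; the heuristic (one client reading one folder at a
fixed short interval and deleting messages from it) follows the article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: app-aaaa polls one folder every 2 s, replies, and deletes
# the tasking message; app-bbbb looks like an ordinary mail client.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z app-aaaa GET /v1.0/me/mailFolders/AAMkAD/messages?$filter=subject%20eq%20'Input'
2024-01-01T10:00:02Z app-aaaa GET /v1.0/me/mailFolders/AAMkAD/messages?$filter=subject%20eq%20'Input'
2024-01-01T10:00:04Z app-aaaa GET /v1.0/me/mailFolders/AAMkAD/messages?$filter=subject%20eq%20'Input'
2024-01-01T10:00:06Z app-aaaa GET /v1.0/me/mailFolders/AAMkAD/messages?$filter=subject%20eq%20'Input'
2024-01-01T10:00:06Z app-aaaa POST /v1.0/me/sendMail
2024-01-01T10:00:07Z app-aaaa DELETE /v1.0/me/messages/AAMkAD-msg1
2024-01-01T10:00:08Z app-aaaa GET /v1.0/me/mailFolders/AAMkAD/messages?$filter=subject%20eq%20'Input'
2024-01-01T10:00:00Z app-bbbb GET /v1.0/me/mailFolders/inbox/messages
2024-01-01T10:05:00Z app-bbbb GET /v1.0/me/mailFolders/inbox/messages
2024-01-01T10:10:00Z app-bbbb POST /v1.0/me/sendMail
"""


def parse_log(text: str) -> list:
    """Parse the hypothetical log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, client, method, path = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method.upper(),
            "path": path,
        })
    return records


def folder_key(path: str) -> str:
    """Drop the query string so repeated reads of one folder group together."""
    return path.split("?", 1)[0]


def analyze(records: list, max_interval: float = 5.0, min_polls: int = 3) -> dict:
    """Return {client_id: [reasons]} for clients showing the beaconing pattern.

    A client is flagged when it issues at least `min_polls` GETs against the
    same messages collection with a median spacing of `max_interval` seconds
    or less. If that client also DELETEs messages, a second reason is added,
    matching the tasking-and-cleanup loop described in the article.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        reads = defaultdict(list)
        for r in recs:
            if r["method"] == "GET" and folder_key(r["path"]).endswith("/messages"):
                reads[folder_key(r["path"])].append(r["ts"])

        reasons = []
        for key, times in reads.items():
            if len(times) < min_polls:
                continue
            gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
            median = gaps[len(gaps) // 2]
            if median <= max_interval:
                reasons.append(f"reads {key} every ~{median:.0f}s ({len(times)} requests)")
        if reasons and any(r["method"] == "DELETE" and "/messages/" in r["path"] for r in recs):
            reasons.append("also deletes messages from the mailbox")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are deliberately loose (a median gap of five seconds, three reads) because the point is the regularity, not the exact two-second cadence; tighten `max_interval` once you have a baseline for the mail clients that legitimately hold Graph permissions in your tenant.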
Harvester employs social engineering to gain its initial foothold. Attackers deploy tailored decoy documents, often referencing regional themes like “Zomato Pizza” (a popular Indian food delivery service) or “umrah.pdf” (referencing the Islamic pilgrimage to Mecca).
To trick Linux users, the group relies on a file-naming sleight of hand. They “masquerade malicious ELF files as standard document files by appending extensions like ‘. pdf’, with a subtle space between the filename and the extension”. The file therefore looks like a document to the user but executes as a binary on a Linux system.
Once active, the malware ensures its survival by:
- Writing its payload to ~/.config/systemd/user/userservice.
- Setting up a systemd user unit for persistence.
- Creating an XDG autostart entry that “actively masquerades as the legitimate ‘Conky’ Linux system monitor”.
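The masquerading filenames and the three persistence artifacts listed above are all things an endpoint sweep can look for directly. The following host-hunting script is an added example, not code from the article or from the Symantec and Carbon Black team: the payload path, the systemd user unit and the Conky-themed autostart entry come from the article, while the function names, the list of document extensions and the constructed demo home directory are this example's own assumptions.

```python
"""Hunt for the Linux GoGra artifacts described above: ELF files masquerading
as documents via a space before the extension, the payload at
~/.config/systemd/user/userservice, the systemd user unit that starts it, and
an XDG autostart entry posing as Conky.

Added example, not code from the article or from the Symantec/Carbon Black
team. Artifact locations follow the article; function names, the extension
list and the demo home directory are this example's own assumptions.
"""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# "report. pdf" or "report .pdf": a space on either side of the dot before a
# document extension (the article quotes the form '. pdf').
SPACED_EXT = re.compile(r"(\s\.|\.\s)\s*(pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)
PAYLOAD_REL = Path(".config/systemd/user/userservice")


def is_elf(path: Path) -> bool:
    try:
        with path.open("rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def masquerading_elf_files(root: Path) -> list:
    """ELF binaries whose names look like a document with a spaced extension."""
    return [p for p in root.rglob("*")
            if p.is_file() and SPACED_EXT.search(p.name) and is_elf(p)]


def suspicious_autostart(entry: Path) -> list:
    """Flag an XDG autostart entry that calls itself Conky but executes something else."""
    name = exec_cmd = ""
    for line in entry.read_text(errors="replace").splitlines():
        if line.startswith("Name="):
            name = line[len("Name="):].strip()
        elif line.startswith("Exec="):
            exec_cmd = line[len("Exec="):].strip()
    claims_conky = "conky" in name.lower() or "conky" in entry.name.lower()
    runs_conky = bool(exec_cmd) and Path(exec_cmd.split()[0]).name == "conky"
    if claims_conky and not runs_conky:
        return [f"{entry}: claims to be Conky but runs {exec_cmd!r}"]
    return []


def hunt(home: Path) -> dict:
    """Return findings for one home directory, grouped by artifact type."""
    findings = {"masquerade": [], "payload": [], "unit": [], "autostart": []}
    findings["masquerade"] = [str(p) for p in masquerading_elf_files(home)]
    payload = home / PAYLOAD_REL
    if payload.is_file():
        findings["payload"].append(str(payload))
    unit_dir = home / ".config/systemd/user"
    if unit_dir.is_dir():
        for unit in unit_dir.glob("*.service"):
            if "userservice" in unit.read_text(errors="replace"):
                findings["unit"].append(str(unit))
    autostart_dir = home / ".config/autostart"
    if autostart_dir.is_dir():
        for entry in autostart_dir.glob("*.desktop"):
            findings["autostart"].extend(suspicious_autostart(entry))
    return findings


def demo() -> dict:
    """Build a constructed home directory holding every artifact, then hunt it."""
    home = Path(tempfile.mkdtemp(prefix="gogra-demo-"))
    unit_dir = home / ".config/systemd/user"
    unit_dir.mkdir(parents=True)
    (unit_dir / "userservice").write_bytes(ELF_MAGIC + b"\0" * 12)  # stand-in, not malware
    (unit_dir / "userservice.service").write_text(
        "[Service]\nExecStart=/home/user/.config/systemd/user/userservice\n")
    autostart = home / ".config/autostart"
    autostart.mkdir(parents=True)
    (autostart / "conky.desktop").write_text(  # impostor: Conky name, payload Exec
        "[Desktop Entry]\nName=Conky\nExec=/home/user/.config/systemd/user/userservice\n")
    (autostart / "real-conky.desktop").write_text(  # genuine-looking entry, not flagged
        "[Desktop Entry]\nName=Conky\nExec=/usr/bin/conky --daemonize\n")
    docs = home / "Downloads"
    docs.mkdir()
    (docs / "umrah. pdf").write_bytes(ELF_MAGIC + b"\0" * 12)  # ELF named like a PDF
    (docs / "notes.pdf").write_bytes(b"%PDF-1.4\n")            # real PDF header
    return hunt(home)


if __name__ == "__main__":
    for kind, hits in hunt(Path.home()).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The autostart check compares what the entry claims (its Name and file name) with the basename of the program it actually launches, which is the mismatch that a masquerade of this kind cannot avoid; `demo()` exercises every branch on a throwaway directory so the output can be compared before running it against real home directories.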
The connection between this Linux threat and Harvester’s previous Windows campaigns isn’t just based on infrastructure—it’s written in the code. Analysts found that the two variants share a “nearly identical underlying codebase” and even the same developer-induced spelling errors.
“Analysts also identified several matching, hardcoded spelling errors across both platforms, which points towards the same developer being behind both tools,” the researcher confirms.
Specific cross-platform typos include function names such as “ExcuteCommand” and “Deleteing Message”, as well as string errors such as “error occured in decryption :”.
| Feature | Linux Variant | Windows Variant |
| --- | --- | --- |
| Target Mailbox Folder | Zomato Pizza | Dragan Dash |
| AES Encryption Key | | |
| Internal Go Package | | |
The arrival of this Linux backdoor proves that Harvester is “actively expanding its cross-platform capabilities” to reach a wider range of high-value targets. As the group continues to refine its use of legitimate cloud services for espionage, defenders must look beyond traditional network indicators and monitor for unauthorized or anomalous use of cloud APIs like Microsoft Graph.