Harvester Deploys Linux GoGra Backdoor via Microsoft Graph API Targeting South Asian Entities
What Happened – The threat group Harvester is now deploying a Linux variant of its GoGra backdoor. The malware uses the Microsoft Graph API and compromised Outlook mailboxes as a covert command‑and‑control channel: commands and results travel as mailbox messages over HTTPS to Microsoft's own endpoints, so the traffic blends in with legitimate Microsoft 365 activity. Initial telemetry points to campaigns focused on organizations operating in South Asia.
Why It Matters for TPRM –
- Abuse of a trusted cloud service (Microsoft Graph) bypasses perimeter controls that allow‑list Microsoft 365 endpoints, raising the risk for any third party that relies on Microsoft 365.
- The Linux variant extends the exposure from Windows endpoints to cloud‑hosted Linux workloads and the SaaS environments that MSPs commonly operate on behalf of customers.
- Detection is difficult because the C2 traffic is TLS to a legitimate Microsoft endpoint; TPRM programs must verify that vendors monitor Graph API usage (who is calling mail endpoints, from what client, and how often) and maintain mailbox hygiene.
Who Is Affected – Cloud‑hosted service providers, MSPs, enterprises using Microsoft 365, and any downstream vendors with Linux‑based workloads in the South Asian region.
Recommended Actions –
- Review contracts for clauses requiring continuous monitoring of cloud API activity and mailbox security.
- Validate that vendors have deployed Microsoft Defender for Cloud Apps, Microsoft Graph activity logging, or equivalent detection for anomalous Graph API calls, including mail access from unexpected clients or non‑interactive sessions.
- Require evidence of least‑privilege configurations for service accounts and app registrations (no standing Mail.Read/Mail.Send permissions without a documented need) and regular review of mailbox access and Graph API audit logs.
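The monitoring asked for above can be turned into a concrete hunt. The following Python is an added example, not code from The Hacker News article or from any Microsoft product: it scans activity‑log style records for a client that polls a mailbox endpoint through Graph at a steady, beacon‑like cadence from a user agent that is not Outlook or a browser. The field names are modelled on Microsoft Graph activity logs but the records themselves, the thresholds, and the user‑agent list are constructed assumptions; tune them against your own log source.

```python
"""Hunt for beacon-like mailbox polling through the Microsoft Graph API.

Example added for illustration. Record layout is modelled on Graph activity
logs but the sample lines below are constructed, not real telemetry.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Paths a mail-based C2 channel has to touch to read or write messages.
MAIL_PATHS = ("/me/messages", "/me/mailfolders/inbox/messages",
              "/users/", "/mailfolders/inbox/messages")
# User agents we treat as expected mail clients (assumption; extend locally).
EXPECTED_AGENTS = ("Microsoft Office", "Outlook", "Mozilla/")

# Constructed sample: one Outlook desktop user with irregular access, and one
# Go HTTP client (Go's default User-Agent is "Go-http-client/1.1") reading the
# inbox every ~60 seconds with a subject filter.
SAMPLE_LOG = """
{"time":"2025-01-15T08:50:00Z","userPrincipalName":"a.user@example.test","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","userAgent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/messages?$top=25","ipAddress":"198.51.100.10"}
{"time":"2025-01-15T08:50:30Z","userPrincipalName":"a.user@example.test","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","userAgent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/messages?$top=25","ipAddress":"198.51.100.10"}
{"time":"2025-01-15T09:00:30Z","userPrincipalName":"a.user@example.test","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","userAgent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/messages?$top=25","ipAddress":"198.51.100.10"}
{"time":"2025-01-15T09:01:15Z","userPrincipalName":"a.user@example.test","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","userAgent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/messages?$top=25","ipAddress":"198.51.100.10"}
{"time":"2025-01-15T09:21:15Z","userPrincipalName":"a.user@example.test","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","userAgent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/messages?$top=25","ipAddress":"198.51.100.10"}
{"time":"2025-01-15T09:00:00Z","userPrincipalName":"svc-backup@example.test","appId":"00000000-0000-0000-0000-00000000beef","userAgent":"Go-http-client/1.1","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'","ipAddress":"203.0.113.7"}
{"time":"2025-01-15T09:01:00Z","userPrincipalName":"svc-backup@example.test","appId":"00000000-0000-0000-0000-00000000beef","userAgent":"Go-http-client/1.1","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'","ipAddress":"203.0.113.7"}
{"time":"2025-01-15T09:02:02Z","userPrincipalName":"svc-backup@example.test","appId":"00000000-0000-0000-0000-00000000beef","userAgent":"Go-http-client/1.1","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'","ipAddress":"203.0.113.7"}
{"time":"2025-01-15T09:03:01Z","userPrincipalName":"svc-backup@example.test","appId":"00000000-0000-0000-0000-00000000beef","userAgent":"Go-http-client/1.1","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'","ipAddress":"203.0.113.7"}
{"time":"2025-01-15T09:04:02Z","userPrincipalName":"svc-backup@example.test","appId":"00000000-0000-0000-0000-00000000beef","userAgent":"Go-http-client/1.1","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'","ipAddress":"203.0.113.7"}
"""


def is_mail_request(uri: str) -> bool:
    """True when the Graph request URI targets a mailbox/message resource."""
    return any(p in uri.lower() for p in MAIL_PATHS)


def find_mailbox_polling(lines, min_requests=4, max_cv=0.15):
    """Return clients that poll mail endpoints at a near-constant interval.

    Groups GET requests to mail endpoints by (user, app, user agent), then
    computes the coefficient of variation of the inter-request gaps. A low CV
    (regular cadence) from a user agent that is not an expected mail client is
    reported. Thresholds are assumptions, not vendor guidance.
    """
    series = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("requestMethod") != "GET" or not is_mail_request(rec.get("requestUri", "")):
            continue
        key = (rec["userPrincipalName"], rec["appId"], rec["userAgent"])
        series[key].append(datetime.fromisoformat(rec["time"].replace("Z", "+00:00")))

    findings = []
    for (user, app_id, agent), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        expected_client = any(agent.startswith(a) for a in EXPECTED_AGENTS)
        if cv <= max_cv and not expected_client:
            findings.append({
                "user": user,
                "appId": app_id,
                "userAgent": agent,
                "requests": len(times),
                "mean_interval_s": round(mean_gap, 1),
                "interval_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_mailbox_polling(SAMPLE_LOG.splitlines()):
        print(json.dumps(hit))
```

Run against the constructed sample, only the Go client polling the inbox every ~60 seconds is reported; the Outlook user's bursty, irregular access is not. In production, feed the function real Graph activity or Exchange mailbox audit records, and treat a hit as a lead to pivot on (the app registration's granted permissions, the token's sign‑in origin, and the subjects of the messages being filtered for) rather than as a verdict.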
Technical Notes – The GoGra payload is written in Go and compiled for Linux. It exchanges AES‑encrypted commands and results as Outlook messages that it reads and writes through the Microsoft Graph API, so on the wire the channel is ordinary HTTPS to Microsoft endpoints. No public CVE is associated; the technique abuses legitimate API endpoints and a valid mailbox token rather than a software flaw, which is why permission hygiene and API‑usage monitoring, not patching, are the controls that matter. Data exfiltrated may include credentials, internal documents, and system metadata. Source: The Hacker News