Linux GoGra backdoor hides commands in Outlook mailboxes using Microsoft Graph


A newly reported Linux version of the GoGra backdoor uses Microsoft Outlook mailboxes as its command channel, helping attackers blend malicious traffic into normal cloud activity. Symantec says the malware communicates through Microsoft Graph API and polls a real Outlook mailbox folder for instructions, which makes network detection much harder if defenders mostly look for suspicious direct C2 traffic.

Symantec links the malware to Harvester, an espionage-focused threat group active since at least 2021. The company says the Linux variant expands a previously known Windows campaign and points to strong code overlap between the two versions.

The campaign appears aimed at espionage, not quick monetization. Symantec’s reporting, echoed by follow-up coverage, says the group has historically targeted telecommunications, government, and IT organizations in South Asia, with the latest samples tied to submissions from India and Afghanistan.

How the infection starts

According to Symantec’s analysis, initial access begins with social engineering. Victims receive files that look like PDF documents, but the files are actually Linux ELF binaries disguised with document-style names.

Once opened, the dropper writes an i386 payload to ~/.config/systemd/user/userservice and then sets up persistence. Symantec says the malware creates both a systemd user unit and an XDG autostart entry, disguising itself as the legitimate Conky system monitor.

That matters because Linux malware often gets less public attention than Windows threats, even in mixed enterprise environments. A backdoor that survives reboots and imitates a normal user-space tool can stay in place long enough for espionage operators to move quietly. This last point is an inference based on the persistence methods Symantec described.

Why the Outlook mailbox trick matters

The most important technical detail is the use of Microsoft Graph for mailbox access. Microsoft’s own documentation says Graph can access a user’s Outlook mail data, mail folders, and messages with the right permissions, which makes it a powerful legitimate platform and, in the wrong hands, a useful place to hide malicious traffic.

Symantec says the backdoor contains hardcoded Azure AD credentials in plain text, including a tenant ID, client ID, and client secret. With those, the malware requests OAuth2 tokens and begins interacting with an Outlook mailbox folder named “Zomato Pizza.”

The implant reportedly checks that folder every two seconds for emails whose subject starts with “Input.” It base64-decodes and AES-CBC-decrypts the message content, runs the resulting command locally through /bin/bash, and then replies with the output in a message whose subject starts with “Output.”

How the malware covers its tracks

After executing a command, the malware tries to remove the original email. Symantec says it issues an HTTP DELETE request through Microsoft Graph to wipe the instruction message after processing it.

Microsoft’s documentation confirms that Graph supports deleting messages through the mail API, and that apps with Mail.ReadWrite permissions can delete messages from a mailbox. Microsoft also documents a permanent delete action for messages, showing how mailbox content can be removed through legitimate API operations once an app has sufficient access.

This is what makes the technique so useful for stealth. The malware does not need a custom domain or noisy beaconing pattern if it can hide inside trusted Microsoft cloud traffic and erase parts of its own command trail afterward. That final sentence is an inference based on Symantec’s reported workflow and Microsoft’s Graph mail capabilities.

What defenders should look for

Organizations with Linux systems should review ~/.config/systemd/user/ and XDG autostart entries for unfamiliar services, especially anything pretending to be Conky or another common desktop utility. Symantec specifically highlighted those persistence locations in this campaign.

Security teams should also watch for OAuth2 token requests and Microsoft Graph mailbox activity from Linux endpoints that do not normally interact with Outlook mail APIs. That hunting advice follows directly from Symantec’s findings and Microsoft’s documentation on how Graph mail access works.

Another high-value indicator is the presence of disguised ELF binaries in user-accessible directories, especially files that look like PDFs but execute as Linux binaries. Symantec says that lure format formed the initial stage of the attack.
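A small audit script for the two persistence locations and the lure pattern described above, added here as an illustration and not taken from Symantec's report. It assumes the layout the article gives (~/.config/systemd/user/*.service and ~/.config/autostart/*.desktop under the home directory passed as the first argument, plus a download directory as the second); the heuristics it applies (an Exec target living inside the home directory, a "conky" name that does not run a binary called conky, a .pdf file that begins with the ELF magic) are my own.

```shell
#!/bin/sh
# Added audit helper for the persistence and lure indicators in the article.
# Constructed for this write-up, not Symantec's tooling. Assumes the layout the
# report gives: $1/.config/systemd/user/*.service and $1/.config/autostart/*.desktop,
# plus a directory ($2) of downloaded files to scan for ELF binaries named like PDFs.

# Report user-level units and autostart entries that run something out of the
# home directory, or that carry a "conky" name but do not run a binary called conky.
audit_user_persistence() {
  home="$1"
  for f in "$home"/.config/systemd/user/*.service "$home"/.config/autostart/*.desktop; do
    [ -f "$f" ] || continue
    cmd=$(grep -E '^(ExecStart|Exec)=' "$f" | head -n 1 | cut -d= -f2-)
    bin=${cmd%% *}                       # first token of the Exec line
    case "$bin" in
      "$home"/*) echo "SUSPECT $f: runs from home dir: $bin" ;;
    esac
    case "$f$cmd" in
      *[Cc]onky*)
        if [ "$(basename "$bin")" != conky ]; then
          echo "SUSPECT $f: conky name but runs ${bin:-<nothing>}"
        fi ;;
    esac
  done
}

# Report files with a .pdf name whose first four bytes are the ELF magic 7f 45 4c 46.
find_elf_lures() {
  for f in "$1"/*.pdf "$1"/*.PDF; do
    [ -f "$f" ] || continue
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" = 7f454c46 ]; then
      echo "ELF-LURE $f"
    fi
  done
}

# Usage when run directly: ./audit.sh "$HOME" "$HOME/Downloads"
if [ $# -eq 2 ]; then
  audit_user_persistence "$1"
  find_elf_lures "$2"
fi
```

The persistence check only reads the first Exec line of each file, so a unit that chains commands through a shell should be reviewed by hand.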

Quick facts

Item                     Details
Malware                  Linux GoGra backdoor
Threat actor             Harvester
Main abuse method        Microsoft Graph API plus Outlook mailbox communications
Reported mailbox folder  “Zomato Pizza”
Command subjects         “Input”
Response subjects        “Output”
Persistence              systemd user unit and XDG autostart
Disguise used            Conky-like service name and PDF-looking ELF lures

How to reduce risk

  • Audit Linux user-level persistence locations, especially ~/.config/systemd/user/ and XDG autostart entries. Symantec points to both as part of the infection chain.
  • Restrict or closely monitor unknown Azure AD application credentials and unexpected OAuth2 token requests from Linux machines. The malware relies on hardcoded app credentials to reach Microsoft cloud services.
  • Investigate Linux endpoints that suddenly start talking to Outlook mailbox APIs through Microsoft Graph. Microsoft documents these API paths as normal mail operations, which means defenders need behavior-based monitoring here.
  • Flag executables masquerading as document files, especially ELF binaries with fake extensions or misleading filenames. Symantec says this campaign used document-themed lures for initial access.
  • Hunt for suspicious mailbox deletions tied to app identities with Mail.ReadWrite access. Microsoft confirms Graph supports mailbox message deletion, and Symantec says the malware deletes command emails after use.
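A hunting helper for the "Linux endpoint suddenly talking to Outlook through Graph" signal in the two lists above, added here and not taken from Symantec or Microsoft. It assumes a constructed proxy log format (timestamp, client IP, method, host, path) and a file listing Linux hosts that have no reason to use Outlook; the login.microsoftonline.com token endpoint and the Graph mailFolders and messages paths are Microsoft's real URL shapes, while the tenant, user and message IDs in the sample are placeholders.

```shell
#!/bin/sh
# Added hunting helper for Graph mail activity from Linux hosts.
# Constructed for this write-up, not a Symantec or Microsoft tool. Assumes a proxy
# log with whitespace-separated fields "<timestamp> <client_ip> <method> <host> <path>"
# and a file listing, one per line, the IPs of Linux hosts that never use Outlook.

# Print a tagged line for each request from a listed Linux host that asks
# login.microsoftonline.com for an OAuth2 token or touches Graph mail endpoints.
# A DELETE on a single message is tagged MAIL-DELETE, matching the cleanup step.
hunt_graph_mail_from_linux() {
  linux_hosts="$1"; proxy_log="$2"
  awk -v hosts_file="$linux_hosts" '
    BEGIN { while ((getline h < hosts_file) > 0) linux[h] = 1 }
    ($2 in linux) {
      method = $3; host = $4; path = $5; tag = ""
      if (host == "login.microsoftonline.com" && path ~ "/oauth2/v2[.]0/token$")
        tag = "TOKEN"
      else if (host == "graph.microsoft.com" && path ~ "/(mailFolders|messages)(/|$)")
        tag = (method == "DELETE" && path ~ "/messages/[^/]+$") ? "MAIL-DELETE" : "MAIL"
      if (tag != "") print tag, $2, method, host path
    }' "$proxy_log"
}

# Usage when run directly: ./hunt.sh linux_hosts.txt proxy.log
if [ $# -eq 2 ]; then
  hunt_graph_mail_from_linux "$1" "$2"
fi
```

A TOKEN line followed within seconds by MAIL and MAIL-DELETE lines from the same Linux host is the sequence the article describes and is worth an immediate look at the app identity behind the token.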

FAQ

What is Linux GoGra?

It is a Linux variant of the GoGra backdoor that Symantec says Harvester now uses in espionage operations. It relies on Microsoft Graph and Outlook mailbox data for covert command exchange.

Why does using Outlook make the malware harder to detect?

Because the traffic blends into legitimate Microsoft cloud activity. Instead of reaching out to a clearly malicious server, the malware uses Graph API operations that many organizations already trust. This explanation combines Symantec’s findings with Microsoft’s description of Graph mail access.

How does the malware stay persistent on Linux?

Symantec says it creates a systemd user unit and an XDG autostart entry, both disguised to look like a legitimate Conky component.

Who appears to be targeted?

Symantec ties Harvester to South Asian espionage activity, and follow-up reporting says recent samples were first submitted from India and Afghanistan.
