
New Linux Malware Hides in Fake PDF Files and Uses an Outlook Inbox for Command and Control


A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure for command and control: its operators deliver commands and collect results through an Outlook mailbox.

Symantec attributes the malware to Harvester, an espionage group believed to be state-backed. Because GoGra reaches the mailbox through the Microsoft Graph API, its traffic goes to legitimate Microsoft endpoints over TLS and blends in with ordinary cloud usage, which makes it hard to spot at the network perimeter.

Harvester has operated since at least 2021 and uses custom tools, including backdoors and loaders, in campaigns against telecommunications, government, and IT organizations in South Asia.

Initial Access Through Disguised Payloads

Symantec researchers analyzed samples of the Linux GoGra backdoor retrieved from VirusTotal and found that the attackers gain initial access by tricking victims into executing ELF binaries disguised as PDF files.

In a report published today, Symantec says the Linux version of GoGra carries hardcoded Azure Active Directory (now Entra ID) credentials, which it uses to authenticate to Microsoft's cloud and obtain OAuth2 tokens. With those tokens it reads and writes an Outlook mailbox through the Microsoft Graph API. One practical consequence of hardcoding the credentials is that the account and tenant the operators depend on can be extracted from the sample, which gives defenders something concrete to report and block.

In the first stage, a Go-based dropper writes an i386 payload to disk, establishes persistence through a systemd unit, and creates an XDG autostart entry that poses as Conky, a legitimate system monitor for Linux and BSD.
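A host-side check for the persistence described above, written as an added example for this article rather than taken from Symantec's analysis or from the malware: it walks XDG autostart directories and user systemd unit directories and flags entries that present themselves as Conky but launch a different program. It assumes the genuine Conky binary is /usr/bin/conky (or bare "conky" on PATH); the .desktop and .service samples, their paths and the directory tree are constructed for the demo, since the page does not give the real file names GoGra uses.

```python
"""Hunt for XDG autostart entries and user systemd units that pose as Conky.

Added example, not Symantec's analysis code or anything from the malware.
Assumptions: the genuine Conky binary is /usr/bin/conky (or bare "conky" on
PATH), and the sample .desktop/.service files below are constructed for the
demo; on a real host, point audit_tree() at ~/.config/autostart,
/etc/xdg/autostart and ~/.config/systemd/user.
"""
import configparser
import os
import shlex
import tempfile

GENUINE_CONKY = ("/usr/bin/conky", "conky")  # assumption: distro package location

# Constructed samples (not real artifacts): one legitimate entry and two impostors.
LEGIT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Exec=/usr/bin/conky --daemonize
"""
FAKE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Comment=Conky system monitor
Exec="/home/user/.local/share/.monitor/conky" --quiet
"""
FAKE_UNIT = """[Unit]
Description=Conky system monitor

[Service]
ExecStart=-/home/user/.cache/.conky/conkyd
Restart=always

[Install]
WantedBy=default.target
"""


def exec_program(value):
    """First word of an Exec=/ExecStart= value, unquoted, minus systemd's -@+!: prefixes."""
    parts = shlex.split(value)
    return parts[0].lstrip("-@+!:") if parts else ""


def classify(path, label, program):
    """Return a finding when the entry claims to be Conky but launches something else."""
    claims_conky = "conky" in f"{label} {os.path.basename(path)}".lower()
    if not claims_conky or program in GENUINE_CONKY:
        return None
    return f"{path}: presents as Conky ({label!r}) but launches {program!r}"


def _read(path):
    # strict=False tolerates the duplicate keys that .desktop files and units may carry
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    return cp


def audit_desktop(path):
    cp = _read(path)
    if "Desktop Entry" not in cp:
        return None
    entry = cp["Desktop Entry"]
    return classify(path, entry.get("Name", ""), exec_program(entry.get("Exec", "")))


def audit_unit(path):
    cp = _read(path)
    label = cp.get("Unit", "Description", fallback="")
    program = exec_program(cp.get("Service", "ExecStart", fallback=""))
    return classify(path, label, program)


def audit_tree(autostart_dirs, unit_dirs):
    """Walk the given directories and collect findings for impostor entries."""
    findings = []
    for dirs, suffix, fn in ((autostart_dirs, ".desktop", audit_desktop),
                             (unit_dirs, ".service", audit_unit)):
        for d in dirs:
            if not os.path.isdir(d):
                continue
            for name in sorted(os.listdir(d)):
                if name.endswith(suffix):
                    finding = fn(os.path.join(d, name))
                    if finding:
                        findings.append(finding)
    return findings


def demo():
    """Write the constructed samples into a temp tree and audit it; returns the findings."""
    root = tempfile.mkdtemp(prefix="conky-audit-")
    sys_autostart = os.path.join(root, "etc", "xdg", "autostart")
    user_autostart = os.path.join(root, "home", "user", ".config", "autostart")
    user_units = os.path.join(root, "home", "user", ".config", "systemd", "user")
    for d in (sys_autostart, user_autostart, user_units):
        os.makedirs(d)
    for d, name, body in ((sys_autostart, "conky.desktop", LEGIT_DESKTOP),
                          (user_autostart, "conky.desktop", FAKE_DESKTOP),
                          (user_units, "conky.service", FAKE_UNIT)):
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    return audit_tree([sys_autostart, user_autostart], [user_units])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check keys on the mismatch between what an entry claims to be and what it runs, so it also catches impostors that borrow Conky's name but live under a dotfile directory in the user's home; a legitimate entry that starts /usr/bin/conky with arguments passes.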

Command-and-Control via Outlook Inbox

According to the researchers, the malware polls a mailbox folder named "Zomato Pizza" every two seconds, using an OData query to select incoming messages whose subject begins with "Input".

It then base64-decodes and AES-CBC-decrypts the body of each matching message and executes the resulting command locally.

The command output is AES-encrypted and returned to the operator as a reply email with the subject "Output".

To reduce forensic visibility, the malware then issues an HTTP DELETE request to remove the original command email after processing it. On the victim network the only observable is HTTPS traffic to graph.microsoft.com and login.microsoftonline.com, so detection has to rely on host artifacts, or on proxy logs where TLS inspection exposes the request methods and URLs.
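A network-side check for the polling pattern described above, as an added detection example for this article rather than published logic from Symantec or anyone else. The Graph endpoint shapes it matches on (/me/mailFolders, /messages, /reply, $filter=startswith(subject,...)) are real Graph API conventions; the log format ("timestamp client method url status", as a TLS-inspecting proxy might record it), the client IPs, the mailbox and message IDs, and the thresholds are constructed assumptions for the demo. It scores a client on how regularly it lists subject-filtered messages, then reports the folder lookup, replies, deletes and token requests as supporting context.

```python
"""Flag hosts whose Microsoft Graph traffic looks like GoGra's mailbox polling.

Added detection example, not Symantec's or anyone else's published logic.
The Graph endpoint shapes (/me/mailFolders, /messages, /reply, $filter=startswith)
are real Graph API conventions; the log format ("timestamp client method url status",
as a TLS-inspecting proxy might record it), the IPs, the mailbox IDs and the
thresholds are constructed assumptions for the demo.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2026-01-14T09:00:00 10.0.5.23 POST https://login.microsoftonline.com/contoso.example/oauth2/v2.0/token 200
2026-01-14T09:00:01 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders?$filter=displayName%20eq%20'Zomato%20Pizza' 200
2026-01-14T09:00:03 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkF1/messages?$filter=startswith(subject,'Input') 200
2026-01-14T09:00:05 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkF1/messages?$filter=startswith(subject,'Input') 200
2026-01-14T09:00:07 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkF1/messages?$filter=startswith(subject,'Input') 200
2026-01-14T09:00:07 10.0.5.23 POST https://graph.microsoft.com/v1.0/me/messages/AAMkM7/reply 202
2026-01-14T09:00:08 10.0.5.23 DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkM7 204
2026-01-14T09:00:09 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkF1/messages?$filter=startswith(subject,'Input') 200
2026-01-14T09:00:11 10.0.5.23 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMkF1/messages?$filter=startswith(subject,'Input') 200
2026-01-14T09:02:10 10.0.5.40 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25 200
2026-01-14T09:07:31 10.0.5.40 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25 200
2026-01-14T09:12:55 10.0.5.40 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25 200
"""


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.netloc, "path": u.path, "query": unquote(u.query), "status": status}


def analyze(log_text, max_median_gap=5.0, min_polls=3):
    """Return {client: summary} for clients whose Graph usage resembles the GoGra channel.

    A hit needs at least min_polls subject-filtered message listings with a median
    inter-poll gap of max_median_gap seconds or less (GoGra polls every two seconds);
    folder lookups, replies, deletes and token requests are reported as supporting context.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    hits = {}
    for client, recs in by_client.items():
        graph = [r for r in recs if r["host"] == "graph.microsoft.com"]
        polls = [r for r in graph if r["method"] == "GET" and r["path"].endswith("/messages")
                 and "startswith(subject" in r["query"]]
        if len(polls) < min_polls:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(polls, polls[1:])]
        median_gap = statistics.median(gaps)
        if median_gap > max_median_gap:
            continue
        hits[client] = {
            "polls": len(polls),
            "median_gap_s": median_gap,
            # Campaign-specific folder name from the Symantec report; treat as a weak indicator.
            "named_folder_lookup": any("Zomato Pizza" in r["query"] for r in graph),
            "replies": sum(r["method"] == "POST" and r["path"].endswith("/reply") for r in graph),
            "deletes": sum(r["method"] == "DELETE" and "/messages/" in r["path"] for r in graph),
            "token_requests": sum(r["host"] == "login.microsoftonline.com"
                                  and r["path"].endswith("/token") for r in recs),
        }
    return hits


if __name__ == "__main__":
    for client, summary in analyze(SAMPLE_LOG).items():
        print(client, summary)
```

The regularity of the subject-filtered listing is the primary signal because it survives a change of folder name or subject prefix; the second client in the sample, a mail client refreshing its inbox every few minutes without a subject filter, is not reported.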

Code Similarities and Attribution

Symantec notes that the Linux variant shares a nearly identical codebase with the Windows version of GoGra, down to the same typos in strings and function names and the same AES key.

That strongly suggests one developer wrote both, which points to the Harvester threat group.

Symantec reads the emergence of a Linux GoGra variant as a sign that Harvester is expanding its toolset and targeting scope to reach a broader range of systems.

Source: BleepingComputer
