Perceptive Security
SOC/SIEM Consultancy

New GoGra malware for Linux uses Microsoft Graph API for comms
Published: 22 April 2026 at 10:00:00
Alert date: 22 April 2026 at 11:01:33
Source: bleepingcomputer.com
Operating Systems, Ransomware & Malware, Cloud & Virtualization, Email & Messaging
A new Linux variant of the GoGra backdoor malware has been discovered that uses legitimate Microsoft infrastructure for command and control communications. The malware leverages Microsoft Graph API and relies on an Outlook inbox for stealthy payload delivery, making detection more difficult as it blends with legitimate network traffic. This represents an evolution in malware tactics where threat actors abuse trusted cloud services to avoid detection by security tools.
Technical details
The GoGra backdoor for Linux uses hardcoded Azure Active Directory credentials to authenticate to Microsoft's cloud and obtain OAuth2 tokens, which it then uses to interact with Outlook mailboxes through the Microsoft Graph API. A Go-based dropper deploys an i386 payload and establishes persistence through a systemd unit and an XDG autostart entry that poses as the Conky system monitor. Every two seconds the malware polls an Outlook mailbox folder named 'Zomato Pizza', uses OData queries to find emails whose subject line begins with 'Input', base64-decodes and AES-CBC-decrypts their contents, executes the resulting commands locally, and returns the results in reply emails with the subject 'Output'. It then removes the original command emails with HTTP DELETE requests to reduce forensic visibility.
Mitigation steps:
Monitor for unusual Outlook API access patterns, detect ELF binaries disguised as PDF files, watch for suspicious systemd units and XDG autostart entries, and implement monitoring for Microsoft Graph API authentication anomalies.
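Two of the host-side checks above (ELF binaries disguised as PDF files, and an XDG autostart entry posing as Conky) can be scripted for a triage sweep. The following is an added example written for this alert, not code from the original article or from Perceptive; the trusted-binary directories, the sample file tree it builds and the heuristic that a Conky-named autostart entry should run a program whose basename is `conky` are assumptions, and the sample files are constructed, not real indicators. The systemd unit review mentioned above is not covered here.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"   # first four bytes of any ELF executable
PDF_MAGIC = b"%PDF"      # first four bytes of a genuine PDF

# Assumption: a legitimate Conky autostart entry runs the packaged binary
# from one of these directories (or by bare name via PATH).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/local/bin/")


def is_elf_disguised_as_pdf(path):
    """True when a file named *.pdf actually starts with the ELF magic bytes."""
    p = Path(path)
    if p.suffix.lower() != ".pdf" or not p.is_file():
        return False
    with open(p, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


def scan_for_disguised_elf(root):
    """Walk `root` and return every .pdf file that carries an ELF header."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_elf_disguised_as_pdf(full):
                hits.append(full)
    return sorted(hits)


def parse_desktop_entry(text):
    """Minimal key=value parser for a .desktop file (ignores sections and comments)."""
    entry = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#") and not line.startswith("["):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def suspicious_conky_autostart(desktop_text):
    """Flag an autostart entry that calls itself Conky but launches something else.

    Heuristic (assumption): if Name/Comment mention Conky, the Exec program's
    basename should be 'conky', and an absolute path should sit in a trusted dir.
    """
    entry = parse_desktop_entry(desktop_text)
    label = (entry.get("Name", "") + " " + entry.get("Comment", "")).lower()
    if "conky" not in label:
        return False                      # not claiming to be Conky; out of scope
    exec_cmd = entry.get("Exec", "")
    prog = exec_cmd.split()[0] if exec_cmd else ""
    if os.path.basename(prog) != "conky":
        return True                       # Conky-named entry running another program
    if "/" in prog and not prog.startswith(TRUSTED_EXEC_DIRS):
        return True                       # a 'conky' binary from an odd location
    return False


def scan_autostart(autostart_dir):
    """Return the .desktop files under `autostart_dir` that look like fake Conky entries."""
    d = Path(autostart_dir)
    if not d.is_dir():
        return []
    return [str(f) for f in sorted(d.glob("*.desktop"))
            if suspicious_conky_autostart(f.read_text(errors="replace"))]


def demo():
    """Build a constructed sample tree (not real IOCs) and run both scans over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF with .pdf name
        (root / "report.pdf").write_bytes(PDF_MAGIC + b"-1.7\n%\xe2\xe3\xcf\xd3\n")     # genuine-looking PDF
        (root / "notes.txt").write_bytes(ELF_MAGIC)                                     # ELF, but not a .pdf
        auto = root / ".config" / "autostart"
        auto.mkdir(parents=True)
        (auto / "conky.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Conky\nExec=/usr/bin/conky -d\n")
        (auto / "conky-monitor.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Conky system monitor\n"
            "Exec=/home/user/.local/share/.cache/monitor\n")
        return {
            "disguised_pdf": [os.path.basename(h) for h in scan_for_disguised_elf(root)],
            "suspicious_autostart": [os.path.basename(h) for h in scan_autostart(auto)],
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, point `scan_for_disguised_elf` at user home and download directories and `scan_autostart` at each user's `~/.config/autostart` and `/etc/xdg/autostart`; a hit is a lead for triage, not a verdict, since the basename heuristic will also flag unusual but legitimate local installs.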
Affected products:
Linux
Microsoft Graph API
Outlook
Azure Active Directory
systemd
Conky system monitor
Related links:
Related CVEs:
Related threat actors:
IOCs:
Outlook mailbox folder named 'Zomato Pizza', Email subjects beginning with 'Input', Email subjects with 'Output', ELF binaries disguised as PDF files, XDG autostart entry posing as Conky system monitor
This article was created with the assistance of AI technology by Perceptive.
