
New GoGra malware for Linux uses Microsoft Graph API for comms

Published:

22 April 2026 at 10:00:00

Alert date:

22 April 2026 at 11:01:33

Source:

bleepingcomputer.com


Operating Systems, Ransomware & Malware, Cloud & Virtualization, Email & Messaging

A new Linux variant of the GoGra backdoor has been discovered that uses legitimate Microsoft infrastructure for command-and-control communication. The malware leverages the Microsoft Graph API and relies on an Outlook inbox for stealthy payload delivery, which makes detection harder because its traffic blends in with legitimate cloud traffic. This continues a trend in malware tradecraft in which threat actors abuse trusted cloud services to evade security tooling.

Technical details

The GoGra backdoor for Linux uses hardcoded Azure Active Directory credentials to authenticate to Microsoft's cloud and obtain OAuth2 tokens, which it then uses to interact with Outlook mailboxes through the Microsoft Graph API. A Go-based dropper deploys an i386 payload and establishes persistence via a 'systemd' unit and an XDG autostart entry that pose as the Conky system monitor. Every two seconds the malware polls an Outlook mailbox folder named 'Zomato Pizza', uses OData queries to select emails whose subject line begins with 'Input', base64-decodes and AES-CBC-decrypts their contents, executes the resulting commands locally, and returns the results in reply emails with the subject 'Output'. It then removes the original command emails with HTTP DELETE requests to reduce forensic visibility.

Mitigation steps:

Monitor for unusual Outlook API access patterns, detect ELF binaries disguised as PDF files, watch for suspicious systemd and XDG autostart entries, and monitor for Microsoft Graph API authentication anomalies.
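Two of the host-side mitigation steps above (ELF binaries carrying a .pdf name, and systemd or XDG autostart entries posing as Conky) can be checked with a short script. The following is an added example written for this advisory, not code from BleepingComputer or from the GoGra analysis; the directory layout, the packaged Conky paths and every sample file it creates are constructed assumptions for the demonstration.

```python
"""Host checks for two GoGra persistence/staging indicators:
an ELF payload with a .pdf name, and an XDG autostart entry or systemd user
unit that presents itself as Conky but launches something else.
Added example; all paths and sample contents below are constructed."""
import tempfile
from configparser import ConfigParser
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Where a distribution package would normally install the real Conky binary (assumption).
PACKAGED_CONKY = {"/usr/bin/conky", "/usr/local/bin/conky", "/bin/conky"}


def is_elf_disguised_as_pdf(path: Path) -> bool:
    """A .pdf file whose first four bytes are the ELF magic is a mislabelled executable."""
    if path.suffix.lower() != ".pdf" or not path.is_file():
        return False
    with path.open("rb") as fh:
        return fh.read(4) == ELF_MAGIC


def _read_ini(path: Path, section: str) -> dict:
    """Parse a .desktop or .service file (both are INI-like) and return one section as a dict."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so 'Exec' and 'ExecStart' match as written
    try:
        cp.read(path, encoding="utf-8")
    except Exception:
        return {}
    return dict(cp[section]) if cp.has_section(section) else {}


def conky_impostor(label: str, command: str) -> bool:
    """True when an entry presents itself as Conky but does not launch the packaged binary."""
    claims_conky = "conky" in label.lower()
    parts = command.split()
    exec_path = parts[0] if parts else ""
    return claims_conky and exec_path not in PACKAGED_CONKY


def scan_persistence(home: Path) -> list:
    """Check XDG autostart entries and systemd user units under a home directory."""
    findings = []
    for entry in sorted((home / ".config" / "autostart").glob("*.desktop")):
        sec = _read_ini(entry, "Desktop Entry")
        if conky_impostor(f"{entry.name} {sec.get('Name', '')}", sec.get("Exec", "")):
            findings.append({"type": "xdg-autostart", "file": str(entry), "exec": sec.get("Exec", "")})
    for unit in sorted((home / ".config" / "systemd" / "user").glob("*.service")):
        svc = _read_ini(unit, "Service")
        desc = _read_ini(unit, "Unit").get("Description", "")
        if conky_impostor(f"{unit.name} {desc}", svc.get("ExecStart", "")):
            findings.append({"type": "systemd-user", "file": str(unit), "exec": svc.get("ExecStart", "")})
    return findings


def scan_disguised_elf(root: Path) -> list:
    """Return every .pdf under root that is really an ELF binary."""
    return sorted(p for p in root.rglob("*.pdf") if is_elf_disguised_as_pdf(p))


def build_sample_home() -> Path:
    """Construct a throwaway home directory with one benign and one suspicious item of each kind."""
    home = Path(tempfile.mkdtemp(prefix="gogra-demo-"))
    autostart = home / ".config" / "autostart"
    units = home / ".config" / "systemd" / "user"
    autostart.mkdir(parents=True)
    units.mkdir(parents=True)
    # Benign: the real Conky started from its packaged location.
    (autostart / "conky.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\nExec=/usr/bin/conky -d\n")
    # Constructed impostor: Conky branding, but Exec points into a hidden user directory.
    (autostart / "conky-monitor.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky System Monitor\n"
        "Exec=/home/user/.local/share/.cache/conky\n")
    # Constructed impostor as a systemd user unit.
    (units / "conky.service").write_text(
        "[Unit]\nDescription=Conky system monitor\n[Service]\nExecStart=/tmp/.x/conky\n")
    downloads = home / "Downloads"
    downloads.mkdir()
    (downloads / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed document body\n")
    (downloads / "invoice.pdf").write_bytes(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61)
    return home


if __name__ == "__main__":
    demo_home = build_sample_home()
    for finding in scan_persistence(demo_home):
        print("persistence:", finding)
    for pdf in scan_disguised_elf(demo_home):
        print("elf-as-pdf:", pdf)
```

Run against a real host by passing the user's home directory to `scan_persistence` and a download or mail-attachment directory to `scan_disguised_elf`; the extension check is deliberately cheap so it can be run over large trees, and the Conky check keys on the entry presenting itself as Conky while launching a binary outside the packaged locations, which is the mismatch the advisory describes.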

Affected products:

Linux
Microsoft Graph API
Outlook
Azure Active Directory
systemd
Conky system monitor

Related links:

Related CVEs:

Related threat actors:

IOCs:

Outlook mailbox folder named 'Zomato Pizza'
Email subjects beginning with 'Input'
Email subjects with 'Output'
ELF binaries disguised as PDF files
XDG autostart entry posing as Conky system monitor

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
