Deep Dive | high | Communications | Critical Infrastructure

Harvester APT: South Asia Espionage Expands to Linux With Graph API Command-and-Control

Executive Summary

The Harvester threat group has been conducting targeted espionage operations against government, telecommunications, and information technology entities in South Asia since at least mid-2021. In April 2026, Symantec’s Threat Hunter Team documented a significant capability expansion: a Linux version of the group’s GoGra backdoor, identified through samples uploaded to VirusTotal from India and Afghanistan. The malware routes command-and-control traffic through a hardcoded Microsoft Outlook mailbox using the Microsoft Graph API, a technique that bypasses traditional network monitoring by blending operator communications with legitimate cloud service traffic.

Harvester is assessed as nation-state backed based on the sophistication of its custom tooling, the sustained operational tempo across multiple years, and the strategic nature of its targeting — primarily government ministries, telecommunications operators, and technology firms in a geopolitically contested region. No public attribution to a specific state has been made by the analysing vendor. The group’s continued investment in platform diversity and C2 evasion indicates a well-resourced actor with no operational pressure to cease activity.


Threat Actor Profile

Harvester was first publicly documented by Symantec in November 2021, following the identification of an intrusion campaign targeting entities in Afghanistan, with additional victims in India. The initial campaigns dated back to at least June 2021 — coinciding with the final months of NATO’s presence in Afghanistan — and targeted telecommunications providers, IT companies, and government ministries. The overlapping timing with a period of heightened intelligence interest in Afghan communications infrastructure has been noted by analysts, though it does not constrain attribution.

The group is characterised by the use of both bespoke and publicly available tools. Its initial toolkit centred on a custom Windows backdoor — Backdoor.Graphon — alongside downloaders and screenshot utilities providing persistent remote access and data exfiltration capability. The Graphon name reflects its principal design feature: C2 communication routed through the Microsoft Graph API, using a legitimate Microsoft cloud service as a covert relay. This approach predates several other threat actors’ adoption of the same technique and indicates that Harvester was ahead of a broader industry shift toward cloud-service-based C2.

By August 2024, researchers identified a new custom malware family — GoGra, written in Go — used against a media organisation in South Asia. The Windows variant of GoGra retained the Outlook C2 concept from Graphon but represented a ground-up rewrite in a cross-platform language, suggesting planned expansion to non-Windows targets.

In April 2026, that expansion materialised. A Linux-native GoGra variant was identified, sharing hardcoded infrastructure and development fingerprints — including specific spelling errors — with the Windows version, confirming common authorship. The Linux variant extends Harvester’s operational reach to the server and infrastructure environments that typically run Linux-based operating systems, including email servers, web infrastructure, and telecommunications back-end systems.


Technical Mechanism: GoGra Linux Backdoor

Command-and-Control via Microsoft Graph API

The defining characteristic of GoGra — on both Windows and Linux — is its use of the Microsoft Graph API to communicate with a hardcoded Microsoft Outlook mailbox used as a covert C2 channel.

The mechanism works as follows:

  1. Authentication: The implant authenticates to the Microsoft Graph API using a hardcoded application registration (client ID, client secret, and tenant ID). The actor creates a legitimate Microsoft Entra ID (formerly Azure AD) application that is authorised to access a specific Outlook mailbox.

  2. Polling: GoGra Linux polls a specific mailbox folder — identified in reported samples as “Zomato Pizza” — every two seconds using OData queries via the Graph API. Operator commands are placed in this folder as email drafts or messages.

  3. Command execution: Retrieved content is decoded and executed on the compromised host. Output is returned to the operator by writing to another mailbox folder.

  4. Traffic profile: All C2 traffic appears as HTTPS connections to graph.microsoft.com — an endpoint that is explicitly trusted and often excluded from deep inspection by enterprise security tools, firewalls, and web proxies.

This approach exploits a fundamental tension in enterprise security: the need to trust Microsoft’s cloud infrastructure for legitimate business operations creates a blind spot that sophisticated actors have learned to exploit. Unlike traditional C2 over unknown domains or IP addresses, Graph API traffic has an inherent legitimacy that suppresses analyst suspicion and defeats domain-reputation-based blocking.

Delivery and Initial Compromise

Observed delivery mechanisms involve social engineering. Victims have been tricked into executing ELF binaries (on Linux) or PE executables (on Windows) that are presented as PDF documents, a technique relying on filename manipulation and icon spoofing. The initial execution typically installs GoGra alongside a decoy document to maintain the appearance of a legitimate file opening.

Specific initial access vectors beyond the delivery lure have not been publicly disclosed, but the targeting pattern — specific high-value organisations in defined geographies — suggests spearphishing with carefully crafted pretexts rather than opportunistic mass distribution.

Cross-Platform Consistency

Analysis by Symantec’s Threat Hunter Team identified multiple code-level indicators linking the Linux and Windows GoGra variants to a common developer, including identical hardcoded strings and matching typographical errors in internal variable names. This is significant because it indicates Harvester is not purchasing off-the-shelf implants but maintaining an in-house malware development operation capable of producing platform-consistent tooling — a capability associated with mature, well-resourced threat groups.


Targeting and Victim Sectors

Harvester’s documented targeting has been geographically and sectorally consistent across five years of activity:

Geography: Primary targeting in India and Afghanistan, with additional activity reported in the broader South Asia region. The concentration on these two countries — which share a contested border and a complex intelligence relationship — suggests a strategic intelligence collection requirement rather than opportunistic access.

Telecommunications: Mobile and fixed-line operators in South Asia have been consistent targets. Telecom infrastructure access provides persistent visibility into communications metadata and, depending on depth of compromise, content — a high-value collection priority for any state intelligence programme.

Government ministries: Defence, foreign affairs, and interior ministries have featured in documented Harvester intrusions. Access to these targets yields policy documents, personnel files, and diplomatic communications.

Technology sector: IT firms and managed service providers in the region provide supply chain access to multiple downstream government and private sector clients — a targeting rationale consistent with other documented South Asian espionage groups.

The 2026 Linux capability expansion suggests an intent to target server infrastructure beyond Windows endpoints, including Linux-based telecommunications back-end systems, mail servers, and network infrastructure that are typically less monitored by endpoint detection tools than corporate Windows environments.


Historical Incidents and Impact

2021 Afghanistan/India campaign (documented by Symantec): The initial public exposure of Harvester covered intrusions into telecommunications, IT, and government entities, with confirmed victims in Afghanistan and India. The campaign was active during the period surrounding the NATO withdrawal from Afghanistan — a period of heightened intelligence interest in Afghan government communications. Graphon implants were deployed alongside screenshot utilities and remote access tools, enabling sustained low-profile surveillance.

2024 South Asian media organisation (documented by Symantec): A media entity in South Asia was targeted with the Windows GoGra variant — the first public identification of the Go-based replacement for Graphon. The targeting of a media organisation is notable: journalists, editors, and their source networks represent intelligence collection targets for governments seeking to understand and control information flows about sensitive operations or personnel.

2026 Linux campaign (documented by Symantec): The identification of GoGra Linux samples originating from India and Afghanistan extends the pattern to a new platform. The fact that samples reached VirusTotal suggests either detection of an active intrusion or interception of the delivery mechanism before execution, but the existence of the capability indicates active operational deployment is likely or underway.


Defensive Implications

Detection priority: Microsoft Graph API anomalies

Security operations teams covering environments with Harvester exposure risk should treat Microsoft Graph API usage as a detection surface. Specific indicators include:

  • Processes making Graph API calls (https://graph.microsoft.com) that are not known Microsoft products or managed enterprise applications. On Linux, legitimate Graph API callers are limited — email clients (Evolution, Thunderbird with O365 plugins) and specific enterprise software. Unfamiliar ELF binaries initiating Graph API connections should be flagged as high-priority.
  • Polling behaviour: Legitimate users do not poll a Graph API endpoint every two seconds. Automated, high-frequency queries to graph.microsoft.com/v1.0/me/mailFolders or message endpoints are a strong indicator of C2 beaconing.
  • Authentication events in Microsoft Entra ID audit logs showing application access from unusual IP geographies or unusual user-agent strings are a secondary detection path, as the GoGra implant must authenticate to the Graph API before accessing the Outlook mailbox.
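The two-second mailbox polling described in the mechanism above leaves a measurable cadence in outbound connection telemetry, which is what the first two indicators rely on. The following Python is an added illustration, not code from Symantec's report: it runs over constructed EDR-style records (timestamp, host, process path, URL), keeps only requests to Graph mailbox endpoints, and flags any process that is not on an allowlist of known Graph callers and that queries at a sustained short interval. The record layout, the allowlist, and the sample hosts and paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Known legitimate Graph API callers on Linux hosts (assumption: tune per estate).
KNOWN_CALLERS = {"evolution", "evolution-ews", "thunderbird"}
# Graph mailbox endpoints that GoGra-style folder polling would touch.
MAILBOX_RE = re.compile(r"graph\.microsoft\.com/v1\.0/(?:me|users/[^/]+)/(?:mailFolders|messages)", re.I)

def parse_record(line):
    """One constructed EDR-style record: timestamp, host, process path, URL (tab separated)."""
    ts, host, proc, url = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), host, proc, url

def find_polling(lines, max_interval=5.0, min_hits=5):
    """Map (host, process) -> median seconds between mailbox-endpoint requests for
    processes not on the allowlist that query at least min_hits times with a median
    gap of max_interval seconds or less (covers the 2 s cadence reported for GoGra)."""
    stamps_by_proc = defaultdict(list)
    for line in lines:
        ts, host, proc, url = parse_record(line)
        if MAILBOX_RE.search(url):
            stamps_by_proc[(host, proc)].append(ts)
    findings = {}
    for key, stamps in stamps_by_proc.items():
        if key[1].rsplit("/", 1)[-1] in KNOWN_CALLERS or len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        median_gap = gaps[len(gaps) // 2]
        if median_gap <= max_interval:
            findings[key] = median_gap
    return findings

def _beacon(host, proc, start, count, gap, url):
    """Build constructed records for one process requesting url every gap seconds."""
    return ["\t".join((f"2026-04-01T09:00:{start + i * gap:02d}", host, proc, url)) for i in range(count)]

FOLDER_URL = "https://graph.microsoft.com/v1.0/me/mailFolders?$filter=displayName eq 'Zomato Pizza'"
# Constructed sample telemetry: an unknown ELF polling the folder every 2 s, an
# allowlisted mail client doing the same, and a single ad hoc query from curl.
SAMPLE_LOG = (
    _beacon("web01", "/home/analyst/Downloads/report.pdf", 0, 6, 2, FOLDER_URL)
    + _beacon("wks05", "/usr/bin/thunderbird", 0, 6, 2, FOLDER_URL)
    + _beacon("mx01", "/usr/bin/curl", 30, 1, 0, "https://graph.microsoft.com/v1.0/me/messages")
)

if __name__ == "__main__":
    for (host, proc), gap in find_polling(SAMPLE_LOG).items():
        print(f"{host}: {proc} polls Graph mailbox endpoints every ~{gap:.0f}s")
```

Only the unknown binary on web01 is reported; the allowlisted client and the one-off curl query are not.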

Microsoft Entra ID audit

Organisations should audit their Entra ID tenant for registered applications with Mail.ReadWrite or Mail.Read permissions that are not owned by known teams. Threat actors create Entra app registrations as part of infrastructure setup; identifying these registrations before or during an intrusion allows defenders to terminate C2 connectivity by revoking the application or rotating credentials.
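One way to run this audit offline, added here as an example rather than anything from the report: export the tenant's Microsoft Graph service principal (appId 00000003-0000-0000-c000-000000000000, whose appRoles list maps application-permission ids to names such as Mail.Read) together with the other service principals and their appRoleAssignments, resolve each assignment to a permission name, and flag mail permissions held by applications with no owner on a known-team list. The JSON excerpts, the placeholder role ids, and the owner allowlist are constructed; the field names follow the Graph servicePrincipal and appRoleAssignment resources.

```python
# Permission names the audit looks for (extend with others such as Mail.Send if required).
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite"}

# Constructed excerpt of the Microsoft Graph service principal in the tenant
# (GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000').
# Its appRoles map application-permission ids to names; the ids here are placeholders.
GRAPH_SP = {
    "id": "GRAPH-SP-OBJECT-ID",
    "appRoles": [
        {"id": "ROLE-MAIL-READ", "value": "Mail.Read"},
        {"id": "ROLE-MAIL-RW", "value": "Mail.ReadWrite"},
        {"id": "ROLE-USER-READ", "value": "User.Read.All"},
    ],
}

# Constructed excerpt of the tenant's service principals with appRoleAssignments
# expanded and owners (user principal names) merged in from a separate query.
TENANT_SPS = [
    {"displayName": "HR Mail Sync", "appId": "APP-1", "owners": ["platform-team@example.org"],
     "appRoleAssignments": [{"resourceId": "GRAPH-SP-OBJECT-ID", "appRoleId": "ROLE-MAIL-RW"}]},
    {"displayName": "Onboarding Helper", "appId": "APP-2", "owners": ["someone@example.org"],
     "appRoleAssignments": [{"resourceId": "GRAPH-SP-OBJECT-ID", "appRoleId": "ROLE-MAIL-READ"},
                            {"resourceId": "GRAPH-SP-OBJECT-ID", "appRoleId": "ROLE-USER-READ"}]},
    {"displayName": "Dashboard", "appId": "APP-3", "owners": [],
     "appRoleAssignments": [{"resourceId": "GRAPH-SP-OBJECT-ID", "appRoleId": "ROLE-USER-READ"}]},
    {"displayName": "Legacy Connector", "appId": "APP-4", "owners": [],
     "appRoleAssignments": [{"resourceId": "OTHER-RESOURCE", "appRoleId": "ROLE-MAIL-RW"}]},
]

KNOWN_OWNERS = {"platform-team@example.org"}  # assumption: identities allowed to own mail-reading apps

def audit_mail_permissions(graph_sp, tenant_sps, known_owners):
    """Return (displayName, appId, mail permissions, owners) for every service
    principal holding Mail.* application permissions on Microsoft Graph without a
    known owner. An appRoleId is only meaningful for assignments whose resourceId is
    the Graph service principal, so assignments against other resources are ignored."""
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    findings = []
    for sp in tenant_sps:
        granted = {
            role_names.get(a["appRoleId"], a["appRoleId"])
            for a in sp.get("appRoleAssignments", [])
            if a.get("resourceId") == graph_sp["id"]
        }
        mail = sorted(granted & MAIL_PERMISSIONS)
        owners = sp.get("owners", [])
        if mail and not (set(owners) & known_owners):
            findings.append((sp["displayName"], sp["appId"], mail, owners))
    return findings
```

Delegated grants (oauth2PermissionGrants, where the scope is a space-separated string) are a separate query and are not covered by this function.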

Linux endpoint visibility

Harvester’s expansion to Linux highlights a coverage gap in many enterprise security programmes. Linux servers in telecommunications and government environments — even those not directly facing users — require endpoint detection capability. Key monitoring requirements: process execution telemetry, network connection logging (especially outbound HTTPS), and file execution events for binaries that are not part of managed software inventories.

ELF binary delivery via social engineering

Training and technical controls should address the delivery mechanism: ELF binaries presented as PDF files. Linux environments should enforce non-executable policies on user-writeable directories (downloads, home directories) and use application control where feasible. Desktop environments should be configured to display true file extensions rather than relying on icons.
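A filename or icon can claim a document, but the file's first four bytes cannot: every ELF image begins with the magic 0x7f 'E' 'L' 'F'. The following Python is an added example, not from the report, that walks a download directory and reports files whose extension claims a document but whose content is an ELF image, along with whether the executable bit is set; it generalises slightly beyond the PDF lure in the text by checking several document extensions. The directory layout and file contents are constructed.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Extensions a lure would use to look like a document (assumption: extend per estate).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".odt"}

def is_elf(path):
    """True if the file starts with the ELF magic, whatever its name says."""
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def find_masquerading_elfs(directory):
    """Walk directory and return (relative path, is_executable) for regular files
    whose extension claims a document but whose content is an ELF image."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in DOCUMENT_EXTENSIONS or os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if is_elf(path):
                    executable = bool(os.stat(path).st_mode & 0o111)
                    findings.append((os.path.relpath(path, directory), executable))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(findings)

def build_sample_dir():
    """Create a constructed Downloads-like directory: a genuine PDF, an ELF image
    named as a PDF with the executable bit set, and a text file. Returns its path."""
    base = tempfile.mkdtemp(prefix="downloads-sample-")
    with open(os.path.join(base, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed placeholder\n")
    lure = os.path.join(base, "Quarterly Report.pdf")
    with open(lure, "wb") as fh:
        # e_ident prefix of a 64-bit little-endian ELF (class 2, data 1, version 1); truncated, not runnable
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
    os.chmod(lure, 0o755)
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("constructed sample\n")
    return base

if __name__ == "__main__":
    for rel, executable in find_masquerading_elfs(build_sample_dir()):
        print(f"ELF disguised as document: {rel} (executable: {executable})")
```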


Context: The Cloud C2 Trend

Harvester is one of several nation-state threat actors that have adopted legitimate cloud services as C2 channels to evade perimeter detection. The broader trend — sometimes termed “living off trusted services” — encompasses Microsoft Graph API (Harvester, BirdyClient, APT28 variants), OneDrive, Google Drive, Slack, Dropbox, and GitHub as C2 relays. The common thread is that these services:

  1. Are essential to business operations and cannot be blocked
  2. Carry HTTPS traffic that is trusted by web proxies
  3. Are excluded from SSL inspection by many organisations due to privacy and performance concerns
  4. Have reputation scores that suppress alert triage

Defenders should assume that any external cloud service used for business purposes is also a potential C2 channel for sophisticated threat actors. Anomaly detection on cloud service access — rather than domain-reputation-based blocking — is the appropriate response, focusing on authentication source, call frequency, and the identity of the initiating process.

Harvester’s five-year operational continuity and consistent evolution of tradecraft mark it as a persistent, patient actor unlikely to abandon South Asian espionage operations. The 2026 Linux expansion should be read as a maturation of capability, not a change in direction.