What if the command to steal your files wasn't coming from some dark corner of the internet — but from a perfectly legitimate Outlook inbox, routed through Microsoft's own cloud infrastructure?
On April 22, 2026, Broadcom Symantec researchers dropped a report that reads like a cyberpunk fever dream: a Linux backdoor that doesn't just hide from your firewall — it becomes your firewall's blind spot by using Microsoft's Graph API as its command-and-control channel. No suspicious outbound connections. No rogue domains. Just polite, encrypted queries to outlook.com, asking if there are any new emails in the "Zomato Pizza" folder.
Meet GoGra: The Backdoor That Orders Takeout
The malware, dubbed GoGra, is the handiwork of Harvester — a cyberespionage group believed to be state-sponsored, active since at least 2021, and known for targeting telecommunications, government, and IT organizations across South Asia. Until now, Harvester's toolkit was Windows-centric. GoGra marks their expansion into Linux environments — and it's not a clumsy port. It's a refined, cross-platform evolution.
Here's the kicker: GoGra doesn't rely on zero-days, exotic exploits, or even particularly clever social engineering. It simply abuses the trust you've already given Microsoft.
The Attack Chain: From Fake PDF to Full Compromise
The infection starts innocuously enough. Victims are tricked into executing ELF binaries disguised as PDF files. Once inside, a Go-based dropper deploys an i386 payload and establishes persistence through two mechanisms:
- A systemd service entry
- An XDG autostart entry posing as Conky — a legitimate Linux system monitor
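A defender reading the two persistence mechanisms above will want a quick way to audit them on a host. The following is an added example, not code from the Symantec report or from this article: it parses XDG autostart entries and user systemd units and flags ones that borrow a legitimate tool's name (Conky is the only name it knows, a deliberately small list) while launching a different binary, or that launch anything from a temp or hidden directory. The sample entries, the paths inside them and the "unusual location" heuristic are constructed assumptions; the real binary name and path GoGra used are not given on this page.

```python
"""Heuristic audit of user-level persistence artefacts (constructed samples).

Parses XDG autostart (.desktop) entries and systemd service units and flags:
  * an entry whose Name/Description claims a known tool but whose Exec
    launches a binary with a different basename;
  * any entry launched from /tmp, /var/tmp, /dev/shm or a hidden directory.
Nothing here is taken from a real infection; all inputs are constructed.
"""
import configparser
import os

# Locations from which a real desktop utility is not normally launched (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Tool names an entry may claim; legitimacy is judged by the launched basename.
KNOWN_TOOLS = ("conky",)


def _parse_ini(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str          # keep key case: Exec, ExecStart, Name
    cp.read_string(text)
    return cp


def _program(cmdline):
    """First token of an Exec/ExecStart line, minus systemd's -, @, +, ! prefixes."""
    parts = cmdline.strip().split()
    return parts[0].lstrip("-@+!") if parts else ""


def _unusual_location(path):
    if path.startswith(SUSPECT_DIRS):
        return True
    dirs = [p for p in path.split("/")[:-1] if p]
    # A hidden directory in the path (~/.cache/.x/...) is suspect; ~/.local/bin is normal.
    return any(d.startswith(".") and d != ".local" for d in dirs)


def _check(claimed_name, program):
    findings = []
    for tool in KNOWN_TOOLS:
        if tool in claimed_name.lower() and os.path.basename(program) != tool:
            findings.append(f"claims '{claimed_name}' but launches {program or '<nothing>'}")
    if _unusual_location(program):
        findings.append(f"launched from unusual location: {program}")
    return findings


def audit_autostart(desktop_text):
    """Findings for one XDG autostart entry (an empty list means nothing odd)."""
    sec = _parse_ini(desktop_text)["Desktop Entry"]
    return _check(sec.get("Name", ""), _program(sec.get("Exec", "")))


def audit_unit(unit_text):
    """Findings for one systemd service unit (an empty list means nothing odd)."""
    cp = _parse_ini(unit_text)
    desc = cp["Unit"].get("Description", "") if cp.has_section("Unit") else ""
    exe = _program(cp["Service"].get("ExecStart", "")) if cp.has_section("Service") else ""
    return _check(desc, exe)


# Constructed samples: one benign autostart entry, one masquerading entry, one unit.
LEGIT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Exec=/usr/bin/conky -d
"""

FAKE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Comment=System monitor
Exec=/home/user/.cache/.sysmon/update
"""

FAKE_UNIT = """[Unit]
Description=Conky system monitor

[Service]
ExecStart=/tmp/.x/conky
Restart=always

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for label, fn, text in (("legit autostart", audit_autostart, LEGIT_DESKTOP),
                            ("fake autostart", audit_autostart, FAKE_DESKTOP),
                            ("fake unit", audit_unit, FAKE_UNIT)):
        print(f"{label}: {fn(text) or 'clean'}")
```

On a live system the same functions would be fed the contents of `~/.config/autostart/*.desktop` and `~/.config/systemd/user/*.service`; the heuristics are deliberately narrow, so treat a hit as a reason to look, not as a verdict.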
From there, things get interesting.
The Ingenious C2: Outlook as Your Puppet Master
GoGra uses hardcoded Azure AD credentials to authenticate with Microsoft's cloud, obtaining OAuth2 tokens that grant it access to Outlook mailboxes via the Microsoft Graph API. The malware polls a specific mailbox folder — charmingly named "Zomato Pizza" — every two seconds using OData queries.
When it finds an email with a subject starting with "Input," it:
- Decrypts the base64-wrapped, AES-CBC-encrypted message body
- Executes the payload via /bin/bash -c
- Encrypts the results with AES
- Replies with an email subject "Output" containing the encrypted results
- Issues an HTTP DELETE to remove the original command email — wiping the evidence
Think about that for a moment. Your firewall sees traffic to graph.microsoft.com and outlook.com — both whitelisted, both trusted. Your EDR sees encrypted HTTPS. Your SIEM sees... well, someone checking their email. A lot.
Why This Is Brilliant (And Terrifying)
This technique exploits a fundamental weakness in modern security architecture: we trust cloud providers implicitly. Your firewall rules, your proxy configurations, your DLP policies — they all assume Microsoft traffic is "good." After all, your organization pays for Microsoft 365. Blocking Graph API traffic would break Teams, Outlook, SharePoint, and half your productivity stack.
GoGra weaponizes that trust. It doesn't just hide in plain sight — it hides in sight you've explicitly declared safe.
And the naming convention? "Zomato Pizza" and its Windows predecessor "Dragan Dash" (a real Hyderabad restaurant, according to Symantec) aren't just cute Easter eggs — they're operational tradecraft. Innocuous folder names that wouldn't raise eyebrows in any manual audit.
The Bigger Picture: Living Off the Trusted Land
GoGra is part of a disturbing 2026 trend: malware that "lives off the land" of trusted cloud infrastructure. We've seen supply chain attacks through npm, OAuth phishing via Microsoft device codes, and now C2 through legitimate Microsoft Graph API access.
The pattern is clear: the perimeter is dead, and attackers are moving into the cloud services we can't block.
Detection & Defense: Can You Spot a Pizza Order That Isn't?
Detecting GoGra requires shifting from "block bad traffic" to "question good traffic that behaves oddly." Here's what to watch for:
- Anomalous Graph API activity: OAuth tokens from unknown devices or unusual geolocations accessing mailboxes via Graph API
- Mailbox behavior: Automated polling at rigid intervals (every 2 seconds), especially for specific folders with unusual names
- Email patterns: Incoming messages with subjects like "Input" and outgoing replies with "Output" — especially if encrypted or base64-encoded
- Persistence artifacts: Fake systemd services or XDG autostart entries masquerading as legitimate system tools like Conky
- File execution: ELF binaries with PDF icons or extensions being launched by users
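Two of the indicators in the list above, the rigid two-second polling cadence and the "Input"/"Output" subject convention with an encrypted, base64-wrapped body, can be turned directly into detection logic. The following is an added example, not code from Symantec or from this article. It runs over constructed telemetry: the record fields (ts, app_id, user, folder, op, subject, body) are an assumed, simplified schema rather than the real Graph API activity log or mailbox audit format, and the thresholds are assumptions a team would tune to its own baseline.

```python
"""Detection over constructed mailbox-access telemetry (not real logs).

Check 1: one client reading one mail folder at a short, rigid interval.
Check 2: messages whose subject starts with "Input"/"Output" and whose body
         is base64 wrapping bytes that are not readable text.
Field names and thresholds are assumptions for this example.
"""
import base64
import binascii
import statistics
from collections import defaultdict


def polling_groups(events, max_interval=5.0, max_jitter=0.5, min_events=10):
    """Return (app_id, user, folder) keys whose GETs recur at a rigid short interval.

    Jitter is the population standard deviation of the gaps between requests:
    a person reading mail produces gaps that vary by minutes, a loop by milliseconds.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["op"] == "GET":
            by_key[(ev["app_id"], ev["user"], ev["folder"])].append(ev["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median, jitter = statistics.median(gaps), statistics.pstdev(gaps)
        if median <= max_interval and jitter <= max_jitter:
            flagged[key] = {"median_s": median, "jitter_s": jitter, "requests": len(stamps)}
    return flagged


def looks_encrypted(body):
    """True if body is a base64 blob whose decoded bytes are not readable text."""
    compact = "".join(body.split())
    if len(compact) < 16 or len(compact) % 4:
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return True                      # not valid UTF-8 at all: ciphertext-like
    printable = sum(c.isprintable() or c.isspace() for c in text)
    return printable / max(len(text), 1) < 0.9


def tasking_messages(messages):
    """Messages matching the Input/Output subject convention with ciphertext-like bodies."""
    hits = []
    for m in messages:
        subj = m["subject"].strip()
        if subj.startswith(("Input", "Output")) and looks_encrypted(m["body"]):
            hits.append(m)
    return hits


# Constructed telemetry: one unknown app polling "Zomato Pizza" every 2 s,
# one person touching the Inbox at irregular intervals.
SAMPLE_EVENTS = [
    {"ts": 1_700_000_000 + 2.0 * i, "app_id": "app-unknown-01",
     "user": "svc@corp.example", "folder": "Zomato Pizza", "op": "GET"}
    for i in range(30)
] + [
    {"ts": 1_700_000_000 + t, "app_id": "outlook-desktop",
     "user": "alice@corp.example", "folder": "Inbox", "op": "GET"}
    for t in (0, 63, 412, 470, 1_311, 1_900, 2_005, 2_610, 3_333, 3_401, 4_000)
]

# Constructed messages: a ciphertext-like blob stands in for an AES-CBC body.
CIPHERTEXT_LIKE = base64.b64encode(bytes(range(0, 256, 3)) * 2).decode()
SAMPLE_MESSAGES = [
    {"subject": "Input", "body": CIPHERTEXT_LIKE},
    {"subject": "Output", "body": CIPHERTEXT_LIKE},
    {"subject": "Input needed for Q3 budget", "body": "Hi team, can you review the attached numbers?"},
    {"subject": "Lunch?", "body": base64.b64encode(b"pizza at noon, same place as last time").decode()},
]

if __name__ == "__main__":
    for key, stats in polling_groups(SAMPLE_EVENTS).items():
        print("rigid polling:", key, stats)
    for m in tasking_messages(SAMPLE_MESSAGES):
        print("tasking-style message:", m["subject"])
```

The cadence check is the more durable of the two: a subject convention is trivial for an operator to rename, whereas a two-second poll against a single folder is a behavioural signature that survives renaming and shows up in the same Graph API logs your SIEM already ingests.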
But the real defense is architectural: assume your cloud credentials can be compromised, implement OAuth token rotation, monitor Graph API scope usage, and — most importantly — stop trusting traffic just because it goes to a ".microsoft.com" domain.
The Prank Nobody Saw Coming
There's something almost darkly comic about a nation-state backdoor named after food delivery services. "Zomato Pizza" isn't just a folder name — it's a reminder that the most sophisticated espionage operations now hide behind the mundane, the everyday, the "of course that's legitimate."
Your server isn't just running Linux anymore. It's checking Outlook. Waiting for its next order. And if you're not watching the kitchen closely, you might just find your data has been — to borrow a phrase — delivered.
Sources: Broadcom Symantec Report, BleepingComputer, Security Affairs