New Linux Backdoor Targets Healthcare Networks Using Microsoft Graph API for Stealthy Data Exfiltration

By MRAdmin

Attack Mechanism

A Linux backdoor named GoGra is targeting healthcare organizations in South Asia, abusing the Microsoft Graph API to exfiltrate patient data while evading detection. Hospital IT teams should review cloud API and sign-in logs and enforce multi-factor authentication.

Healthcare Impact

A threat actor known as Harvester is actively deploying a Linux backdoor named GoGra across healthcare organizations, with a focus on hospitals and medical research facilities. The campaign uses a Go-based implant that communicates with attacker infrastructure through the legitimate Microsoft Graph API, so its command-and-control and exfiltration traffic is HTTPS to graph.microsoft.com and is indistinguishable at the network layer from normal Office 365 activity. For hospital IT teams and healthcare CISOs, this means traditional network monitoring tools and firewall rules that allow Microsoft 365 endpoints will not flag it.

GoGra authenticates to Microsoft Graph with OAuth 2.0 access tokens, which lets it read, write, and exfiltrate sensitive patient data from the email and OneDrive accounts used for clinical communications, medical imaging, and research data. The backdoor establishes persistence on compromised Linux systems (common in medical device controllers, imaging servers, and research workstations) by masquerading as a systemd service or cron job. It supports file uploads, command execution, and lateral movement to electronic health record (EHR) systems.

No specific CVEs have been publicly associated with this campaign (see https://cve.org); the intrusion relies on credential theft and social engineering rather than software vulnerabilities. For medical device security professionals, this underscores the risk posed by Linux-based devices that hold cloud credentials and can be turned against cloud APIs.

Healthcare CISOs should review Microsoft 365 sign-in and audit logs for unusual Graph API calls (unfamiliar client applications, unexpected source addresses, or mailbox and OneDrive access originating from Linux hosts), monitor for unexpected unit files in /etc/systemd/system and unexpected cron entries, use conditional access policies to restrict Graph API access to compliant or hybrid-joined devices, and enforce multi-factor authentication for all user accounts. Service principals cannot complete MFA, so for those identities the equivalent controls are certificate rather than secret credentials, least-privilege Graph permissions, restricting the networks from which they can obtain tokens, and alerting on newly added credentials or consent grants. The use of legitimate cloud APIs for command and control is a growing trend that requires behavioral detection rather than signature-based tools. Source: The Hacker News.
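The two host- and log-side checks recommended above, as an added example written for this page (it is not code from the article, from The Hacker News, or from any GoGra analysis). It scans a directory of systemd unit files for services whose ExecStart launches a binary from a writable location such as /tmp or /dev/shm, and it passes constructed proxy log lines looking for hosts that reach graph.microsoft.com without being on an expected-client list. The proxy log format, the sample unit files, the IP addresses, and the use of Go's default "Go-http-client/1.1" user agent as a heuristic for a Go-built client are all assumptions made for the example, not indicators taken from the article.

```python
"""Hunting checks for a Graph-API-abusing Linux implant. Added example for this
page, not code from the article or any GoGra analysis. Assumptions: the unit
directory is passed in, the proxy log format is constructed, and the Go default
user agent is a heuristic for Go-built clients, not an indicator from the article."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumption: legitimate services on these hosts never launch from writable dirs.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

def parse_unit(text):
    """Minimal INI-style parser for a systemd unit: {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def find_suspicious_units(unit_dir):
    """[(unit file, reason)] for units whose ExecStart runs a binary from a
    writable directory, or a binary that no longer exists on disk."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if not name.endswith(".service") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            unit = parse_unit(f.read())
        for exec_line in unit.get("Service", {}).get("ExecStart", []):
            parts = exec_line.lstrip("-@:+!").split()  # strip systemd exec prefixes
            binary = parts[0] if parts else ""
            if binary.startswith(WRITABLE_DIRS):
                findings.append((name, f"ExecStart in writable location: {binary}"))
            elif binary.startswith("/") and not os.path.exists(binary):
                findings.append((name, f"ExecStart binary missing: {binary}"))
    return findings

# Constructed proxy log format: <timestamp> <src_ip> <method> <url> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def find_graph_outliers(log_lines, expected_sources):
    """[(src_ip, reason)] for Graph API requests from hosts outside
    expected_sources, and for Graph requests carrying Go's default UA."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, src, _method, url, ua = m.groups()
        host = urlparse(url).hostname or ""
        if host != "graph.microsoft.com" and not host.endswith(".graph.microsoft.com"):
            continue
        if src not in expected_sources:
            findings.append((src, "unexpected source contacting Graph API"))
        if ua.startswith("Go-http-client/"):
            findings.append((src, f"Go default user agent on Graph request: {ua}"))
    return findings

# Constructed sample data: one benign unit, one unit launching from /dev/shm.
BENIGN_UNIT = """[Unit]
Description=Nightly imaging export (constructed, benign)
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo export'
"""
SUSPICIOUS_UNIT = """[Unit]
Description=System update helper (constructed, suspicious)
[Service]
ExecStart=/dev/shm/.x/updater --daemon
Restart=always
"""
SAMPLE_PROXY_LOG = [  # constructed; 10.20.5.17 is the one host expected to sync mail
    '2024-01-10T09:14:03Z 10.20.5.17 GET https://graph.microsoft.com/v1.0/me/messages "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-01-10T09:15:41Z 10.20.9.44 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages "Go-http-client/1.1"',
    '2024-01-10T09:15:42Z 10.20.9.44 POST https://graph.microsoft.com/v1.0/me/sendMail "Go-http-client/1.1"',
    '2024-01-10T09:16:00Z 10.20.9.44 GET https://updates.example.org/pkg "curl/8.5.0"',
]
EXPECTED_GRAPH_CLIENTS = {"10.20.5.17"}

def demo_unit_scan():
    """Write the constructed units to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for fname, body in (("imaging-export.service", BENIGN_UNIT),
                            ("update-helper.service", SUSPICIOUS_UNIT)):
            with open(os.path.join(d, fname), "w") as f:
                f.write(body)
        return find_suspicious_units(d)

if __name__ == "__main__":
    for finding in demo_unit_scan() + find_graph_outliers(SAMPLE_PROXY_LOG, EXPECTED_GRAPH_CLIENTS):
        print(*finding, sep=": ")
    # On a real host: find_suspicious_units("/etc/systemd/system")
```

On a live system, point find_suspicious_units at /etc/systemd/system and feed find_graph_outliers your own proxy or egress log lines with the expected-client set drawn from an inventory of hosts that legitimately sync mail or OneDrive. The user-agent check is deliberately a weak signal on its own: a real implant can set any user agent, so the source-address check against an allowlist is the one to alert on, and the unit-file scan should be paired with a package-ownership check for anything it reports.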

Source: https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html
