EXECUTIVE SUMMARY
A newly identified Linux malware named GoGra has been observed leveraging the Microsoft Graph API for command-and-control (C2) communications, enabling stealthy interaction with attacker infrastructure. By abusing a legitimate cloud service, the malware blends malicious traffic with normal enterprise activity, making detection significantly more challenging.
The malware targets Linux environments and uses API-based communication channels to evade traditional network security controls. This campaign highlights a growing trend where threat actors leverage trusted cloud platforms for covert operations and persistence.
- Active Region: Global
- Affected Sector: Enterprises, Cloud Environments, Linux Infrastructure
- Affected Product: Linux OS, Microsoft Graph API Ecosystem, Cloud-Integrated Linux Environments
- Severity: High
- Published Date: April 22, 2026
TECHNICAL DETAILS
- Command-and-Control (C2): The malware communicates with attacker infrastructure via the Microsoft Graph API, enabling encrypted and legitimate-looking traffic that bypasses traditional detection mechanisms.
- Execution Mechanism: Once deployed, GoGra executes payloads and commands received through API responses, allowing attackers to control compromised systems remotely.
- Persistence Technique: The malware establishes persistence through scheduled tasks, startup scripts, or modification of system services to ensure continued……
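One detection approach the technical details above suggest, added here as an example and not taken from the advisory or from GoGra itself: if an egress proxy or host agent records which Linux process made each outbound HTTPS request, Graph API traffic can be grouped per host and process, processes not expected to use Graph can be flagged, and groups whose request timing is unusually regular can be marked as candidates for automated polling. The log format, hostnames, process names and allowlist below are constructed assumptions, not indicators from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Microsoft endpoints whose traffic we want attributed to a process (real FQDNs).
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Processes this fleet legitimately expects to call Graph (hypothetical allowlist).
EXPECTED_PROCESSES = {"onedrive-sync", "teams"}

# Constructed egress log lines in a made-up format; values are illustrative only,
# not indicators from the advisory. Assumes an egress proxy or host agent that
# records the originating process alongside each outbound HTTPS request.
SAMPLE_LOGS = """\
2026-04-22T10:00:00Z host=web01 proc=unknown-bin dst=graph.microsoft.com path=/v1.0/me/drive/root/children
2026-04-22T10:00:05Z host=build02 proc=teams dst=graph.microsoft.com path=/v1.0/me/presence
2026-04-22T10:00:30Z host=web01 proc=curl dst=api.github.com path=/repos
2026-04-22T10:01:00Z host=web01 proc=unknown-bin dst=graph.microsoft.com path=/v1.0/me/drive/root/children
2026-04-22T10:02:00Z host=web01 proc=unknown-bin dst=graph.microsoft.com path=/v1.0/me/drive/root/children
2026-04-22T10:03:00Z host=web01 proc=unknown-bin dst=graph.microsoft.com path=/v1.0/me/drive/root/children
2026-04-22T10:07:41Z host=build02 proc=teams dst=graph.microsoft.com path=/v1.0/me/chats
2026-04-22T10:09:02Z host=build02 proc=teams dst=graph.microsoft.com path=/v1.0/me/presence
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return rec


def analyze(log_text, max_jitter_ratio=0.1):
    """Group Graph API requests by (host, process) and score each group.

    A group is 'beacon_like' when it has at least three requests whose
    inter-request intervals vary by less than max_jitter_ratio of the mean;
    it is 'suspicious' when the process is not on the expected list.
    Non-Graph destinations are ignored entirely.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in GRAPH_HOSTS:
            groups[(rec["host"], rec["proc"])].append(rec["ts"])

    findings = []
    for (host, proc), times in groups.items():
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon_like = False
        mean_interval = None
        if len(intervals) >= 2:  # need several gaps before calling the timing regular
            mean_interval = mean(intervals)
            beacon_like = mean_interval > 0 and pstdev(intervals) / mean_interval < max_jitter_ratio
        findings.append({
            "host": host,
            "proc": proc,
            "events": len(times),
            "mean_interval_s": mean_interval,
            "beacon_like": beacon_like,
            "suspicious": proc not in EXPECTED_PROCESSES,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample, the unknown process on web01 is reported as both unexpected and beacon-like (four requests exactly 60 seconds apart), while the allowlisted client on build02 is reported but not flagged, and the GitHub request never enters the analysis. The jitter threshold and allowlist are tuning knobs; a real deployment would source the allowlist from the fleet's known Graph-integrated software rather than hardcode it.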