Linux PAM Backdoor Attacks: How Plague and PamDOORa Steal SSH Credentials

basanta sapkota
Your server’s authentication system could be compromised right now. You’d have zero idea. Two new backdoors, Plague and PamDOORa, are silently hijacking SSH access. They’re hiding in one of the most trusted parts of any Linux box: the PAM stack. What makes them so nasty? No antivirus detected them for over a year. Until researchers started digging, there were no public reports. Attackers aren’t breaking down doors anymore. They’re just replacing the locks.

The Quick Rundown

Here’s what you need to know fast. Plague is a PAM-based backdoor, discovered by Nextron Systems, that slipped past all 66 antivirus engines on VirusTotal for more than a year. PamDOORa? That’s a commercial PAM backdoor sold on Russian cybercrime forums. Price tag ranges from $900 to $1,600. It harvests credentials and cleans up forensic traces. Both target Linux’s Pluggable Authentication Modules. They bypass SSH authentication and steal login details right from legitimate users. Traditional antivirus tools are basically blind to these threats. To catch them, you need YARA rules, behavioral analysis, and proactive hunting. Hardening your PAM setups, enabling MFA for SSH, and regularly auditing your authentication modules? That’s your frontline defense.

What Even Are PAM Backdoors?

So, Pluggable Authentication Modules. They’re the backbone of Linux auth. Instead of every app having its own login code, PAM uses a modular system. You’ve got config files in /etc/pam.d/ that tell SSH, sudo, login, whatever—how to handle authentication. The real work happens in shared libraries, the pam_*.so modules loaded into privileged processes. See the problem yet? If an attacker gets root and injects a malicious PAM module, they can do whatever they want. Bypass authentication entirely with a hardcoded password. Capture credentials from every user who logs in. Erase all evidence they were ever there. Survive reboots and updates. That’s exactly what Plague and PamDOORa do. They don’t exploit bugs in the traditional sense. They abuse the trust model PAM is built on.

How Plague Actually Works

Researchers at Nextron Systems found Plague in August 2025. But the evidence says it’s been active since at least July 2024. Multiple samples hit VirusTotal over that year. Not one engine flagged them. Zero out of sixty-six detections. Let that sink in. The backdoor pretends to be a legit PAM module. Often named libselinux.so.8 to blend right in. Once loaded, it gives persistent SSH access through static passwords. Researchers pulled passwords like Mvi4Odm6tld7 and IpV57KNK32Ih from samples. What makes Plague really hard to crack? It uses three layers of string obfuscation. First, XOR encryption. Then something like RC4. Finally, a deterministic random bit generator. It’s layered like an onion. And it’s careful. The backdoor cleans up after itself. It unsets SSH_CONNECTION and SSH_CLIENT variables. Redirects command history to /dev/null. Checks its own filename against what it expects before running. If it smells a debugger or a sandbox? It just doesn’t run. Pierre-Henri Pezier from Nextron put it well: “Plague integrates deeply into the authentication stack. It survives system updates. Leaves almost no forensic traces.”

PamDOORa: The Off-the-Shelf Menace

While Plague feels like a custom job, PamDOORa is something else. It’s a commercial product. Sold on Russian cybercrime forums. Originally priced at $1,600, it’s now going for $900. Maybe demand is low. Maybe the seller’s just eager. Either way, it’s out there. PamDOORa targets x86_64 Linux systems. It offers a menu of malicious capabilities. Network-aware backdoor access through specific TCP ports and magic passwords. Credential harvesting from every user who authenticates through the compromised machine. It manipulates login logs to hide its tracks. Stores stolen credentials in XOR-encrypted files under /tmp with random filenames. One detail that really gets you: if an incident response team connects to investigate, their credentials might be stolen too. And their access silently wiped from the logs. Chilling, right?

Why Your Antivirus Doesn’t Care

Both backdoors expose a big gap in how security tools work. Antivirus scans for known signatures, suspicious behaviors, weird file patterns. PAM backdoors don’t trigger those checks. Why? They’re loaded as legitimate modules. They don’t phone home or spawn shady processes. String obfuscation beats signature scanning. Anti-debugging tricks stop sandbox analysis. Earlier Nextron research showed you can build a functional PAM implant in about 100 lines of code. Small attack surface. Deep integration. Tiny forensic footprint. 

How to Actually Find These Things

Detection means moving past traditional antivirus. Here’s what works.

YARA rules: Nextron published rules targeting Plague’s binaries. They hunt for strings like decrypt_phrase and init_phrases in small ELF files.

File integrity monitoring: Compare your PAM modules against known-good hashes. Any change to /lib/security/, /lib/x86_64-linux-gnu/security/, or /etc/pam.d/ should set off alarms.

Behavioral analysis: Tools like THOR from Nextron can spot PAM module anomalies that signature tools miss entirely.

Hardening Your Linux Boxes

Prevention beats detection. Always. Here’s how to make PAM backdoor operators miserable.

1. Lock down root access. PAM backdoors need root to install. Limit who has sudo. Audit how people escalate privileges.
2. Turn on MFA for SSH. Password-only auth is a gift to credential thieves. Use public key authentication with a second factor.
3. Audit PAM configs regularly. Compare /etc/pam.d/ files and loaded modules against a baseline. Automate it.
4. Send authentication logs elsewhere. Ship them to a SIEM attackers can’t touch. Missing logs are a massive red flag.
5. Monitor file integrity. Use tools like AIDE or Tripwire. Catch unauthorized changes to PAM modules before they load.
6. Patch your systems. PAM backdoors don’t need specific CVEs, but reducing initial access limits an attacker’s ability to deploy them.
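Putting the detection ideas and the "audit PAM configs regularly" step together: this is an added example (not code from the article, and not Nextron's YARA rules) that parses a /etc/pam.d-style directory, resolves every referenced module against the module directories, compares each file's SHA-256 to a known-good baseline, and flags ELF files carrying the decrypt_phrase and init_phrases strings named above. The directory layout, the module bytes and the baseline are constructed lab data; on a real host you would point it at /etc/pam.d and /lib/security or /lib/x86_64-linux-gnu/security with a baseline recorded from freshly installed package files.

```python
import hashlib, os, re, tempfile
from pathlib import Path

# Strings the Nextron rules hunt for in Plague samples (named in the article).
PLAGUE_STRINGS = (b"decrypt_phrase", b"init_phrases")
# "auth [success=1 default=ignore] pam_unix.so nullok" -> (type, control, module)
LINE_RE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_dir(pam_dir):
    """Return {service_file: [module, ...]} for every file in a /etc/pam.d-style directory."""
    result = {}
    for cfg in sorted(Path(pam_dir).iterdir()):
        if cfg.is_file():  # comments and @include lines never match LINE_RE
            result[cfg.name] = [m.group(3) for m in map(LINE_RE.match, cfg.read_text().splitlines())
                                if m and m.group(2) not in ("include", "substack")]
    return result

def audit(pam_dir, module_dirs, baseline):
    """baseline maps module basename -> known-good sha256. Returns sorted (severity, message) pairs."""
    findings = set()
    for cfg, mods in parse_pam_dir(pam_dir).items():
        for mod in mods:
            # Absolute paths are used as given; bare names are resolved against the module dirs.
            candidates = [mod] if mod.startswith("/") else [os.path.join(d, mod) for d in module_dirs]
            path = next((c for c in candidates if os.path.isfile(c)), None)
            if path is None:
                findings.add(("WARN", f"{cfg}: {mod} not found in module dirs"))
                continue
            data, name = Path(path).read_bytes(), os.path.basename(path)
            if name not in baseline:
                findings.add(("ALERT", f"{cfg}: {name} not in baseline"))
            elif hashlib.sha256(data).hexdigest() != baseline[name]:
                findings.add(("ALERT", f"{cfg}: {name} hash differs from baseline"))
            if data[:4] == b"\x7fELF" and any(s in data for s in PLAGUE_STRINGS):
                findings.add(("ALERT", f"{cfg}: {name} contains Plague indicator strings"))
    return sorted(findings)

def build_sample():
    """Constructed lab layout: a known-good pam_unix.so plus a rogue 'libselinux.so.8' in the sshd stack."""
    root = Path(tempfile.mkdtemp())
    pam_d, sec = root / "pam.d", root / "security"
    pam_d.mkdir(); sec.mkdir()
    good = b"\x7fELF" + b"\0" * 60 + b"pam_unix"  # stand-in bytes for the legitimate module
    (sec / "pam_unix.so").write_bytes(good)
    (sec / "libselinux.so.8").write_bytes(b"\x7fELF" + b"\0" * 60 + b"init_phrases decrypt_phrase")
    (pam_d / "sshd").write_text("# PAM for sshd\nauth required pam_unix.so\nauth optional libselinux.so.8\n@include common-account\n")
    return str(pam_d), [str(sec)], {"pam_unix.so": hashlib.sha256(good).hexdigest()}

if __name__ == "__main__":
    print(*audit(*build_sample()), sep="\n")
```

A module that is "not in baseline" is the signal to chase first: a legitimate package upgrade changes a hash, but it does not add a library named libselinux.so.8 to the sshd stack.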

The Bigger Picture

The rise of Plague and PamDOORa signals a shift. Attackers are targeting Linux infrastructure at the authentication layer. Not just applications. This gives them persistence, stealth, and access to every credential moving through the system. For anyone running Linux servers—especially internet-facing ones—the message is clear. Your authentication stack deserves the same scrutiny as your network perimeter. Maybe even more. If you’re running SSH, now’s the time. Audit your PAM configurations. Check what modules are loaded. Verify their integrity. Make sure your detection goes beyond traditional antivirus. Have you audited your PAM configs lately? Found anything weird? Drop a comment—I’d love to hear what you’re seeing out there. 
