Plague: A Newly Discovered PAM-Based Backdoor for Linux

by janrinok from SoylentNews on (#6Z5FP)

An Anonymous Coward writes:

https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

As part of our ongoing threat hunting efforts, we identified a stealthy Linux backdoor that appears to have gone publicly unnoticed so far. We named it Plague. The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.

What caught our attention: although several variants of this backdoor have been uploaded to VirusTotal over the past year, not a single antivirus engine flags them as malicious (see screenshot). To our knowledge, there are no public reports or detection rules available for this threat, suggesting that it has quietly evaded detection across multiple environments. [...]

This malware features anti-debugging capabilities to thwart analysis and reverse engineering attempts, string obfuscation to make detection more difficult, hardcoded passwords for covert access, as well as the ability to hide session artifacts that would normally reveal the attacker's activity on infected devices.

Once loaded, it will also scrub the runtime environment of any traces of malicious activity by unsetting SSH-related environment variables and redirecting command history to /dev/null to prevent logging, eliminating audit trails and login metadata, and erasing the attacker's digital footprint from system history logs and interactive sessions.

"Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools," threat researcher Pierre-Henri Pezier said.

"The malware actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging."

While analyzing the malware, the researchers also discovered compilation artifacts indicating active development over an extended period, with samples compiled using various GCC versions across different Linux distributions.

Article continues @: https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
Article archived @: https://archive.ph/gzh9Z
Article referenced @: https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors-linux-devices-removes-ssh-session-traces/
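The checks below are an added example and not code from Nextron, the submitter, or the Plague write-up; they turn the two behaviours the story describes into defensive logic. The first parses pam.d-style service files and flags modules that are outside an assumed known-good baseline or are loaded by absolute path from a non-standard directory; the second flags a shell environment that has been scrubbed the way the article describes (HISTFILE sent to /dev/null, SSH_CONNECTION/SSH_CLIENT gone). The baseline module list, the module directories, the rogue module path and every sample input are constructed assumptions for the example, not indicators from the report.

```python
"""Defensive checks for the behaviours described above: audit a PAM service file
for unexpected modules, and flag a scrubbed session environment. Added example
with constructed input; baseline, directories and sample paths are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Assumed baseline: modules a stock sshd/password-auth stack normally references.
# On a real host, derive it from the modules shipped by the distribution's PAM packages.
KNOWN_GOOD_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_selinux.so", "pam_loginuid.so", "pam_keyinit.so", "pam_limits.so", "pam_motd.so",
    "pam_sepermit.so", "pam_systemd.so", "pam_succeed_if.so", "pam_faillock.so",
    "pam_lastlog.so", "pam_umask.so", "pam_access.so", "pam_pwquality.so",
}
# Assumed package-managed module directories; anything loaded from elsewhere is suspect.
EXPECTED_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                        "/usr/lib64/security/", "/usr/lib/x86_64-linux-gnu/security/")

# type  control  module [args]; control may be bracketed ([success=1 default=ignore])
# and a leading '-' on the type only silences "module missing" logging.
PAM_LINE = re.compile(r"^(?P<type>-?(?:auth|account|password|session))\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$")

@dataclass
class Finding:
    service: str
    line_no: int
    module: str
    severity: str
    reason: str

def parse_pam_lines(text: str) -> Iterator[Tuple[int, dict]]:
    """Yield (line number, fields) per rule; skip comments, blanks and @include."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m:
            yield n, m.groupdict()

def audit_pam_config(service: str, text: str) -> List[Finding]:
    """Flag rules whose module is unknown or lives outside the expected directories."""
    findings: List[Finding] = []
    for line_no, rule in parse_pam_lines(text):
        if rule["control"] in ("include", "substack"):
            continue  # names another service file, not a shared object
        module = rule["module"]
        # The auth stack decides whether a login succeeds, so an unknown module
        # there is the highest-risk case; elsewhere it is still worth a look.
        severity = "high" if rule["type"].lstrip("-") == "auth" else "medium"
        if "/" in module and not module.startswith(EXPECTED_MODULE_DIRS):
            findings.append(Finding(service, line_no, module, severity,
                                    "loaded by absolute path from a non-standard directory"))
        elif module.rsplit("/", 1)[-1] not in KNOWN_GOOD_MODULES:
            findings.append(Finding(service, line_no, module, severity,
                                    "module not in the known-good baseline"))
    return findings

def suspicious_session_env(environ: Dict[str, str], parent_is_sshd: bool = True) -> List[str]:
    """Reasons a session's environment looks scrubbed. On a live host, read
    /proc/<pid>/environ (NUL-separated) of a shell whose parent is sshd."""
    reasons = []
    if environ.get("HISTFILE") == "/dev/null":
        reasons.append("HISTFILE points at /dev/null, so the shell records no history")
    if parent_is_sshd and not any(k in environ for k in ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")):
        reasons.append("shell descends from sshd but carries no SSH_* variables")
    return reasons

# Constructed /etc/pam.d/sshd; the rogue path and unlisted module are placeholders, not IoCs.
SAMPLE_SSHD = """\
# constructed sample for this example
auth       required     pam_sepermit.so
auth       sufficient   /usr/local/lib/pam_example_rogue.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
-session   optional     pam_systemd.so
session    [success=1 default=ignore] pam_keyinit.so force revoke
session    optional     pam_example_unlisted.so
"""
# Constructed environments (RFC 5737 addresses); the first mimics the scrubbing described above.
SAMPLE_SCRUBBED_ENV = {"USER": "svc", "SHELL": "/bin/bash", "TERM": "xterm", "HISTFILE": "/dev/null"}
SAMPLE_NORMAL_ENV = {"USER": "svc", "HISTFILE": "/home/svc/.bash_history",
                     "SSH_CONNECTION": "192.0.2.10 50022 192.0.2.20 22", "SSH_TTY": "/dev/pts/0"}

if __name__ == "__main__":
    for f in audit_pam_config("sshd", SAMPLE_SSHD):
        print(f"[{f.severity}] {f.service}:{f.line_no} {f.module}: {f.reason}")
    for name, env in (("scrubbed", SAMPLE_SCRUBBED_ENV), ("normal", SAMPLE_NORMAL_ENV)):
        print(name, suspicious_session_env(env) or ["no indicators"])
```

Run against the constructed sample, the auditor reports the absolute-path auth module as high severity and the unlisted session module as medium, and the environment check fires twice on the scrubbed session (no HISTFILE, no SSH_* variables) and not at all on the normal one. The allowlist approach deliberately favours false positives: an unfamiliar module in the auth stack is cheap to verify against the package database (`dpkg -S` / `rpm -qf`) and expensive to miss.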
