New Linux PamDOORa Backdoor Exploits PAM Modules to Steal SSH Credentials
#Vulnerabilities


Security Reporter

Cybersecurity researchers have uncovered a Linux backdoor named PamDOORa that abuses Pluggable Authentication Modules (PAM) to establish persistent SSH access and harvest credentials. Advertised on a Russian-language cybercrime forum for $900, the post-exploitation toolkit combines a network-triggered magic-password login, capture of every legitimate user's credentials and tampering with authentication logs in a single implant.

Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that is being advertised on the Russian-language cybercrime forum Rehub for $900 by a threat actor using the handle "darkworm." The backdoor is built as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit: it grants persistent SSH access to anyone who presents a magic password over a connection on a specific TCP port and, more worryingly, it harvests the credentials of every legitimate user who authenticates through the compromised host.

"The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH," Flare.io researcher Assaf Morag said in a technical report. "Allegedly this would remain persistent on Linux systems (x86_64)."


PamDOORa follows Plague as a Linux backdoor that lives in the PAM stack. PAM is the authentication framework of Linux and other Unix-like systems: it lets administrators add, stack or swap authentication mechanisms (moving from passwords to biometrics, for example) by editing text configuration files that name pluggable modules, so applications such as sshd, login and sudo need no code changes.

Because a PAM module is a shared object loaded into the address space of the program doing the authentication, which for sshd, login and sudo runs as root, a compromised, misconfigured or malicious module inherits root, sees the password exactly as the user typed it, and can decide for itself whether the login succeeds. That is what makes the stack an attractive place for credential harvesting and unauthorized access.

"Despite its strengths, the Pluggable Authentication Module's (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext," Group-IB noted in September 2024. "The pam_exec module, which allows the execution of external commands, can be exploited by attackers to gain unauthorized access or establish persistent control by injecting malicious scripts into PAM configuration files."

The Singaporean security vendor also detailed how it's possible to manipulate PAM configuration for SSH authentication to execute a script via pam_exec, effectively allowing a bad actor to obtain a privileged shell on a host and facilitate stealthy persistence.

The latest findings from Flare.io show that PamDOORa, besides enabling credential theft, incorporates anti-forensic capabilities that methodically tamper with authentication logs to erase traces of malicious activity. There is no evidence yet that the malware has been used in real-world attacks, and deploying it requires root, since /etc/pam.d/ and the module directory are not writable otherwise; any infection chain would therefore involve the adversary first obtaining root on the host by other means and then installing the PamDOORa module to capture credentials and keep SSH access.

After an initial asking price of $1,600 on March 17, 2026, the "darkworm" persona has since cut the price to $900 as of April 9, a reduction of roughly 44%, suggesting either weak buyer interest or a wish to close a sale quickly.

"PamDOORa represents an evolution over existing open-source PAM backdoors," Morag explained. "While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories."

Detection and Prevention

For system administrators concerned about this threat, several defensive measures can be implemented:

  1. Monitor PAM Configuration Changes: Audit /etc/pam.d/ (and /etc/pam.conf where it is used) for unauthorized edits, especially new module lines in the sshd stack or in the shared stacks it includes (common-auth on Debian-derived systems, system-auth on Red Hat-derived ones), and keep an audit watch on those paths (auditctl -w /etc/pam.d -p wa -k pam). Verify the module files themselves against the package manager, for example rpm -V pam or dpkg --verify libpam-modules, because a trojanised pam_unix.so is invisible to a configuration-only review.

  2. Log Analysis: Check authentication logs for anomalies such as failed login attempts followed by a success from an unusual location, gaps, or out-of-order timestamps. Because the backdoor is reported to edit authentication logs, the local log cannot be trusted on its own: forward auth logs to a remote collector in real time (rsyslog or journald forwarding) and compare the two copies, and look for sessions that appear in another source (wtmp, a firewall or flow log) but not in auth.log.

  3. Network Monitoring: Implement network segmentation and monitoring to detect suspicious connections. The backdoor's trigger is said to depend on a specific TCP port in combination with the magic password, so alert on connections to ports that are not in the host's expected listener inventory and on inbound sessions that have no matching authentication record.

  4. File Integrity Monitoring: Use tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire to detect unauthorized changes to critical system files, including /etc/pam.d/ and the PAM module directory. Take the baseline from a known-clean build and store it off-host; an attacker who already has root can alter a locally kept database as easily as the files it protects.

  5. Principle of Least Privilege: Ensure that users and processes operate with the minimum necessary privileges to reduce the potential impact of a compromise. Here that means no direct root SSH logins, key-based authentication with password logins disabled where possible (a credential-capturing module then never sees a reusable password), and tight control over who can become root, since installing a PAM module requires it.
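A small auditor that implements the first and fourth measures above, written for this page as an added example; it is not code from Flare.io, Group-IB or the PamDOORa author. It parses pam.d syntax (including bracketed control fields and backslash continuations), flags modules that are not on an allowlist or are loaded from outside the normal module directory, points out pam_exec lines for review, and compares module files against a recorded hash baseline. The allowlist, the module directories, the sample sshd file and the throwaway module directory are all assumptions constructed for the example.

```python
"""PAM stack auditor.  Added example, not code from the Flare.io report or
from PamDOORa.  Flags modules not on a known-good list, modules loaded from
outside the module directory, pam_exec lines (legitimate, but the abuse path
Group-IB described), and module files whose SHA-256 differs from a baseline."""
import hashlib
import os
import re
import tempfile

# Assumed allowlist: a representative subset of Linux-PAM modules, not a full
# inventory.  On a real host derive it from the package manager
# (dpkg -L libpam-modules, rpm -ql pam), not from memory.
KNOWN_GOOD_MODULES = {
    "pam_access.so", "pam_deny.so", "pam_env.so", "pam_exec.so",
    "pam_faillock.so", "pam_keyinit.so", "pam_lastlog.so", "pam_limits.so",
    "pam_localuser.so", "pam_loginuid.so", "pam_mail.so", "pam_motd.so",
    "pam_nologin.so", "pam_permit.so", "pam_pwquality.so", "pam_selinux.so",
    "pam_sepermit.so", "pam_succeed_if.so", "pam_systemd.so", "pam_umask.so",
    "pam_unix.so",
}
# Assumed directories from which modules are normally loaded.
MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib64/security",
               "/usr/lib/x86_64-linux-gnu/security"}

# type  control  module-path [args]; control may be a bracketed expression.
_PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def logical_lines(text):
    """Yield (line_number, text): continuations joined, comments skipped."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def audit_pam_config(text, known_good=KNOWN_GOOD_MODULES, module_dirs=MODULE_DIRS):
    """Return [(line_number, finding, detail)] for one pam.d file."""
    findings = []
    for n, line in logical_lines(text):
        if line.startswith("@include"):
            continue                      # Debian include: audit that file too
        m = _PAM_LINE.match(line)
        if not m:
            findings.append((n, "unparseable line", line))
            continue
        if m.group("control") in ("include", "substack"):
            continue                      # names another file, not a module
        module = m.group("module")
        name = os.path.basename(module)
        if "/" in module and os.path.dirname(module) not in module_dirs:
            findings.append((n, "module outside standard directory", module))
        if name not in known_good:
            findings.append((n, "module not on allowlist", name))
        elif name == "pam_exec.so":
            findings.append((n, "pam_exec runs an external command", m.group("args") or ""))
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_module_baseline(module_dir, baseline):
    """Compare *.so files in module_dir with a baseline {name: sha256} taken
    from a known-clean state.  Returns (modified, unexpected, missing)."""
    present = {f: sha256_file(os.path.join(module_dir, f))
               for f in os.listdir(module_dir) if f.endswith(".so")}
    modified = sorted(f for f in present if f in baseline and present[f] != baseline[f])
    unexpected = sorted(f for f in present if f not in baseline)
    missing = sorted(f for f in baseline if f not in present)
    return modified, unexpected, missing


# Constructed sample resembling a Debian /etc/pam.d/sshd with three entries an
# attacker might add (lines 4, 5-6 and 8); module names and paths are made up.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
@include common-auth
auth       optional     pam_unix_ext.so
auth       [success=1 \\
            default=ignore]  /tmp/.cache/pam_helper.so
account    required     pam_nologin.so
auth       optional     pam_exec.so  /usr/local/sbin/post-auth.sh
session    required     pam_loginuid.so
-session   optional     pam_systemd.so
"""


def demo_baseline_check():
    """Throwaway module directory so the hash comparison runs offline."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pam_unix.so", "pam_deny.so"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"clean " + name.encode())
        baseline = {n: sha256_file(os.path.join(d, n)) for n in ("pam_unix.so", "pam_deny.so")}
        baseline["pam_env.so"] = "0" * 64          # recorded, now deleted
        with open(os.path.join(d, "pam_unix.so"), "ab") as f:
            f.write(b"trojanised")                  # simulated modification
        with open(os.path.join(d, "pam_helper.so"), "wb") as f:
            f.write(b"dropped")                     # simulated new module
        return verify_module_baseline(d, baseline)


if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_SSHD):
        print("line %d: %s: %s" % finding)
    print(demo_baseline_check())
```

Run it against every file in /etc/pam.d/ and follow each @include or include/substack target; the allowlist is deliberately a parameter so it can be generated from package contents rather than maintained by hand.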

Technical Analysis

A PAM module is a shared object that the authenticating program, here sshd, loads into its own process and calls through entry points such as pam_sm_authenticate. PamDOORa is deployed as such a module, either added to the sshd stack or substituted for a legitimate one, so that when a user logs in it sees the plaintext password handed over the PAM conversation before the real check runs. It records the credential and then lets the stack continue, so legitimate logins succeed as usual and nothing looks broken to the user or the administrator. The same hook is what makes the magic-password trigger possible: the module can return success on its own terms without consulting the system's real password database.

The persistence mechanism is what makes it durable. PAM configuration and module files live on disk and are consulted on every login, so the backdoor survives reboots and sshd restarts without any service, cron entry or startup script of its own, and it stays in place even if the original entry point (a stolen credential, an exploited service) is found and closed. The anti-forensic component then works against the obvious place to look: according to the report it systematically cleans authentication logs to remove the traces its own logins would leave.
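Because the implant is reported to clean authentication logs, the practical check is to compare the local log with a source it cannot edit. The following added example (not code from the report or the malware) does that with constructed auth.log and flow-log records, and it also covers the log-analysis item in the Detection and Prevention list above. The log layouts are assumptions: rsyslog's RFC 3339 file format for auth.log and an invented "src -> dst duration=" line for the flow records.

```python
"""Cross-source check for tampered authentication logs.  Added example, not
code from the Flare.io report.  Compares sshd logins in a local auth.log with
connection records from an independent source (a constructed flow log here;
an off-host syslog copy, NetFlow or a firewall log in practice) and flags
timestamps that run backwards, a common side effect of lines being deleted
or rewritten in place."""
import re
from datetime import datetime, timedelta

# Assumed layouts: rsyslog RFC 3339 file format for auth.log, and an invented
# "ts src:port -> dst:port duration=Ns" line for the flow records.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) "
    r"duration=(?P<dur>\d+)s")
TS_RE = re.compile(r"^(\S+) ")


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def out_of_order(lines):
    """Line numbers whose timestamp is earlier than the preceding line's."""
    bad, prev = [], None
    for n, line in enumerate(lines, 1):
        m = TS_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        if prev is not None and ts < prev:
            bad.append(n)
        prev = ts
    return bad


def accepted_logins(lines):
    """(timestamp, source ip, user) for every sshd 'Accepted ...' line."""
    out = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            out.append((parse_ts(m.group("ts")), m.group("ip"), m.group("user")))
    return out


def unexplained_sessions(auth_lines, flow_lines, ssh_port=22,
                         min_duration=10, window=60):
    """Flows to ssh_port that lasted at least min_duration seconds (so not a
    scanner or a failed attempt) but have no 'Accepted' line from the same
    source within `window` seconds of the flow start: either the login was
    never logged, or the line has since been removed."""
    logins = accepted_logins(auth_lines)
    orphans = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if (not m or int(m.group("dport")) != ssh_port
                or int(m.group("dur")) < min_duration):
            continue
        start, src = parse_ts(m.group("ts")), m.group("src")
        if not any(ip == src and abs(t - start) <= timedelta(seconds=window)
                   for t, ip, _ in logins):
            orphans.append((start.isoformat(), src))
    return orphans


# Constructed sample data.  Line 4 of AUTH_LOG carries a timestamp earlier
# than line 3, and the 198.51.100.7 session in FLOW_LOG has no login record.
AUTH_LOG = """\
2026-04-09T10:15:02+00:00 web1 sshd[4120]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
2026-04-09T10:15:02+00:00 web1 sshd[4120]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
2026-04-09T10:42:17+00:00 web1 sshd[4388]: Accepted password for alice from 203.0.113.5 port 40311 ssh2
2026-04-09T10:31:00+00:00 web1 sshd[4120]: pam_unix(sshd:session): session closed for user deploy
2026-04-09T11:05:44+00:00 web1 sshd[4512]: Failed password for root from 198.51.100.7 port 55010 ssh2
""".splitlines()

FLOW_LOG = """\
2026-04-09T10:15:01+00:00 192.0.2.10:51234 -> 10.0.0.5:22 duration=900s
2026-04-09T10:42:16+00:00 203.0.113.5:40311 -> 10.0.0.5:22 duration=1320s
2026-04-09T10:58:30+00:00 198.51.100.7:43980 -> 10.0.0.5:22 duration=2710s
2026-04-09T11:05:43+00:00 198.51.100.7:55010 -> 10.0.0.5:22 duration=3s
""".splitlines()


if __name__ == "__main__":
    print("out-of-order lines:", out_of_order(AUTH_LOG))
    print("sessions without a login record:", unexplained_sessions(AUTH_LOG, FLOW_LOG))
```

The duration threshold is what separates a real interactive session from the scanner noise and failed attempts that legitimately produce no "Accepted" line; tune it to the environment, and feed the function the remote copy of auth.log as well as the local one so that a line present in one and absent in the other stands out.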

Broader Implications

The emergence of PamDOORa highlights a concerning trend in Linux malware development. As defenders improve detection capabilities for traditional attack vectors, threat actors are increasingly targeting fundamental system components that are often overlooked during security assessments.

The PAM framework, while providing valuable flexibility in authentication mechanisms, is a chokepoint that every interactive login passes through, so a compromise there undermines authentication for the whole host. The attack is hard to spot because it runs inside an already trusted, root-privileged process: no new binary is executed at login time, and a backdoored login looks like an ordinary SSH session, so monitoring that keys on new processes or unfamiliar executables sees nothing. Detection has to examine the PAM configuration and module files themselves, and rely on logs kept somewhere the implant cannot edit.

As Linux systems become more prevalent in enterprise environments, securing these fundamental components becomes increasingly critical. Organizations should consider implementing layered security approaches that include both traditional endpoint protection and deeper system-level monitoring to detect sophisticated threats like PamDOORa.
