Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/Threats/New PamDOORa Linux Backdoor Steals SSH Credentials From Infected Systems
Threats

New PamDOORa Linux Backdoor Steals SSH Credentials From Infected Systems

Key Takeaways A new Linux backdoor, PamDOORa, is actively being sold on Russian cybercrime forums. The malware targets the Pluggable Authentication Module (PAM) framework to stealthily steal SSH...

Emy Elsamnoudy
Emy Elsamnoudy
May 8, 2026 4 Min Read
57 0

Key Takeaways

  • A new Linux backdoor, PamDOORa, is actively being sold on Russian cybercrime forums.
  • The malware targets the Pluggable Authentication Module (PAM) framework to stealthily steal SSH credentials.
  • PamDOORa operates as a post-exploitation tool, requiring root access for deployment, and employs sophisticated anti-forensic techniques to evade detection and erase traces.
  • Detection is challenging as the attack occurs at a low level, often missed by standard monitoring tools.
  • Defenders must implement robust system hardening, enhanced logging, and advanced rootkit detection to mitigate risks.

Linux systems face a significant new threat from PamDOORa, a recently discovered backdoor designed to surreptitiously compromise Secure Shell (SSH) credentials. This sophisticated malware targets one of the operating system’s most fundamental and trusted components: the Pluggable Authentication Module (PAM) framework.

Table Of Content

  • Key Takeaways
  • How PamDOORa Operates on Linux Systems
  • Anti-Forensics and the Challenge of Detection
  • What You Should Do
  • Indicators of Compromise (IoCs)

PamDOORa initially appeared for sale on Rehub, a prominent Russian-speaking cybercrime forum. The complete source code was first advertised at $1,600, a price that quickly dropped to $900. This sudden reduction raised concerns among researchers, suggesting either a lack of demand or a deliberate effort by the seller to offload the tool rapidly. More details on the sale can be found in a Flare blog post.

How PamDOORa Operates on Linux Systems

PamDOORa’s effectiveness stems from its method of hijacking the Pluggable Authentication Module (PAM) framework, which is integral to Linux systems for handling user authentication and identity verification. Unlike typical malware that might appear as a running process, PamDOORa injects a malicious module directly into the authentication layer. Here, it remains dormant, waiting to harvest credentials during login attempts before they are recorded in standard logs. This low-level operation makes it particularly dangerous, as most conventional monitoring tools are not configured to scrutinize this deep within the system.

Researchers from Group-IB identified the specific technique employed by this backdoor, noting its exploitation of pam_exec. This is a legitimate PAM module designed to execute external commands during authentication events. The Group-IB DFIR team highlighted that this abuse method was not previously documented within the MITRE ATT&CK framework, indicating a novel technique that many security teams might not be prepared to defend against. Further insights into PAM exploitation can be found in a Group-IB blog post.

The threat actor behind PamDOORa, operating under the moniker “darkworm” on the Rehub forum, exhibits a deep understanding of Linux internals. Analysis of code snippets shared in the advertisement reveals credible and technically sound methods consistent with known PAM exploitation tactics. This suggests that “darkworm” is a more skilled and serious operator compared to others who might reuse the same alias on less reputable forums, as detailed in Flare’s analysis.

A key concern with PamDOORa is its exceptional stealth. The backdoor is designed to manipulate and erase authentication log files, including lastlog, btmp, utmp, and wtmp, effectively removing any evidence of an attacker’s presence on the server. This anti-forensic capability means that incident response teams investigating a breach could unknowingly have their own credentials compromised the moment they SSH into the infected machine.

PamDOORa functions as a post-exploitation tool, meaning an attacker must first gain root access to the system before deploying it. Once installed, it injects a malicious PAM module that creates a file named pam_linux.so. This file is then loaded into the authentication stack alongside legitimate system modules, allowing it to blend in seamlessly rather than replacing existing files, thereby complicating detection. This mechanism is further elaborated in Flare’s report.

The backdoor establishes persistent SSH access through a combination of a specific TCP port and a secret “magic password” known only to the attacker. A specialized routine monitors open connections, applying conditional logic to identify and grant silent access to the attacker, while legitimate users experience no unusual activity. User credentials submitted during normal logins are intercepted within the PAM stack, encrypted using XOR with a runtime-generated key, and then written to the /tmp directory using randomly generated filenames and timestamps. This process is also highlighted in Flare’s findings.

Anti-Forensics and the Challenge of Detection

PamDOORa’s advanced anti-forensic capabilities distinguish it from simpler backdoors. It actively purges attacker login records from system logs, often leaving behind only failed login attempts that investigators might dismiss as benign noise. Since credential theft occurs within the PAM layer, application-level logging tools are unable to capture the compromised data, and detection methods focused on user-space processes will completely overlook the attack. This makes comprehensive incident response exceptionally difficult, as noted in Flare’s analysis.

What You Should Do

  • Treat any compromised Linux server as having fully exposed credentials, regardless of the apparent scope of the breach.
  • Enable and configure security enhancements like SELinux and AppArmor to enforce stronger process isolation.
  • Install and configure Auditd with DISA-STIG recommended rules to diligently monitor changes to critical system files and configurations.
  • Deploy rkhunter or similar tools to detect rootkits and unauthorized software installations.
  • Disable direct root login over SSH, lock the root account, and restrict sudo access to only essential, authorized users to minimize the attack surface.
  • Review and harden PAM configurations, paying close attention to /etc/pam.d/sshd for any unauthorized modifications or inclusions of unknown modules.
  • Implement robust logging and centralized log management to quickly identify anomalies, even if local logs are tampered with.

Indicators of Compromise (IoCs)

Based on information disclosed, the following indicators were identified:

Type Indicator Description
File Name pam_linux.so Malicious PAM shared object injected into the authentication stack
File Name tn.sh Script executed via pam_exec during SSH authentication attempts
Directory /tmp/ Location where captured credential files are written with dynamic names
Network Port 1234 Remote port used by netcat (nc) to exfiltrate stolen credential data
PAM Config Path /etc/pam.d/sshd SSH PAM configuration file modified to load the malicious module
PAM Module pam_exec.so Legitimate PAM module abused to execute the malicious script silently

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Skoda Online Shop Security Incident Exposes Customer Data

Next Post

New Modular RAT Steals Credentials and Captures Screenshots

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us