Nextron finds previously unknown Plague backdoor in Linux

Security researchers at Nextron Research have identified a previously undocumented PAM-based backdoor while hunting for unknown threats with YARA rules. The backdoor, which they named Plague, can be installed persistently on Linux systems and gives attackers lasting SSH access without being noticed by conventional security tools.



Over the weekend, I came across the following tweet on the topic, which Nextron Research documented in the blog post Plague: A Newly Discovered PAM-Based Backdoor for Linux on August 1, 2025.

Plague Linux PAM Backdoor

The discoverers write that they came across the previously undocumented PAM-based backdoor while searching for unknown threats with YARA rules.

The abbreviation PAM stands for Pluggable Authentication Modules, an API that lets programs authenticate users through configurable modules. PAM implementations exist for AIX, HP-UX, Solaris, Linux, FreeBSD, NetBSD, macOS and DragonFly BSD. On Linux, each service (sshd, login, sudo and so on) lists the modules it uses in a file under /etc/pam.d, and every module in that chain gets a say in whether a login succeeds, which is exactly what makes a malicious module such an effective backdoor.

The backdoor, which its discoverers named Plague, is a malicious PAM (Pluggable Authentication Module) shared object that lets attackers bypass system authentication unnoticed and obtain persistent SSH access. According to Nextron, the backdoor

  • disguises itself as a common system library
  • was flagged as malicious by no antivirus engine on VirusTotal at the time of discovery
  • has been compiled into multiple variants over time
  • uses layered string obfuscation (XOR, KSA/PRGA, DRBG), anti-debugging tricks and session-hiding techniques
  • leaves no log entries and survives system updates
  • had to be unpacked with a custom decryption tool the researchers built with Unicorn and IDA

According to the discoverers, there were to their knowledge no public reports or detections of this PAM backdoor at the time of writing. The presence of multiple samples, compiled over roughly a year and in different build environments, points to active development and customization by an as yet unidentified actor.



Plague integrates deeply into the authentication stack, survives system updates and leaves almost no forensic traces. Combined with multi-layered obfuscation and manipulation of the process environment, this makes the backdoor extremely difficult to detect with conventional tools.

According to the researchers, the case underscores the importance of proactive detection through YARA-based hunting and behavioral analysis, especially for implants that operate unnoticed in the core of Linux systems. Nextron's blog post contains a detailed analysis of the backdoor and the techniques it uses.
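A practitioner's first question on a suspect host is simpler than a YARA hunt: which shared objects does the PAM stack actually load, and does an installed package account for each of them? The following script is an added example for this article, not Nextron's tooling and not code from their blog post. It walks a pam.d directory, extracts every module token (handling bracketed control fields, comments and line continuations as described in the PAM section above), resolves each token against the usual module directories, hashes the file and asks dpkg or rpm who owns it. The module directory list and the constructed sample sshd file are assumptions for illustration; the demo() function runs the whole audit offline against that sample with a fake package database.

```python
#!/usr/bin/env python3
"""Audit the PAM stack for modules no installed package accounts for.
Added example, not Nextron's tooling. A referenced module that is owned by no
package, or that is missing, deserves a closer look."""
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumption: where Linux-PAM looks up relative module names on common distros.
MODULE_DIRS = [
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
]

# Constructed sample of a pam.d service file (not taken from any real host).
SAMPLE_SSHD = """\
# PAM configuration for sshd
auth      required     pam_env.so
auth      [success=1 default=ignore] pam_unix.so nullok
auth      requisite    pam_deny.so
@include common-account
session   optional     pam_motd.so motd=/run/motd.dynamic \\
              noupdate
-session  optional     pam_systemd.so
"""

# type  control-or-[bracketed control]  module-path  [args...]
_RULE = re.compile(r"^-?\w+\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pam_config(text):
    """Return the module tokens of one pam.d file, in order.
    @include lines are skipped: the included file is in the same directory."""
    joined = text.replace("\\\n", " ")        # backslash continues a rule
    modules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line or line.startswith("@include"):
            continue
        m = _RULE.match(line)
        if m:
            modules.append(m.group(1))
    return modules


def referenced_modules(pam_dir):
    """Map module token -> set of pam.d files that reference it."""
    refs = {}
    for cfg in sorted(Path(pam_dir).iterdir()):
        if cfg.is_file():
            for tok in parse_pam_config(cfg.read_text(errors="replace")):
                refs.setdefault(tok, set()).add(cfg.name)
    return refs


def resolve_module(token, module_dirs):
    """Absolute tokens are used as given; relative ones are searched in module_dirs."""
    candidates = [Path(token)] if token.startswith("/") else [Path(d) / token for d in module_dirs]
    return next((p for p in candidates if p.exists()), None)


def package_owner(path):
    """Ask dpkg or rpm which installed package owns path (None if nobody, or no tool)."""
    if shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", str(path)], capture_output=True, text=True)
        return r.stdout.strip() or None if r.returncode == 0 else None
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", str(path)], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else None
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(pam_dir, module_dirs=MODULE_DIRS, owner_lookup=package_owner):
    """One finding per referenced module, with status packaged, unowned or missing."""
    findings = []
    for token, cfgs in referenced_modules(pam_dir).items():
        path = resolve_module(token, module_dirs)
        if path is None:
            findings.append(dict(module=token, path=None, owner=None, sha256=None,
                                 files=sorted(cfgs), status="missing"))
            continue
        real = path.resolve()  # the object behind any symlink is what gets loaded
        # query both spellings: on merged-/usr systems dpkg may only know one of them
        owner = owner_lookup(path) or owner_lookup(real)
        findings.append(dict(module=token, path=str(real), owner=owner, sha256=sha256_of(real),
                             files=sorted(cfgs), status="packaged" if owner else "unowned"))
    return findings


def demo():
    """Offline run against the constructed sample with a fake package database."""
    fake_db = {"pam_env.so": "libpam-modules", "pam_unix.so": "libpam-modules",
               "pam_deny.so": "libpam-modules"}          # pam_motd.so left unowned on purpose
    with tempfile.TemporaryDirectory() as tmp:
        pam_d, moddir = Path(tmp) / "pam.d", Path(tmp) / "security"
        pam_d.mkdir(); moddir.mkdir()
        (pam_d / "sshd").write_text(SAMPLE_SSHD)
        for name in ("pam_env.so", "pam_unix.so", "pam_deny.so", "pam_motd.so"):
            (moddir / name).write_bytes(b"\x7fELF stub " + name.encode())
        # pam_systemd.so is referenced but never installed -> reported as missing
        return audit(pam_d, [str(moddir)], lambda p: fake_db.get(Path(p).name))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d"
    for f in audit(target) if Path(target).is_dir() else demo():
        print(f"{f['status']:9} {f['module']:24} {f['owner'] or '-':20} {','.join(f['files'])}")
```

Run it as root on the host under suspicion and compare the output with a known-good machine of the same build. Package ownership alone is not enough for a backdoor that masquerades as a system library: a replaced file still shows up as "packaged", so follow up on every hit with `dpkg -V <package>` or `rpm -Va`, which check the installed file against the package's recorded hash, and compare the sha256 column across hosts. The audit is static and reads only configuration and files on disk, so a module that hides its own sessions or scrubs its environment at runtime cannot hide from it; what it cannot see is a module loaded through a config location it was not pointed at (such as a single /etc/pam.conf), so pass that directory explicitly if your distribution uses one.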


