PamDOORa Linux Backdoor Abuses PAM Modules to Steal SSH Credentials

Summary: Researchers revealed PamDOORa, a new Linux backdoor based on PAM, sold in a Russian forum, designed to gain persistent SSH access and steal credentials from legitimate users.

Discovering “PAMDOORA,” a New Linux Backdoor that Abuses the PAM System to Conceal Itself

Cybersecurity researchers discovered a new Linux malware called “PAMDOORA,” an advanced backdoor that uses the PAM (Pluggable Authentication Modules) system to maintain persistence and hide malicious activity within compromised servers.

The malware was recently identified during forensic investigations on attacked Linux systems and is notable for its ability to integrate directly into the operating system's authentication process.

What is PAM and Why is This Attack Dangerous

PAM is a core Linux component used to manage user authentication, SSH access, permissions, and credential validation.

By compromising PAM modules, attackers can:

  • Steal credentials.
  • Maintain persistent access.
  • Hide malicious sessions.
  • Evade security tools.
  • Create secret system access.

According to researchers, PAMDOORA modifies components related to authentication to intercept credentials and allow hidden remote access to malicious operators.

How PAMDOORA Works

The malware installs malicious libraries within paths used by PAM and manipulates the normal authentication flow.

Observed capabilities include:

  • Hidden backdoor using special passwords.
  • Stealing SSH credentials.
  • Persistence across reboots.
  • Hiding processes and activity.
  • Remote communication with a command and control (C2) infrastructure.

Researchers indicated that the malware was specifically designed for Linux servers, especially those exposed to the internet.

Main Targets

PAMDOORA appears aimed at compromising:

  • Linux enterprise servers.
  • Cloud infrastructure.
  • Publicly exposed SSH servers.
  • Hosting systems.
  • Critical production equipment.

Experts warn that environments with weak SSH configurations or reused credentials have a higher risk of initial compromise.

Signs of Compromise

Administrators should review:

  • Unexpected changes in PAM files.
  • Suspicious libraries in /lib, /usr/lib, or the PAM module directories.
  • Anomalous SSH accesses.
  • Unknown users.
  • Hidden processes or strange outgoing connections.
  • Modified files in /etc/pam.d/.

They also recommend validating integrity using tools such as:

  • rpm -V
  • debsums
  • AIDE
  • auditd
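One way to act on the first and last items on that list (unexpected changes under /etc/pam.d and unknown PAM module files) and to complement rpm -V and debsums, as an added example that is not code from the article or from the researchers: this shell script records SHA-256 hashes for every file under a directory such as /etc/pam.d or the PAM module directory, reports later changes, removals and additions, and lists files under a directory that no installed package owns (rpm -V and debsums only verify files a package claims). The subcommand names, the directory and baseline paths are assumptions; the module directory is typically /usr/lib64/security on RHEL-style systems and a security/ subdirectory of the multiarch lib directory on Debian-style systems. The baseline must be taken on a known-good host and kept off that host, because a backdoor running as root can rewrite a local copy.

```shell
#!/bin/sh
# pam_integrity.sh - baseline and re-check PAM configuration and module files.
# Added example; not code from the article or the researchers. Directory,
# subcommand and baseline paths are operator choices (assumed here).
# Use absolute paths: the baseline stores them exactly as given.
#
#   pam_integrity.sh baseline /etc/pam.d /root/pam.d.sha256
#   pam_integrity.sh verify   /etc/pam.d /root/pam.d.sha256
#   pam_integrity.sh unowned  /usr/lib64/security     # RHEL-style module dir

LC_ALL=C
export LC_ALL

# pam_baseline DIR OUT
#   Record "sha256  path" for every regular file under DIR into OUT.
pam_baseline() {
    dir=$1
    out=$2
    find "$dir" -type f -exec sha256sum {} + > "$out"
}

# pam_verify DIR BASELINE
#   Print changed, missing and new files relative to BASELINE.
#   Returns 0 when nothing differs, 1 otherwise.
pam_verify() {
    dir=$1
    base=$2
    # sha256sum -c reports a modified file as "path: FAILED" and a
    # removed one as "path: FAILED open or read".
    changed=$(sha256sum -c --quiet "$base" 2>/dev/null | sed 's/^/changed or missing: /')
    # A file on disk that the baseline never listed, e.g. a module or a
    # pam.d entry dropped after the baseline was taken.
    added=$(find "$dir" -type f | while IFS= read -r f; do
        cut -d' ' -f3- "$base" | grep -qxF -- "$f" || printf 'new file: %s\n' "$f"
    done)
    findings=$(printf '%s\n%s\n' "$changed" "$added" | sed '/^$/d')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# pam_unowned DIR
#   List files under DIR that no installed package claims. Package verifiers
#   such as rpm -V and debsums check owned files only; this finds the rest.
pam_unowned() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$f" >/dev/null 2>&1 || printf 'unowned: %s\n' "$f"
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qf "$f" >/dev/null 2>&1 || printf 'unowned: %s\n' "$f"
        else
            echo "no dpkg or rpm found; cannot check $f" >&2
            break
        fi
    done
}

case "${1:-}" in
    baseline) pam_baseline "$2" "$3" ;;
    verify)   pam_verify   "$2" "$3" ;;
    unowned)  pam_unowned  "$2" ;;
esac
```

Run the verify step from cron or a configuration-management check and alert on a non-zero exit; pair it with auditd watches on /etc/pam.d and the module directory so a change is recorded at the moment it happens rather than at the next scheduled run.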

Security Recommendations

To reduce risks, specialists recommend:

  • Implementing multi-factor authentication (MFA).
  • Restricting SSH access using whitelists.
  • Disabling remote root login.
  • Monitoring PAM modules regularly.
  • Using EDR tools compatible with Linux.
  • Keeping systems updated.
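The SSH-related items on that list map onto a handful of sshd_config directives. As an added example, not code from the article, this shell script audits the global section of an sshd_config file for root login, account restriction, password authentication and multi-factor settings, applying sshd's first-occurrence rule and OpenSSH's documented defaults where a directive is absent. The script name and file path are assumptions; it reads the file rather than the running daemon, so on a live host compare its output with `sshd -T`, which prints the effective configuration.

```shell
#!/bin/sh
# sshd_audit.sh - check an sshd_config against the recommendations above.
# Added example, not from the article. Reads the global section of the file
# (directives before the first Match block), honours sshd's first-occurrence
# rule, and assumes OpenSSH defaults where a directive is absent.
#
#   sshd_audit.sh /etc/ssh/sshd_config

# sshd_get FILE KEY
#   Effective value of KEY in FILE's global section (case-insensitive),
#   empty if not set. Handles the "Key value" form, not "Key=value".
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }            # per-connection overrides follow
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# sshd_audit FILE
#   Print one line per weak setting; the return code is the number of findings.
sshd_audit() {
    cfg=$1
    n=0

    # "Disabling remote root login": the default prohibit-password still
    # admits root with a key. Only "no" closes that door.
    v=$(sshd_get "$cfg" PermitRootLogin)
    if [ "${v:-prohibit-password}" != "no" ]; then
        echo "PermitRootLogin is '${v:-prohibit-password (default)}'; set it to 'no'"
        n=$((n + 1))
    fi

    # "Restricting SSH access using whitelists": without AllowUsers or
    # AllowGroups every local account is a valid SSH login name.
    if [ -z "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups; restrict which accounts may log in over SSH"
        n=$((n + 1))
    fi

    # Password logins are what stolen or reused credentials are replayed against.
    v=$(sshd_get "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-yes (default)}'; set it to 'no'"
        n=$((n + 1))
    fi

    # "Implementing MFA": AuthenticationMethods lists factors that must all
    # succeed, e.g. publickey,keyboard-interactive with an OTP module in PAM.
    v=$(sshd_get "$cfg" AuthenticationMethods)
    case "$v" in
        *,*) ;;   # two or more methods chained: a second factor is required
        *)   echo "AuthenticationMethods is '${v:-unset}'; require two factors, e.g. publickey,keyboard-interactive"
             n=$((n + 1)) ;;
    esac

    return "$n"
}

if [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```

Note that keyboard-interactive MFA is itself delivered through a PAM module, so it depends on the integrity of the same PAM stack this article describes being abused; the MFA control and the PAM integrity monitoring belong together.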

The discovery of PAMDOORA demonstrates how attackers continue to develop increasingly stealthy Linux malware focused on advanced persistence in critical infrastructures.

Original source: The Hacker News.

Key facts

  • PamDOORa is a Linux backdoor based on PAM.
  • The backdoor is designed to steal credentials and ensure persistent SSH access.
  • The exploit leverages PAM modules, which run with root privileges.
  • PamDOORa is the second backdoor to target the PAM stack after Plague.

Why it matters

This finding underscores the inherent risks of operating system modularity. Attackers can exploit legitimate functionalities, such as PAM module management, to establish persistent points of access. Organizations must review and strengthen the security of their PAM configurations to prevent credential theft.
