Plague PAM Backdoor Malware Targets Linux Systems with Undetectable SSH Persistence
August 6th, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring a new Linux-focused malware strain, identified as “Plague.” This malware leverages a stealthy Pluggable Authentication Module (PAM) backdoor to establish persistent SSH access and silently harvest credentials. The backdoor directly targets authentication mechanisms within Linux systems, modifying PAM components to bypass security controls and avoid detection. Plague’s modular design enables covert access to high-value Linux environments, including cloud-hosted assets and publicly exposed infrastructure, without leaving typical forensic traces. This campaign and its accompanying techniques mark a significant escalation in the abuse of authentication frameworks for persistent access.
Technical Details
Attack Type: Persistent Backdoor (Credential Theft & SSH Access).
Severity: Critical.
Technique: PAM Module Insertion, Anti-Forensic Obfuscation.
Malware Name: Plague.
Plague is designed for long-term stealth and persistence, embedding itself within Linux authentication workflows by modifying or replacing legitimate PAM modules. Once deployed, the malware intercepts login attempts to capture user credentials, which are exfiltrated to attacker-controlled infrastructure.
To maintain uninterrupted SSH access, Plague installs a covert backdoor that allows privileged logins without appearing in standard authentication logs. The malware uses multiple layers of evasion, including anti-debugging routines, binary obfuscation, and forensic interference techniques. Notably, several samples have avoided detection by antivirus solutions for over a year, highlighting the sophistication of its anti-analysis capabilities.

Impact
Plague poses a critical threat to enterprise Linux environments. Key risks include:
Stealthy Persistence: Allows remote access via SSH without triggering standard authentication logs.
Credential Compromise: Silently captures usernames and passwords during login events.
Privilege Escalation & Lateral Movement: Facilitates complete system takeover in shared or high-privilege environments.
Defense Evasion: Bypasses antivirus and EDR detection via direct PAM integration and multi-layer obfuscation.
Reconnaissance & Exfiltration: Supports long-term credential harvesting and data theft, with emphasis on cloud and critical infrastructure targets.
Given its persistence, Plague can remain undetected for extended periods, significantly increasing incident response complexity and organizational risk.
Detection Method
Detecting Plague infections involves combining file integrity monitoring, behavioral analysis, and network telemetry. Recommended approaches include:
Baseline Comparison: Verify PAM module files and configurations against trusted baselines.
Hash Verification: Use cryptographic hashes to verify module integrity.
Authentication Anomalies: Identify and analyze SSH logins that bypass PAM logging or rely on static, backdoor credentials.
EDR Visibility: Employ EDR tools capable of detecting credential interception and unauthorized PAM hooks.
Binary Analysis: Flag PAM modules with unusual compile timestamps, obfuscated strings, or packed binaries.
Outbound Communication: Monitor for suspicious network activity, particularly encrypted traffic to unrecognized external servers indicative of credential exfiltration.
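As an added illustration of the Baseline Comparison and Hash Verification checks above (example code written for this advisory, not tooling from the original report): the script hashes every module in a PAM module directory against a name-to-SHA256 baseline, flags modified, unknown and missing modules, and separately parses pam.d stack files to list any referenced module that was never baselined, which is how a rogue module added to the sshd stack would surface. The directory layout, baseline values and sshd config in demo() are constructed fixtures; on a real host the baseline would come from a golden image or the package database (rpm -V / dpkg --verify).

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_pam_modules(module_dir, baseline):
    """Compare every .so in module_dir with a name->SHA256 baseline.
    Returns (status, name) tuples: 'modified' (replaced in place),
    'unknown' (never baselined, a prime backdoor candidate), 'missing'."""
    present = {p.name: sha256_file(p) for p in sorted(Path(module_dir).glob("*.so"))}
    findings = []
    for name, digest in present.items():
        if name not in baseline:
            findings.append(("unknown", name))
        elif baseline[name] != digest:
            findings.append(("modified", name))
    findings += [("missing", n) for n in baseline if n not in present]
    return findings

# One PAM stack line: optional '-', type, control (may be bracketed), module path.
LINE_RE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+\.so)")

def modules_referenced(pam_d_dir):
    """Module file names loaded by any config under pam_d_dir (paths reduced to basenames)."""
    refs = set()
    for cfg in Path(pam_d_dir).iterdir():
        if cfg.is_file():
            for line in cfg.read_text(errors="replace").splitlines():
                m = LINE_RE.match(line)
                if m:
                    refs.add(Path(m.group(3)).name)
    return refs

def demo():
    """Constructed fixture: a good module, a tampered one, a rogue one, and an sshd
    stack file that loads the rogue module. Returns (integrity findings, unbaselined refs)."""
    with tempfile.TemporaryDirectory() as tmp:
        mods, pamd = Path(tmp, "security"), Path(tmp, "pam.d")
        mods.mkdir()
        pamd.mkdir()
        (mods / "pam_unix.so").write_bytes(b"GOOD")
        (mods / "pam_env.so").write_bytes(b"TAMPERED")
        (mods / "pam_zzz.so").write_bytes(b"ROGUE")
        (pamd / "sshd").write_text("auth [success=1 default=ignore] pam_unix.so nullok\n"
                                   "auth optional /lib/security/pam_zzz.so\n"
                                   "@include common-account\n")
        baseline = {"pam_unix.so": hashlib.sha256(b"GOOD").hexdigest(),
                    "pam_env.so": hashlib.sha256(b"ORIGINAL").hexdigest(),
                    "pam_deny.so": hashlib.sha256(b"DENY").hexdigest()}
        return check_pam_modules(mods, baseline), sorted(modules_referenced(pamd) - set(baseline))
```

Run both checks on a schedule and alert on any non-empty result; a 'modified' or 'unknown' hit on a module loaded by the sshd stack is the case the advisory describes.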
Indicators of Compromise

Recommendations
Organizations should implement the following measures to detect, contain, and prevent Plague infections:
PAM Integrity Validation: Verify all PAM module files and configurations against established baselines.
Isolation and Triage: Immediately isolate affected systems for forensic analysis upon detection.
File Monitoring: Continuously monitor PAM files for unauthorized modifications or unexpected binaries.
Credential Hardening: Enforce multi-factor authentication (MFA) for all privileged and administrative accounts.
Behavioral Detection: Deploy EDR solutions that can inspect in-memory modules and identify credential interception techniques.
Access Control: Limit SSH access by using strict allow-lists, segmentation, and restricted user roles.
Lateral Movement Mitigation: Restrict user permissions and segregate high-privilege systems to minimize post-compromise movement.
Threat Intelligence Integration: Keep up to date on emerging IOCs and tradecraft related to PAM exploitation.
Conclusion
The “Plague” Pluggable Authentication Module (PAM) backdoor campaign demonstrates how threat actors are evolving their methods to target trust in core system components. By integrating itself within the PAM authentication framework, Plague bypasses conventional security layers, allowing for the long-term compromise of Linux environments with minimal forensic evidence. We urge organizations to adopt a zero-trust approach to authentication and to system-level module integrity, especially in critical infrastructure environments. Continuous PAM integrity validation, behavioral detection, and strict access control policies are essential for identifying such threats and preventing them from gaining footholds within enterprise networks.