[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgghoeCiGFhuB8N6NsWVTCRxuAdI5Vo1t1TkzIYim20g":3},{"article":4,"iocs":40},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"267e827a-75f3-47d7-8061-99eb1b0aae91","New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials","new-linux-pamdoora-backdoor-uses-pam-modules-to-steal-ssh-credentials-aa100f","Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called \"darkworm.\" The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination.","Cybersecurity researchers have disclosed PamDOORa, a new Linux backdoor being sold on the Rehub Russian cybercrime forum for $1,600 by threat actor 'darkworm.' The PAM-based post-exploitation toolkit enables persistent SSH access via magic password and TCP port combination, while harvesting credentials from legitimate users and tampering with authentication logs to avoid detection. 
Although no real-world attacks have been confirmed, the malware represents an evolution in operator-grade PAM backdoor tooling compared to earlier proof-of-concept variants.","PamDOORa Linux backdoor discovered on Russian forum, uses PAM modules for SSH credential theft and persistence.","New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials. By Ravie Lakshmanan, May 08, 2026. Malware \u002F Threat Intelligence. Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called \"darkworm.\" The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that grants persistent SSH access when a magic password is presented in combination with a specific TCP port. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system. \"The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH,\" Flare.io researcher Assaf Morag said in a technical report. \"Allegedly this would remain persistent on Linux systems (x86_64).\" PamDOORa is the second Linux backdoor after Plague to be discovered targeting the PAM stack over the past year. PAM is the authentication framework on Unix\u002FLinux systems that lets administrators add or swap authentication mechanisms (for example, moving from passwords to biometrics) by listing pluggable modules in per-service configuration files under \u002Fetc\u002Fpam.d, without rewriting the applications that call into it. Because a PAM module is loaded into the process that performs authentication, which for sshd, login and sudo runs as root, and is handed the user's password in the clear, a compromised, misconfigured, or malicious module can introduce significant security risks and open the door to credential harvesting and unauthorized access. 
\"Despite its strengths, the Pluggable Authentication Module's (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext,\" Group-IB noted in September 2024. \"The pam_exec module, which allows the execution of external commands, can be exploited by attackers to gain unauthorized access or establish persistent control by injecting malicious scripts into PAM configuration files.\" The Singaporean security vendor also detailed how it's possible to manipulate PAM configuration for SSH authentication to execute a script via pam_exec, effectively allowing a bad actor to obtain a privileged shell on a host and facilitate stealthy persistence. The latest findings from Flare.io show that PamDOORa, besides enabling credential theft, incorporates anti-forensic capabilities to methodically tamper with authentication logs to erase traces of malicious activity. Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely to involve the adversary first obtaining root access to the host through some other means and deploying the PamDOORa PAM module to capture credentials and establish persistent access over SSH. Morag told The Hacker News that PamDOORa was compared with several similar PAM-based backdoors, including Plague. Although they share a similar approach of altering the PAM behavior to enable credential capture, the \"small differences in the design\" indicate that the backdoor does not overlap with any of them. \"But without comparing the two binaries, we cannot completely rule out,\" Morag added. After an initial asking price of $1,600 on March 17, 2026, the \"darkworm\" persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale. 
\"PamDOORa represents an evolution over existing open-source PAM backdoors,\" Morag explained. \"While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Authentication, Backdoor, Credential Theft, cybersecurity, linux, Malware, Threat Intelligence ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] 
Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fnew-linux-pamdoora-backdoor-uses-pam.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEixNgyNI9ObZi3Il87CVXhEWyWgcK-O1IKhQKRs7NPrNVqTMBZRw7AZpmbk5RdsPxNPmO9IyXaq6QzYBN691HBgfE8HpwnyJuE4-vaCAwHPpb6UfeSRcrMI-GRjcX53cELs31s7ps6YkGx5bAAB67w4m9GQ7ZVWjSdnaPOFczjHlsS3967ZvBh-4ZvTBWEJ\u002Fs1600\u002Flinux-pam.jpg","2026-05-08T08:41:00+00:00","2026-05-08T12:00:24.912948+00:00",9,[18,21,24,27],{"name":19,"type":20},"darkworm","threat_actor",{"name":22,"type":23},"PAM (Pluggable Authentication Module)","technology",{"name":25,"type":26},"Flare.io","vendor",{"name":28,"type":26},"Group-IB","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":29,"icon":31,"name":32,"slug":33},null,"Malware","malware",[35],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[41,44],{"type":33,"value":42,"context":43},"PamDOORa","PAM-based Linux backdoor for post-exploitation, credential theft, and persistent SSH access",{"type":33,"value":45,"context":46},"Plague","Earlier PAM-based Linux backdoor discovered in past year; similar approach to PamDOORa"]