A previously unknown Linux backdoor called Plague has been discovered by cybersecurity researchers, evading detection for over a year. The implant is built as a malicious PAM (Pluggable Authentication Module), allowing attackers to bypass system authentication and gain persistent SSH access.
The Pluggable Authentication Module is a suite of shared libraries used to manage user authentication on Linux and UNIX-based systems. A rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools.
Researchers found multiple Plague artifacts uploaded to VirusTotal since July 2024, but none were detected as malicious by antimalware engines. The presence of these samples indicates active development of the malware by unknown threat actors.
Plague features several stealthy techniques, including static credentials, anti-debugging and string obfuscation, and environment variable manipulation. These features make it difficult to detect using traditional tools. The backdoor integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces, making it exceptionally hard to detect.
Source: https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html