Stealthy Linux Backdoor ‘Plague’ Evades Detection by Antivirus Vendors

A highly persistent Linux backdoor, dubbed “Plague,” has been evading detection by antivirus vendors for months. Researchers at German infosec company Nextron Threat discovered the malware, which installs a malicious PAM (Pluggable Authentication Module) that lets attackers bypass system authentication and gain persistent SSH access.

The Plague malware integrates deeply into the authentication stack, survives system updates, and leaves minimal forensic traces. It uses layered obfuscation and environment tampering to make detection with traditional tools difficult. Antivirus vendors have now caught up: more than 30 engines identify the malicious PAM module as malware.

The malware sanitizes the runtime environment to eliminate evidence of an SSH session, making it challenging to detect. Nextron Threat warns that the Plague backdoor is a sophisticated threat to Linux infrastructure, exploiting core authentication mechanisms for stealth and persistence. Researchers have found no public reports of the malware being detected in the wild, but its use of advanced obfuscation, static credentials, and environment tampering makes detection difficult.

Nextron's advice to admins: if something looks suspicious, manually verify that the PAM modules on the system are legitimate. The company has updated its THOR Lite scanner to spot potential Plague instances.
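A defender-side check in the spirit of that advice, as an added example that is not from the article or from Nextron: it lists the pam_*.so names referenced by the configs under a pam.d directory, flags any outside an allowlist you supply, and asks the package manager whether each installed module file is package-owned. The module directories and the sample names are assumptions, not values from the report.

```shell
#!/bin/sh
# Added example, not code from the article or from Nextron. Two checks that
# help answer "are my PAM modules legitimate?": which pam_*.so names the
# configs under pam.d reference (and which fall outside an allowlist), and
# whether each pam_*.so installed on disk is owned by a package (dpkg/rpm).
# The module directories below are common locations, not an exhaustive list.

# Print every pam_*.so referenced by the files in a pam.d directory, one per
# line, de-duplicated. Comments are stripped first; matching on the name
# alone copes with full paths and with control fields like [success=1 ...].
pam_modules_referenced() {
    cat "$1"/* 2>/dev/null \
        | sed 's/#.*//' \
        | grep -oE 'pam_[A-Za-z0-9_-]+\.so' \
        | sort -u
}

# Print referenced modules absent from the allowlist file (one name per
# line). Empty output means every referenced module was expected.
pam_unexpected_modules() {
    pam_modules_referenced "$1" | grep -vxF -f "$2" || true
}

# Print installed module files that no package claims (dpkg -S or rpm -qf;
# nothing is printed when neither tool exists). Ownership does not prove the
# file is unmodified: follow up with dpkg -V / rpm -V on the owning package.
pam_unowned_module_files() {
    for dir in /lib/security /lib64/security /usr/lib64/security \
               /usr/lib/security /usr/lib/x86_64-linux-gnu/security; do
        [ -d "$dir" ] || continue
        for f in "$dir"/pam_*.so; do
            [ -e "$f" ] || continue
            if command -v dpkg >/dev/null 2>&1; then
                dpkg -S "$f" >/dev/null 2>&1 || echo "$f"
            elif command -v rpm >/dev/null 2>&1; then
                rpm -qf "$f" >/dev/null 2>&1 || echo "$f"
            fi
        done
    done
}

# Stand-alone run against the live system, when it has a pam.d directory.
if [ -d /etc/pam.d ]; then
    echo "PAM modules referenced by /etc/pam.d:"
    pam_modules_referenced /etc/pam.d
    echo "Module files not owned by any package:"
    pam_unowned_module_files
fi
```

Build the allowlist from a known-good host of the same distribution and release, so that a module name appearing only on the suspect machine stands out.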

Source: https://www.theregister.com/2025/08/05/plague_linux_backdoor