New 'PamDOORa' Linux Backdoor Offers Persistent SSH Access and Credential Theft
A new, sophisticated Linux backdoor called PamDOORa is being sold on underground forums, offering attackers persistent SSH access and credential harvesting capabilities by exploiting the Pluggable Authentication Module (PAM) framework.

A new Linux-focused backdoor dubbed "PamDOORa" has surfaced on the Rehub cybercrime forum, where it is being marketed as a sophisticated post-exploitation tool. The malware is designed to manipulate the Pluggable Authentication Module (PAM) framework on x86_64 Linux systems to facilitate persistent, unauthorized SSH access (The Hacker News).
The backdoor functions by hooking into the PAM stack, which is a critical security framework used by Linux systems to manage authentication. By deploying as a malicious PAM module, PamDOORa operates with root privileges, allowing it to intercept and harvest plaintext credentials from any user authenticating through the compromised system (The Hacker News). Beyond credential theft, the tool provides a "magic password" and specific TCP port combination that grants attackers persistent, unauthorized entry via OpenSSH (The Hacker News).
According to researchers at Flare.io, PamDOORa distinguishes itself from earlier, simpler PAM-based backdoors like "Plague" through its advanced feature set. The implant includes anti-forensic capabilities that allow it to methodically tamper with authentication logs, effectively erasing traces of malicious activity to evade detection (The Hacker News). Furthermore, the tool features anti-debugging mechanisms and a network-aware trigger system, moving it beyond basic proof-of-concept scripts into the realm of operator-grade malware (The Hacker News).
While there is currently no evidence of PamDOORa being deployed in real-world attacks, its presence on the dark web suggests an intent to weaponize it. Security analysts note that the infection chain likely requires an attacker to first gain root-level access to a target host through a separate vulnerability before deploying the PamDOORa module to establish long-term persistence (The Hacker News).
The threat actor behind the tool, known as "darkworm," initially listed the backdoor for $1,600 on March 17, 2026. By April 9, the price had been slashed to $900, a move experts suggest may indicate a lack of buyer interest or a desire to quickly offload the malicious software (The Hacker News).
The emergence of PamDOORa highlights the inherent risks associated with the modular nature of the PAM framework. Because PAM modules run with high privileges and handle sensitive authentication data, they remain a high-value target for threat actors looking to establish stealthy, persistent control over Linux infrastructure (The Hacker News). As these tools become more sophisticated, organizations are reminded of the importance of monitoring PAM configuration files and auditing authentication logs for unauthorized modifications.
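The monitoring advice above can be turned into a concrete check: parse each PAM service file and flag any module that is not in a known-good baseline or is loaded from outside the system library paths, which is how an injected module such as the one described here would show up. This is an added defender's example, not code from the article or from Flare.io; the allowlist, the sample `/etc/pam.d/sshd` contents and the module names in it are constructed for illustration.

```python
import re
from pathlib import Path
# Constructed allowlist for this host's SSH auth stack; a real baseline would
# come from the distro's packages or a known-good reference host.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_motd.so",
    "pam_nologin.so", "pam_loginuid.so", "pam_limits.so", "pam_succeed_if.so",
}
TRUSTED_PREFIXES = ("/lib/security/", "/lib64/security/", "/usr/lib")

# Constructed /etc/pam.d/sshd with two injected lines (not a real sample).
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth     sufficient  pam_backdoor.so
auth     required    pam_unix.so nullok
auth     [success=1 default=ignore]  pam_succeed_if.so user != root quiet
@include common-auth
account  required    pam_nologin.so
session  optional    /tmp/.x/pam_helper.so \\
         debug
session  required    pam_limits.so
"""

# Fields: optional '-', type, control (word or [value=action ...]), module path.
ENTRY_RE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_entries(text):
    """Return (type, control, module) tuples, joining backslash continuations."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, blank lines
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        m = ENTRY_RE.match(line)               # @include lines never match
        if m:
            entries.append(m.groups())
    return entries

def find_unexpected(entries, baseline=BASELINE_MODULES):
    """Flag modules outside the baseline or loaded from an untrusted path."""
    findings = []
    for typ, control, module in entries:
        if "/" in module and not module.startswith(TRUSTED_PREFIXES):
            findings.append((typ, module, "loaded from untrusted path"))
        elif Path(module).name not in baseline:
            findings.append((typ, module, f"not in baseline (control={control})"))
    return findings
```

Running the two functions over every file under `/etc/pam.d` on a host, and comparing the result against the same run on a clean reference build, turns this into a periodic integrity check; the `control` value in a finding matters because a module inserted as `sufficient` ahead of `pam_unix.so` can short-circuit the rest of the auth stack.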