New PamDOORa Linux backdoor targets SSH credentials through PAM


A new Linux backdoor called PamDOORa is drawing attention because it targets Pluggable Authentication Modules (PAM), the framework that sits at the center of authentication on most Linux systems. The backdoor is designed to help attackers keep SSH access to a compromised server while stealing credentials from legitimate users who log in.

Researchers say PamDOORa is not an initial access tool. An attacker would already need root access before deploying it. Once installed, the malware can place itself inside the authentication flow, where it can capture passwords, hide attacker logins, and preserve access through OpenSSH.

The tool was advertised on the Rehub Russian-speaking cybercrime forum by a threat actor using the name “darkworm.” It was initially listed for $1,600 before the price reportedly dropped to $900, suggesting the seller may have wanted a faster sale or struggled to find buyers.

Why PamDOORa is dangerous

PAM is a sensitive part of Linux because it helps services such as SSH, sudo, login, and other applications verify users. That makes it a useful target for attackers who want access that blends into normal system behavior.

Instead of running as a separate, visible process, PamDOORa abuses the authentication layer itself: a PAM module is a shared object loaded into the address space of the service doing the authentication, in this case sshd. That makes the threat harder to spot with tools that mainly watch for new user-space processes or unusual application activity.

The backdoor can allow SSH access through a specific TCP port and a secret “magic password.” At the same time, it can collect credentials from real users as they authenticate through the compromised machine.

At a glance

Malware name: PamDOORa
Target: Linux systems using PAM and OpenSSH
Main goal: Persistent SSH access and credential theft
Required access: Root access before deployment
Reported seller: A Rehub forum user using the alias “darkworm”
Reported price: $1,600, later reduced to $900
Key risk: Attackers can steal SSH credentials and erase traces of their access

How the attack works

PamDOORa appears to work as a post-exploitation implant. After gaining root access through another method, the attacker deploys the tool and modifies the PAM authentication stack.

The implant reportedly installs a separate file called pam_linux.so rather than replacing the standard pam_unix.so module. This matters for two reasons: adding a module looks less destructive than overwriting a core system file, and the shipped pam_unix.so keeps its original hash, so package integrity checks such as dpkg -V or rpm -Va still report it as clean. The attacker nonetheless gains control over authentication behavior, because every module in the stack takes part in the same authentication conversation.

The backdoor can then observe SSH authentication events. When a normal user logs in with a password, the planted module sits in the PAM auth stack and can read the same cleartext authentication token that pam_unix.so is about to verify, so it captures the submitted credentials before higher-level logging sees anything useful. Key-based SSH logins do not pass a password through the PAM auth stack, which is one reason to prefer them.

Credential theft happens inside the trusted login flow

This is what makes PamDOORa especially risky for system administrators and incident response teams. A responder who logs in to investigate a compromised server could hand over credentials to the attacker without realizing it.

[Figure: Detailed PAM workflow (Source: Group-IB)]

Captured credentials are reportedly encrypted with XOR using a runtime-generated key and written to the /tmp directory with dynamic filenames and timestamps. XOR does not provide strong protection, but it can help the attacker avoid simple text-based scanning.
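The following script is an added example, not PamDOORa's code and not part of Group-IB's analysis, that shows why XOR with a short runtime key is no real protection. The record layout ("user=... pass=... host=...") and the 4-byte key are assumptions made for illustration; the page does not document the implant's real format or key size. It demonstrates both halves of the claim above: a plain byte search for the password fails against the XORed blob, and a known-plaintext crib recovers the key and with it the whole record.

```python
"""Why XOR with a short runtime key does not protect a dropped credential file.

Added example. The record layout and the 4-byte key below are assumptions
for illustration; the implant's real format and key size are not documented.
"""
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, crib: bytes, max_key_len: int = 16):
    """Return (key, plaintext) for the shortest key consistent with the crib.

    For each candidate key length and each offset the crib could occupy,
    derive the key bytes the crib implies. Two crib bytes that map to the
    same key position with different values rule that guess out. A guess is
    accepted only if the whole file decrypts to printable text, which weeds
    out accidental matches. Returns None if nothing fits.
    """
    for klen in range(1, max_key_len + 1):
        if klen > len(crib):
            break  # a crib shorter than the key cannot pin down every byte
        for off in range(len(ciphertext) - len(crib) + 1):
            key = [None] * klen
            for i, c in enumerate(crib):
                pos = (off + i) % klen
                kb = ciphertext[off + i] ^ c
                if key[pos] is None:
                    key[pos] = kb
                elif key[pos] != kb:
                    break  # contradiction: crib is not here with this length
            else:
                candidate = bytes(key)
                plaintext = xor_bytes(ciphertext, candidate)
                if all(b in PRINTABLE for b in plaintext):
                    return candidate, plaintext
    return None


def demo():
    """Constructed sample: one credential record and a stand-in runtime key."""
    record = b"user=alice pass=S3cr3t!hunter2 host=10.0.0.5\n"
    key = b"\x8f\x2a\xc3\x5e"  # stand-in for the implant's runtime-generated key
    blob = xor_bytes(record, key)
    # A naive scan of /tmp for the known password finds nothing in the blob,
    # which is all the obfuscation buys the attacker.
    assert b"hunter2" not in blob
    # A responder who knows any fragment of the plaintext (here the assumed
    # "user=" marker; a bait login with a known username works the same way)
    # recovers the key and with it every record in the file.
    recovered_key, plaintext = recover_xor_key(blob, b"user=")
    assert recovered_key == key
    return plaintext


if __name__ == "__main__":
    print(demo().decode())
```

The printable-text filter is a heuristic for text records; if a recovered file turns out to contain binary fields such as packed timestamps, relax it to a check on the crib's neighbourhood instead. The crib does not need to be a format marker: a bait login with a username you control, performed after the host is isolated, gives you a guaranteed known plaintext.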

The tool also uses network-aware triggers. Instead of accepting the hidden password from any connection, PamDOORa can inspect socket information for the connection being authenticated and apply conditions to it, such as the specific TCP port mentioned above, which makes the backdoor more controlled and harder to trigger accidentally.

Anti-forensics make investigations harder

PamDOORa also includes anti-forensic behavior. Researchers found that it can manipulate authentication records such as lastlog, btmp, utmp, and wtmp to remove signs of attacker access.

That can distort the timeline of a breach. Security teams may see failed logins or incomplete records while missing the successful attacker session that mattered most.

This type of log tampering also means defenders should not rely only on local authentication logs after a suspected compromise. They should compare data from endpoint tools, network logs, SIEM telemetry, cloud audit logs, and other independent sources.
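One concrete form of that comparison, as an added example that is not from the page or from Group-IB: decode the host's own wtmp and check it against sshd's "Accepted" lines as they arrived at a remote log collector. The script assumes the binary utmp/wtmp layout used by glibc on x86_64 Linux (384-byte struct utmp entries) and journalctl -o short-iso style timestamps on the collector side; both inputs in demo() are constructed samples. Any login sshd reported that has no matching USER_PROCESS entry in wtmp is a candidate for the kind of record manipulation described above.

```python
"""Cross-check wtmp against an independent record of sshd logins.

Added example. Assumes glibc's x86_64 struct utmp layout and ISO-style
collector timestamps; the wtmp blob and log lines in demo() are constructed.
"""
import re
import struct
from datetime import datetime

# glibc struct utmp on x86_64: type, pad, pid, line, id, user, host,
# exit(term, exit), session, tv_sec, tv_usec, addr_v6, unused -> 384 bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7  # ut_type of an interactive login session

ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)


def parse_wtmp(blob):
    """Yield (ut_type, user, host, tv_sec) for every record in a wtmp blob."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, blob, off)
        ut_type, user, host, tv_sec = fields[0], fields[4], fields[5], fields[9]
        yield (ut_type,
               user.split(b"\0", 1)[0].decode(errors="replace"),
               host.split(b"\0", 1)[0].decode(errors="replace"),
               tv_sec)


def pack_wtmp_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, b"")


def parse_sshd_accepts(lines):
    """Return (user, host, epoch) for each successful sshd authentication."""
    found = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            found.append((m["user"], m["host"], int(ts.timestamp())))
    return found


def find_missing_logins(wtmp_blob, sshd_lines, tolerance=120):
    """Logins sshd confirmed that have no USER_PROCESS entry in wtmp."""
    sessions = [(u, h, t) for ty, u, h, t in parse_wtmp(wtmp_blob)
                if ty == USER_PROCESS]
    missing = []
    for user, host, ts in parse_sshd_accepts(sshd_lines):
        if not any(u == user and h == host and abs(t - ts) <= tolerance
                   for u, h, t in sessions):
            missing.append((user, host, ts))
    return missing


def demo():
    """Constructed sample: three accepted logins, one of them wiped from wtmp."""
    collector_lines = [
        "2025-03-03T10:14:02+0000 web1 sshd[4211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
        "2025-03-03T10:21:47+0000 web1 sshd[4390]: Accepted password for deploy from 10.0.0.9 port 41022 ssh2",
        "2025-03-03T11:02:15+0000 web1 sshd[4877]: Accepted password for root from 198.51.100.7 port 55010 ssh2",
        "2025-03-03T11:02:16+0000 web1 sshd[4877]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    ]
    accepted = parse_sshd_accepts(collector_lines)
    # wtmp as found on the host: alice and deploy are present, the root
    # session from 198.51.100.7 has been removed.
    wtmp = b"".join(
        pack_wtmp_record(USER_PROCESS, 4200 + i, "pts/%d" % i, user, host, ts + 1)
        for i, (user, host, ts) in enumerate(accepted[:2])
    )
    return find_missing_logins(wtmp, collector_lines)


if __name__ == "__main__":
    for user, host, ts in demo():
        print("no wtmp entry for %s from %s at %s" % (user, host, datetime.fromtimestamp(ts)))
```

On a real host, read /var/log/wtmp into the blob and feed the collector's sshd lines to find_missing_logins; utmpdump /var/log/wtmp gives a quick human-readable view of the same records. The record layout differs on 32-bit and non-glibc (musl) systems, so confirm the file size is a multiple of UTMP_SIZE before trusting the parse. The same approach works in the other direction: a USER_PROCESS entry with no "Accepted" line at the collector is equally worth a look.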

What administrators should check

  • Review unexpected changes in /etc/pam.d/sshd and the shared PAM files it includes, such as common-auth on Debian-based systems or system-auth and password-auth on RHEL-based systems.
  • Look for unfamiliar pam_*.so modules in the PAM module directory (for example /lib/x86_64-linux-gnu/security or /lib64/security), especially files with names that resemble legitimate modules, and confirm that each one belongs to an installed package (dpkg -S or rpm -qf).
  • Investigate suspicious activity in /tmp, /var/tmp, and other writable directories.
  • Check whether sshd has spawned unusual child processes or scripts during login events.
  • Compare lastlog, btmp, utmp, and wtmp with external logging sources.
  • Rotate passwords and revoke SSH keys if a server shows signs of root compromise.
  • Disable direct root SSH login where possible.
  • Limit sudo access to users who need it.
  • Use key-based SSH authentication and reduce password-based logins.
  • Use SELinux, AppArmor, Auditd, and file integrity monitoring on critical servers.

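The first two checks in that list can be scripted. The following is an added example, not from the page or from Group-IB: it resolves @include, include and substack references in pam.d the way libpam does, tokenizes each rule (including bracketed [success=1 default=ignore] controls, -type optional prefixes and backslash continuations) and reports every module-path that is not in an allowlist. The allowlist and the pam.d contents in demo() are constructed for the example; on a real host build the allowlist from the package manager (dpkg -L libpam-modules libpam-runtime, or rpm -ql pam) and run the walk over /etc/pam.d. The planted pam_linux.so rule reuses the file name the page reports; where the implant actually hooks the stack is not documented there.

```python
"""Walk sshd's PAM stack and flag modules the distribution did not ship.

Added example. KNOWN_MODULES and the pam.d contents in demo() are
constructed; the pam_linux.so rule is planted to mirror the page's report.
"""
import os

# Constructed allowlist: modules a stock Debian/RHEL sshd stack references.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_motd.so",
    "pam_nologin.so", "pam_loginuid.so", "pam_keyinit.so", "pam_systemd.so",
    "pam_limits.so", "pam_umask.so", "pam_sepermit.so", "pam_selinux.so",
    "pam_namespace.so", "pam_lastlog.so", "pam_faildelay.so", "pam_mail.so",
}


def pam_rules(text):
    """Yield (type, control, module, args) for each rule in one pam.d file."""
    pending = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # comments run to end of line
        if line.endswith("\\"):                  # backslash continuation
            pending.append(line[:-1])
            continue
        tokens = " ".join(pending + [line]).split()
        pending = []
        if len(tokens) < 2:
            continue
        if tokens[0] == "@include":              # Debian-style include
            yield ("@include", None, tokens[1], [])
            continue
        rule_type = tokens[0].lstrip("-")        # "-session" marks optional
        if tokens[1].startswith("["):            # [value=action ...] control
            j = 1
            while j < len(tokens) and not tokens[j].endswith("]"):
                j += 1
            control, j = " ".join(tokens[1:j + 1]), j + 1
        else:
            control, j = tokens[1], 2
        if j >= len(tokens):
            continue                             # malformed: no module-path
        yield (rule_type, control, tokens[j], tokens[j + 1:])


def walk_stack(files, service, seen=None):
    """Yield (file, type, control, module) for a service and all it pulls in."""
    # include/substack only pull in rules of the same type; for an audit,
    # walking the whole referenced file once is harmless over-inclusion.
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return
    seen.add(service)
    for rule_type, control, module, _args in pam_rules(files[service]):
        if rule_type == "@include" or control in ("include", "substack"):
            yield from walk_stack(files, module, seen)
        else:
            yield (service, rule_type, control, module)


def suspicious_modules(files, service="sshd", known=KNOWN_MODULES):
    """Return (file, type, control, module, reason) for each rule to investigate."""
    findings = []
    for src, rule_type, control, module in walk_stack(files, service):
        if "/" in module:
            reason = "explicit path; modules normally load from the default security dir"
        elif os.path.basename(module) not in known:
            reason = "module not in allowlist"
        else:
            continue
        findings.append((src, rule_type, control, module, reason))
    return findings


def demo():
    """Constructed Debian-style pam.d with one planted rule in common-auth."""
    files = {
        "sshd": "# PAM configuration for the Secure Shell service\n"
                "@include common-auth\n"
                "account    required     pam_nologin.so\n"
                "@include common-account\n"
                "session    required     pam_loginuid.so\n"
                "session    optional     pam_keyinit.so force revoke\n"
                "@include common-session\n"
                "session    required     pam_env.so user_readenv=1 \\\n"
                "           envfile=/etc/default/locale\n",
        "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                       "auth optional                   pam_linux.so  # planted (constructed)\n"
                       "auth requisite                  pam_deny.so\n"
                       "auth required                   pam_permit.so\n",
        "common-account": "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n"
                          "account requisite pam_deny.so\naccount required pam_permit.so\n",
        "common-session": "session [default=1] pam_permit.so\nsession requisite pam_deny.so\n"
                          "session required pam_permit.so\nsession required pam_unix.so\n"
                          "-session optional pam_systemd.so\n",
    }
    return suspicious_modules(files)


if __name__ == "__main__":
    for finding in demo():
        print("%s: %s %s %s  <- %s" % finding)
```

To run it against a live host, build the mapping with {name: open(os.path.join("/etc/pam.d", name)).read() for name in os.listdir("/etc/pam.d")} and pass it to suspicious_modules. The walk only sees what the configuration references, so it will not notice a module that was replaced under a legitimate name; pair it with rpm -Va or dpkg -V for the shipped files and with a listing of the module directory checked against the package manifest for anything the packages did not install.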
Why this matters for Linux security

PamDOORa shows why attackers keep targeting authentication infrastructure. Once they compromise that layer, they can gain persistence, steal credentials, and undermine incident response at the same time.

The threat also highlights the risk of treating Linux servers as clean after only removing visible malware. If PAM has been modified, every credential used on that server may need to be considered exposed.

For defenders, the response should go beyond deleting a suspicious file. Teams should rebuild trust in the host, rotate credentials, verify PAM configurations, review privileged access, and confirm that logging sources outside the affected server still show a complete picture.

Summary

  • PamDOORa is a Linux PAM-based backdoor designed for post-exploitation access.
  • It targets SSH authentication and can steal credentials from legitimate users.
  • The backdoor reportedly uses a magic password and TCP port combination for attacker access.
  • It can manipulate authentication logs to hide attacker activity.
  • Security teams should treat affected systems as fully compromised and rotate credentials after containment.

FAQ

Can normal logs detect PamDOORa?

Normal logs may not be enough because PamDOORa can tamper with authentication records. Security teams should compare local logs with external telemetry, endpoint data, and network records.

What is PamDOORa?

PamDOORa is a Linux backdoor that abuses the PAM authentication framework to maintain SSH access and steal credentials from users who log in to a compromised system.

Does PamDOORa infect Linux servers by itself?

No. The reported tool works after an attacker already has root access. The attacker must compromise the server through another method before deploying PamDOORa.

Why does PAM abuse matter?

PAM handles authentication for important Linux services. If attackers modify PAM files or load malicious PAM modules, they can influence login behavior across SSH, sudo, and other services.
