A previously undisclosed Linux backdoor named PamDOORa has surfaced on the Rehub Russian cybercrime forum, where it is being marketed for $1,600 by a threat actor using the handle "darkworm." Cybersecurity researchers have analyzed the malware and revealed its capabilities as a post-exploitation tool targeting Linux systems.
The backdoor is built as a toolkit based on Pluggable Authentication Modules (PAM), a critical component of Linux authentication. PAM modules handle authentication tasks across Linux distributions, which makes them an attractive target for attackers seeking persistent access. By compromising these modules, PamDOORa can intercept and manipulate the authentication process on affected systems.
PamDOORa's primary mechanism establishes persistent SSH access through a combination of a magic password and a specific TCP port configuration. Requiring both conditions lets attackers retain backdoor access after the initial compromise while bypassing normal authentication controls. The malware is specifically designed as a post-exploitation toolkit, meaning it is deployed after an attacker has already gained initial access to a target system.
The availability of PamDOORa on cybercrime forums represents a concerning development for organizations relying on Linux infrastructure. SSH access is fundamental to Linux server management, and compromising the authentication layer provides attackers with a powerful persistence mechanism that can be difficult to detect. The relatively low price point of $1,600 makes this capability accessible to a broader range of threat actors.
Organizations should immediately audit their PAM configurations for unauthorized modifications and implement file integrity monitoring on authentication modules. Security teams should review SSH access logs for anomalous authentication patterns and consider implementing multi-factor authentication for all SSH access. Regular verification of PAM module integrity and monitoring for unexpected changes to authentication libraries can help detect this type of backdoor before it is exploited.
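One way to carry out the PAM configuration audit and module-integrity check described above, as an added example that is not part of the original report. The sample /etc/pam.d/sshd stack, the allowlist, the module name pam_unknownmod.so and the temporary module directory are all constructed for the demo; on a real host the allowlist comes from the package manager's file list and the baseline hashes from a known-good image.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Constructed sample of an /etc/pam.d/sshd stack; the last line loads a module the
# distribution does not ship (placeholder name, not a real module).
SAMPLE_PAM_SSHD = """\
@include common-auth
auth     [success=1 default=ignore]  pam_unix.so nullok
account  required                    pam_nologin.so   # comment
auth     sufficient                  /lib/security/pam_unknownmod.so
"""
# Assumed allowlist: module names checked against the package manager's file list.
KNOWN_MODULES = {"pam_unix.so", "pam_nologin.so", "pam_limits.so", "pam_env.so"}
# PAM line: [-]type  control (word or [bracketed])  module.so  args
LINE_RE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+\.so)(.*)$", re.I)

def unexpected_modules(pam_text, known=KNOWN_MODULES):
    """(type, control, module, args) for each line loading a module outside the allowlist."""
    hits = []
    for raw in pam_text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0])
        if m:
            name = m.group(3).rsplit("/", 1)[-1]   # compare by basename, absolute path or not
            if name not in known:
                hits.append((m.group(1).lower(), m.group(2), name, m.group(4).strip()))
    return hits

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def changed_modules(module_dir, baseline):
    """Compare every .so in module_dir with a baseline {name: sha256}; report new or altered files."""
    findings = {}
    for p in sorted(Path(module_dir).glob("*.so")):
        if p.name not in baseline:
            findings[p.name] = "not in baseline"
        elif baseline[p.name] != sha256_file(p):
            findings[p.name] = "hash mismatch"
    return findings

def demo_changed_modules():
    """Constructed demo: two fake module files, one baselined; then the baselined one is altered."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "pam_unix.so"
        good.write_bytes(b"\x7fELF placeholder: known module")
        (Path(d) / "pam_unknownmod.so").write_bytes(b"\x7fELF placeholder: unknown module")
        baseline = {"pam_unix.so": sha256_file(good)}
        before = changed_modules(d, baseline)          # only the unknown module is flagged
        good.write_bytes(b"\x7fELF placeholder: tampered")
        return before, changed_modules(d, baseline)    # now also a hash mismatch
```

Run unexpected_modules over every file under /etc/pam.d and changed_modules over the distribution's PAM module directory on a schedule, and treat any finding as an incident trigger rather than a warning.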
Source: https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html