Researchers uncovered PamDOORa, a new Linux backdoor that a seller using the handle "darkworm" is offering for $1,600 on the Russian cybercrime forum Rehub. The malware is a post-exploitation toolkit built as a Pluggable Authentication Module (PAM): once installed on a compromised host, it gives the attacker persistent SSH access through a preset "magic" password combined with a custom TCP port.
PAM modules are shared objects loaded into the authenticating process itself, not into the kernel; a malicious module in the sshd PAM stack therefore runs with sshd's privileges (root) and is handed every password in cleartext before the daemon's normal logging and auditing code runs. That position lets PamDOORa harvest real SSH credentials and short-circuit the authentication decision for its own magic password, and it is why defenders relying on conventional authentication audits struggle to spot it: the backdoor login is recorded as an ordinary successful login, and neither the kernel nor the SSH daemon's own binary has been modified.
The toolkit is aimed at Linux hosts that have already been compromised. Deployed in the post-exploitation phase, PamDOORa keeps the attacker's access alive even after the initial vulnerability is patched. The magic password lets the attacker authenticate over SSH with a preset credential that the backdoored module accepts regardless of the account's real password. The custom TCP port adds a second evasion layer, keeping the backdoor's traffic on a non-standard port that network monitoring tuned for the usual SSH port may overlook.
Organizations running Linux servers face elevated risk, particularly those in cloud environments or managing distributed infrastructure where SSH is the primary administrative channel. The $1,600 price point suggests darkworm is selling to mid-tier criminal actors and syndicates rather than state-sponsored groups, which widens the pool of likely victims to smaller targets.
Defenders should monitor the integrity of both the PAM module files (the .so objects under the distribution's PAM security directory) and the stack definitions in /etc/pam.d, deploy host-based intrusion detection tuned for authentication anomalies, and audit SSH access regularly. Enforce key-based SSH authentication and switch off password logins (PasswordAuthentication no and KbdInteractiveAuthentication no in sshd_config), which closes the path a magic password depends on, and keep strict controls over who can install or modify PAM modules.
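The integrity check described above, as an added example that is not PamDOORa code and not the researchers' tooling: a POSIX sh script that lists the modules the sshd PAM stack actually loads (following include directives), flags any module the baseline never saw, and compares on-disk module hashes against a baseline recorded while the host was known-good. Every path and module name below is a hypothetical fixture that the script constructs itself so it runs offline; pam_planted_example.so is a made-up name standing in for a dropped module.

```shell
#!/bin/sh
# Added example (not PamDOORa code, not the researchers' tooling): audit the
# sshd PAM stack. The fixture paths are hypothetical and built by the script;
# on a real host call pam_audit with /etc/pam.d/sshd, the distribution's PAM
# module directory and a baseline hash list taken while the host was clean.

# List the module basenames a PAM config references, following
# "@include file", "include file" and "substack file" in the same directory.
pam_modules() {
  grep -v '^[[:space:]]*#' "$1" | while read -r t1 t2 t3 rest; do
    case "$t1 $t2" in
      "@include "*)             pam_modules "$(dirname "$1")/$t2" ;;
      *" include"|*" substack") pam_modules "$(dirname "$1")/$t3" ;;
      *) printf '%s %s %s %s\n' "$t1" "$t2" "$t3" "$rest" \
           | grep -oE '[A-Za-z0-9_./-]+\.so' | sed 's#.*/##' ;;
    esac
  done
}

# pam_audit CONF MODULE_DIR BASELINE
# Prints one finding per line; exit status 0 means clean, 1 means something
# was flagged. BASELINE uses sha256sum's "<hash>  <module>" line format.
pam_audit() {
  conf="$1"; moddir="$2"; baseline="$3"; findings=0
  # Check 1: a module name in the stack that the baseline never saw is the
  # classic sign of a planted module (a new "auth sufficient" line).
  for mod in $(pam_modules "$conf" | sort -u); do
    if ! awk -v n="$mod" '$2 == n {found=1} END {exit !found}' "$baseline"; then
      echo "UNLISTED: $mod is referenced by $conf but not in the baseline"
      findings=$((findings + 1))
    fi
  done
  # Check 2: every .so on disk must be in the baseline with an unchanged hash;
  # this catches a trojanised pam_unix.so as well as a dropped extra module.
  for f in "$moddir"/*.so; do
    [ -e "$f" ] || continue
    name=${f##*/}
    want=$(awk -v n="$name" '$2 == n {print $1}' "$baseline")
    have=$(sha256sum "$f" | cut -d' ' -f1)
    if [ -z "$want" ]; then
      echo "UNEXPECTED: $f is not in the baseline"; findings=$((findings + 1))
    elif [ "$want" != "$have" ]; then
      echo "MODIFIED: $f hash differs from the baseline"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed fixture standing in for a clean host: two placeholder "modules",
# an sshd stack that includes common-auth, and a baseline taken at that point.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/pam.d" "$root/security"
  printf 'placeholder for pam_unix\n' > "$root/security/pam_unix.so"
  printf 'placeholder for pam_env\n'  > "$root/security/pam_env.so"
  cat > "$root/pam.d/common-auth" <<'EOF'
auth    [success=1 default=ignore]   pam_unix.so nullok
auth    required                     pam_env.so
EOF
  cat > "$root/pam.d/sshd" <<'EOF'
# sshd PAM stack (constructed example)
@include common-auth
session optional pam_env.so
EOF
  (cd "$root/security" && sha256sum *.so) > "$root/baseline.txt"
  echo "$root"
}

# Simulate what a PamDOORa-style install changes: a new module file plus a
# stack line that makes it "sufficient" for SSH authentication (hypothetical name).
plant_backdoor() {
  printf 'placeholder for a planted module\n' > "$1/security/pam_planted_example.so"
  printf 'auth sufficient pam_planted_example.so\n' >> "$1/pam.d/sshd"
}

# End-to-end run on the fixture: `sh pam_audit.sh demo`
pam_audit_demo() {
  root=$(make_fixture)
  echo "== clean host =="
  pam_audit "$root/pam.d/sshd" "$root/security" "$root/baseline.txt" && echo "no findings"
  plant_backdoor "$root"
  echo "== after planting a module =="
  pam_audit "$root/pam.d/sshd" "$root/security" "$root/baseline.txt" || echo "audit FAILED"
  rm -rf "$root"
}

if [ "${1:-}" = demo ]; then pam_audit_demo; fi
```

On a production host the baseline should come from the package manager rather than a hand-made file (rpm -V on the pam package, or debsums on libpam-modules, verifies the shipped module hashes), and the audit should run from a trusted location, since a root-level attacker who can drop a PAM module can also edit a script that lives on the same disk.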
THE BOTTOM LINE: PamDOORa's deep integration into Linux authentication systems creates a persistent backdoor that circumvents traditional security monitoring, making rapid detection and removal difficult for defenders.
