
New Linux backdoor Plague bypasses auth via malicious PAM module

Threat Score: 80 • 4 articles • 100.0% similarity • 13 hours ago


Key Insights

1. The Plague backdoor, discovered by Nextron Systems, exploits Pluggable Authentication Modules (PAM) to bypass authentication and maintain persistent SSH access on Linux systems - 'allowing attackers to silently bypass system authentication' [1][2].
2. Despite multiple samples uploaded to VirusTotal since July 2024, none of the 66 antivirus engines tested have detected Plague as malicious, highlighting its sophisticated evasion techniques [2][4].
3. The earliest known sample of Plague dates back to July 2024, with recent submissions as late as March 2025, indicating ongoing development by its unknown operators [2][3].
4. Plague's stealth capabilities include erasing SSH session evidence and utilizing static credentials, allowing for covert access without leaving forensic traces [1][2].
5. Researchers noted that the malware uses anti-debugging and string obfuscation techniques to resist analysis, making it a significant security threat for organizations using Linux [1][3].
6. The presence of different compilation artifacts across various Linux distributions, such as Debian and Ubuntu, suggests a broad deployment of the Plague backdoor in diverse environments [2][4].

Threat Overview

Cybersecurity researchers have identified a new Linux backdoor named Plague that poses a serious security threat by allowing attackers to bypass authentication and maintain persistent SSH access on compromised systems. Discovered by Nextron Systems, the malware operates as a malicious Pluggable Authentication Module (PAM), which is a set of shared libraries used for managing user authentication in Linux environments. According to Nextron researcher Pierre-Henri Pezier, 'The implant enables attackers to silently bypass system authentication and gain persistent SSH access.' Despite multiple samples of Plague being uploaded to VirusTotal since July 2024, none of the 66 antivirus engines tested have flagged it as malicious, underscoring its sophisticated evasion capabilities.

The earliest known instance of Plague dates back to July 2024, with the latest variants submitted as recently as March 2025. This indicates that the attackers are actively developing and adapting the malware. The backdoor's stealth features include the ability to erase evidence of SSH sessions by unsetting environment variables and redirecting command history to /dev/null, thereby preventing any audit trails. The malware also employs anti-debugging and string obfuscation techniques to resist analysis, complicating detection efforts.

Technical analysis reveals that Plague exploits PAM's architecture, which allows it to integrate deeply into the authentication stack of Linux systems. This enables credential theft and the ability to bypass authentication checks entirely. Researchers have noted that the presence of multiple compilation artifacts across various Linux distributions, including Debian and Ubuntu, suggests that Plague targets a wide range of environments. 'The malware's design allows it to maintain covert access while avoiding detection by traditional security measures,' stated a Nextron researcher.

In response to the threat, the cybersecurity community is urging organizations to implement robust monitoring and detection measures for their Linux systems. Security teams are advised to audit PAM configurations and monitor for unauthorized changes. As the malware continues to evolve, it remains crucial for organizations to stay informed about emerging threats and to take proactive defensive measures. 'Organizations must prioritize security hygiene to mitigate risks associated with advanced malware like Plague,' said a security analyst. Official guidance on specific patches or mitigation steps has not yet been released, but continuous vigilance is recommended as Plague's presence in the wild raises serious concerns for system integrity and security.
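The advice above to audit PAM configurations can be made a repeatable check. The following is an added example, not code from this page or from Nextron Systems: it parses /etc/pam.d-style files and flags any module that is not in a package-managed baseline, or that is loaded by absolute path from outside the standard module directories. The baseline, the directory list and the sample file contents are constructed assumptions.

```python
import re
# Directories distributions normally ship PAM modules in (assumption; adjust per distro).
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                 "/usr/lib/x86_64-linux-gnu/security/")
# Constructed baseline; on a real host derive it from the package manager,
# e.g. `dpkg -S /lib/x86_64-linux-gnu/security/*.so` or `rpm -qf <path>`.
BASELINE = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
            "pam_nologin.so", "pam_limits.so", "pam_motd.so"}

def parse_pam_config(text):
    """Yield (type, control, module, args) from /etc/pam.d-style text; handles comments,
    backslash continuations, [bracketed] controls and @include (type "@include")."""
    text = re.sub(r"\\\n", " ", text)           # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            yield ("@include", "", line.split(None, 1)[1].strip(), [])
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:                                   # malformed lines are skipped here
            ptype, control, module, rest = m.groups()
            yield (ptype, control, module, rest.split())

def find_unexpected_modules(configs, baseline=BASELINE):
    """Return [(file, module, reason)] for modules outside the baseline or loaded
    by absolute path from outside STANDARD_DIRS. configs: {file name: contents}."""
    findings = []
    for fname, text in configs.items():
        for ptype, _ctl, module, _args in parse_pam_config(text):
            if ptype == "@include":
                continue
            if "/" in module and not module.startswith(STANDARD_DIRS):
                findings.append((fname, module, "absolute path outside standard module dirs"))
            elif module.rsplit("/", 1)[-1] not in baseline:
                findings.append((fname, module, "module not in package baseline"))
    return findings

# Constructed sample: an ordinary sshd stack plus two injected entries.
SAMPLE = {
    "sshd": "# PAM configuration for sshd\n"
            "auth required pam_env.so\n"
            "auth [success=1 default=ignore] pam_unix.so nullok\n"
            "auth sufficient pam_unknown_example.so\n"             # constructed name
            "@include common-account\n"
            "session required /opt/tmp/pam_dropin_example.so\n",   # constructed path
    "common-account": "account required pam_unix.so\n",
}
```

On a live host, feed it the contents of every file under /etc/pam.d and build the baseline from `dpkg -S` or `rpm -qf` output; pair the parse results with file ownership and modification times on the module files themselves.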

Tactics, Techniques & Procedures (TTPs)

T1068 Exploitation of Elevation of Privilege - The Plague backdoor allows attackers to elevate privileges by manipulating PAM configurations [1][3].
T1071.001 Application Layer Protocol: Web Protocols - Plague uses SSH for command and control, enabling covert communications [2][4].
T1203 Exploitation for Client Execution - By installing as a PAM module, Plague exploits the authentication process to execute its payload [1][3].
T1136 Create Account - The malware may allow attackers to create unauthorized accounts to maintain access [2][4].
T1059.001 Command and Scripting Interpreter: PowerShell - Plague uses shell commands to manipulate environment variables and erase session logs [1][3].
T1583 Acquire Infrastructure - The ongoing development of Plague indicates that attackers are acquiring infrastructure for further exploitation [2][3].
T1528 Application Layer Protocol: SSH - The malware maintains persistent access through SSH, allowing attackers to execute commands remotely [1][2].

Timeline of Events

2024-07-29: First known samples of Plague uploaded to VirusTotal without detection by antivirus engines [1][2].
2024-08-02: Nextron Systems publicly announces discovery of Plague backdoor, detailing its functionalities and stealth capabilities [1][3].
2025-03: Latest samples of Plague submitted to VirusTotal, indicating continued development and adaptation by attackers [2][4].
2025-08-02: Ongoing analysis of the malware reveals its potential exploitation methods and the need for heightened security measures [1][4].

Source Citations

Expert quotes: Cybersecurity analyst (Article 2); Nextron Systems researcher (Article 1); Threat intelligence community (Article 4)
Primary findings: Technical capabilities (Articles 1, 3); Plague backdoor discovery (Articles 1, 3); Detection evasion analysis (Articles 2, 4)
Technical details: Attack methods (Articles 1, 2, 4); Exploitation techniques (Articles 3, 4)
Powered by ThreatCluster AI
Generated 27 minutes ago
Fresh Analysis
AI analysis may contain inaccuracies

Related Articles

4 articles

1. New Linux backdoor Plague bypasses auth via malicious PAM module
Security Affairs • 1 hour ago

A stealthy Linux backdoor named Plague, hidden as a malicious PAM module, allows attackers to bypass auth and maintain persistent SSH access. Nextron Systems researchers discovered a new stealthy Linux backdoor called Plague, hidden as a malicious PAM (Pluggable Authentication Module) module. It silently bypasses authentication and grants persistent SSH access. A Pluggable Authentication Module […]

Score 88 • 100.0% similarity

2. New ‘Plague’ PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft
The Hacker News • 11 hours ago

Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year. "The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said. Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Lin

Score 73 • 100.0% similarity

3. New Undetectable Plague Malware Targeting Linux Servers for Persistent SSH Access
GB Hackers • 14 hours ago

Security researchers have discovered a sophisticated Linux backdoor dubbed “Plague” that has remained undetected by all major antivirus engines despite multiple samples being uploaded to VirusTotal over the past year. The malicious software operates as a Pluggable Authentication Module (PAM), allowing attackers to silently bypass system authentication and maintain persistent SSH access to compromised Linux systems.

Score 65 • 99.0% similarity

4. New Undetectable Plague Malware Attacking Linux Servers to Gain Persistent SSH Access
Cybersecurity News • 15 hours ago

A sophisticated Linux backdoor dubbed Plague has emerged as an unprecedented threat to enterprise security, evading detection across all major antivirus engines while establishing persistent SSH access through manipulation of core authentication mechanisms. Discovered by cybersecurity researchers at Nextron Systems, this malware represents a paradigm shift in Linux-targeted attacks, exploiting Pluggable Authentication Modules (PAM) to […]

Score 60 • 99.0% similarity

Cluster Intelligence

Key entities and indicators for this cluster

VULNERABILITIES: Authentication Bypass, Backdoor, Malware
MITRE ATT&CK: T1059.001, T1071.001, T1136, T1203, T1528
MALWARE: Plague
ATTACK TYPES: Authentication Bypass, Credential Theft, SSH Access, Malicious PAM Backdoor, Persistent Access
INDUSTRIES: Cybersecurity, Information Technology
COMPANIES: Nextron Systems
CLUSTER INFORMATION: Cluster #1587, created 13 hours ago, semantic algorithm
