New Linux PamDOORa backdoor sold on cybercrime forum, researchers say

Cybersecurity researchers disclosed a new Linux backdoor called PamDOORa that is being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor using the name darkworm. The malware is built as a Pluggable Authentication Module, or PAM, implant that can provide persistent SSH access with a magic password and port combination and can harvest credentials from legitimate users.

KEY FACTS

  • Price: The asking price was listed at $1,600 on March 17, 2026, then cut to $900 by April 9.
  • Access method: The backdoor is designed to work with OpenSSH through PAM authentication.
  • Capabilities: It can capture credentials and tamper with authentication logs.
  • Target: The disclosure says it is aimed at Linux x86_64 systems.

A technical analysis by Flare.io said PamDOORa is the second Linux backdoor found to target the PAM stack, following Plague. PAM is a modular authentication framework used on Unix and Linux systems, and malicious changes to it can affect how users log in.

The report said PAM modules often run with root privileges, which makes a compromised module especially dangerous. It also noted that PAM does not store passwords itself but passes the values it handles to modules in plaintext, which increases the risk of credential theft if a module is altered.

Flare.io said the malware includes anti-forensic features that can tamper with authentication logs to erase traces of activity. The disclosure added that infections would likely require an attacker to already have root access, after which the PAM module could be deployed to capture credentials and keep SSH access open.
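Because an implant of this kind has to be wired into the PAM stack, one practical check is to audit the PAM configuration for module lines that reference a shared object the package manager does not own. The script below is an added example, not code from the Flare.io report or from the malware; the allowlist, the sample `/etc/pam.d/sshd` excerpt and the module name `pam_unknown.so` are constructed.

```python
# Added example, not code from the Flare.io report: audit PAM config text for
# module lines that reference a shared object outside an allowlist of
# package-owned modules, since a PAM implant has to be wired into the stack.
import re
from dataclasses import dataclass

# Constructed allowlist; on a real host build it from the package manager,
# e.g. `dpkg -S /lib/x86_64-linux-gnu/security/*.so` or `rpm -qf /lib64/security/*.so`.
TRUSTED_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_motd.so",
    "pam_nologin.so", "pam_keyinit.so", "pam_loginuid.so", "pam_limits.so",
    "pam_systemd.so", "pam_faillock.so", "pam_sepermit.so",
}

@dataclass
class PamEntry:
    line_no: int
    type: str     # auth, account, password, session
    control: str  # required, sufficient, ... or [key=value ...]
    module: str   # module name or absolute path
    args: str

# type, control (plain word or bracketed list), module, optional arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam_config(text):
    """Parse /etc/pam.d-style lines; comments, blanks and @include are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(PamEntry(n, *m.groups()))
    return entries

def find_suspicious(entries, trusted=TRUSTED_MODULES):
    """Entries whose module is off the allowlist or loaded by explicit path;
    a `sufficient` entry ahead of pam_unix.so deserves the closest look."""
    return [e for e in entries
            if "/" in e.module or e.module.rsplit("/", 1)[-1] not in trusted]

# Constructed /etc/pam.d/sshd excerpt; pam_unknown.so is a placeholder name.
SAMPLE_SSHD = """\
auth       required     pam_env.so
auth       sufficient   /lib/security/pam_unknown.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
account    required     pam_nologin.so
"""
```

Run `find_suspicious(parse_pam_config(open("/etc/pam.d/sshd").read()))` on a host to list entries worth verifying against the package database; a clean allowlist result is not proof of integrity, since a replaced module file keeps its original name.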

Morag said the tool goes beyond simple proof-of-concept code because it combines PAM hooks, credential capture, log tampering, anti-debugging, network-aware triggers and a builder pipeline into a more complete implant. There is no evidence in the report that PamDOORa has been used in real-world attacks.

WHY IT MATTERS

PAM-based backdoors can be difficult to spot because they sit inside a core authentication path and may give attackers persistent access once deployed. The findings also underline how root-level compromise can let intruders turn trusted login components into tools for credential theft and stealth.