PamDOORa: Linux Backdoor Exploits PAM Framework for SSH Credential Theft

Listing summary (Rehub forum advertisement)

  Title:               [SELL] PamDOORa — PAM-based SSH credential harvester + persistent backdoor [x86_64 Linux] [root required]
  Current price:       $900 (down from $1,600, a 44% drop)
  Forum:               Rehub (Russian cybercrime forum)
  Target architecture: x86_64 Linux, PAM-compatible distributions
  Access required:     root (post-exploitation only)
  Tags:                credential-harvesting, magic-password, anti-forensic, log-tampering, anti-debug, ssh-persistence, pam-hook

A threat actor known as 'darkworm' is advertising a new Linux backdoor on the Rehub Russian cybercrime forum that weaponizes Pluggable Authentication Module (PAM) infrastructure to harvest SSH credentials and establish persistent access. Named PamDOORa, the malware represents the second known Linux backdoor explicitly targeting the PAM authentication stack after Plague, marking an escalation in post-exploitation tooling for compromised Linux systems.

According to Flare.io researcher Assaf Morag, PamDOORa functions as a PAM-based post-exploitation toolkit designed for x86_64 Linux systems. The backdoor enables authentication through a magic password and specific TCP port combination while simultaneously capturing credentials from all legitimate users authenticating through the compromised system. Initially priced at $1,600 on March 17, 2026, darkworm reduced the price to $900 by April 9—a 44% discount suggesting either limited buyer interest or urgency to monetize the tool.

PAM Framework Exploitation Mechanics

PAM serves as a critical security framework in Unix/Linux operating systems, allowing administrators to integrate multiple authentication mechanisms without rewriting applications. The modularity that makes PAM powerful also creates an attack surface: PAM modules execute with root privileges inside the authenticating process, so a compromised or malicious module introduces severe security risks, including credential harvesting and unauthorized access.

Critical Context

PAM does not store passwords but transmits authentication values in plaintext between modules. This architectural characteristic makes PAM-based interception particularly dangerous—attackers gain access to cleartext credentials before hashing or encryption occurs.

Group-IB documented in September 2024 how the pam_exec module, which executes external commands, can be exploited by injecting malicious scripts into PAM configuration files. Attackers who gain initial root access can manipulate PAM configuration for SSH authentication to execute scripts via pam_exec, establishing privileged shells and stealthy persistence. PamDOORa operationalizes this attack vector into a commercial product with integrated anti-forensic capabilities.

Attack Chain Requirements

PamDOORa functions as a post-exploitation tool rather than an initial access vector. Threat actors must first obtain root access to the target host through separate means—privilege escalation exploits, compromised credentials, or supply chain attacks. Once root access is established, adversaries deploy the PamDOORa PAM module to capture credentials and maintain persistent SSH access.

The backdoor's design incorporates several technical features that distinguish it from proof-of-concept PAM backdoors available in public repositories. Beyond basic PAM hooks and credential capture, PamDOORa includes anti-debugging mechanisms, network-aware triggers, and a builder pipeline that places it closer to operator-grade tooling used by advanced threat actors.

Anti-Forensic Capabilities

PamDOORa incorporates methodical log tampering capabilities designed to erase traces of malicious activity from authentication logs. This anti-forensic functionality complicates incident response and forensic investigation by removing evidence of unauthorized access. The backdoor's ability to systematically manipulate logs while maintaining operational security represents a significant evolution in Linux malware sophistication.

Detection Challenge

Because PAM modules operate at the authentication layer with root privileges, detecting malicious PAM modules requires baseline integrity monitoring, configuration auditing, and behavioral analysis rather than signature-based detection alone.
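The pam_exec injection described under "PAM Framework Exploitation Mechanics" and the baseline-and-audit approach called for here both reduce to checking two artefacts on disk: the /etc/pam.d rule files and the module shared objects PAM loads. The script below is an added example written for this article; it is not code from the article, from Flare.io, or from any tool it names. The sample pam.d content, the expected-module set, the fake module files, and the /tmp/EXAMPLE-hook.sh script path are all constructed for the demonstration; the standard module directories are the usual distribution locations and should be adjusted to the host being audited.

```python
"""Audit pam.d rules and PAM module files for tampering (added example)."""
import hashlib
import os
import re
import tempfile

# Directories where distributions legitimately install PAM modules (assumption:
# adjust for the target distribution).
STANDARD_MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# One pam.d rule: optional leading '-', type, control (bracketed or one word),
# module path, then free-form arguments.
PAM_RULE = re.compile(
    r"^\s*-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*?)\s*$"
)

# Constructed sample /etc/pam.d/sshd: a normal stack plus two hypothetical
# backdoor rules. The hook script path is a placeholder, not from the article.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth    required    pam_env.so
auth    optional    pam_exec.so seteuid /tmp/EXAMPLE-hook.sh   # HYPOTHETICAL
@include common-auth
account [success=1 default=ignore] pam_succeed_if.so user ingroup admins
-session optional /opt/tmp/pam_custom.so
session required    pam_unix.so
"""

# Modules a reviewed, known-good sshd stack is expected to reference (constructed).
EXPECTED_SSHD_MODULES = {"pam_env.so", "pam_succeed_if.so", "pam_unix.so"}


def parse_pam_config(text):
    """Return the module rules of one pam.d file as a list of dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # comment, blank line or include directive
        m = PAM_RULE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def audit_rules(rules, expected_modules):
    """Flag rules a PAM backdoor would add: pam_exec, unknown or odd-path modules."""
    findings = []
    for r in rules:
        module, name = r["module"], os.path.basename(r["module"])
        if name == "pam_exec.so":
            findings.append(f"pam_exec in {r['type']} stack runs: {r['args']}")
        if module.startswith("/") and os.path.dirname(module) not in STANDARD_MODULE_DIRS:
            findings.append(f"module loaded from non-standard path: {module}")
        if name not in expected_modules:
            findings.append(f"module not in expected set: {name}")
    return findings


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_baseline(module_dir):
    """Map module file name -> sha256 for every file in a module directory."""
    return {f: sha256_of(os.path.join(module_dir, f)) for f in sorted(os.listdir(module_dir))}


def audit_modules(module_dir, baseline):
    """Compare on-disk modules with a baseline captured from a known-good host."""
    current = build_baseline(module_dir)
    findings = []
    for name in sorted(set(current) | set(baseline)):
        if name not in baseline:
            findings.append(f"new module file: {name}")
        elif name not in current:
            findings.append(f"baseline module missing: {name}")
        elif current[name] != baseline[name]:
            findings.append(f"module changed since baseline: {name}")
    return findings


def demo_module_audit():
    """Constructed scenario: baseline two fake modules, then alter one and add one."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pam_unix.so", "pam_env.so"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"fake-" + name.encode())
        baseline = build_baseline(d)
        with open(os.path.join(d, "pam_unix.so"), "ab") as fh:
            fh.write(b"\x90")  # module modified after the baseline was taken
        with open(os.path.join(d, "pam_helper.so"), "wb") as fh:
            fh.write(b"fake-new")  # module dropped after the baseline was taken
        return audit_modules(d, baseline)


if __name__ == "__main__":
    for f in audit_rules(parse_pam_config(SAMPLE_SSHD), EXPECTED_SSHD_MODULES):
        print("config:", f)
    for f in demo_module_audit():
        print("modules:", f)
```

In production the baseline would be captured from package-manager metadata or a freshly built image and stored off-host, since a backdoor running as root can rewrite a local baseline as easily as it rewrites a log. The config audit is also worth running on every file in /etc/pam.d, not only sshd, because the same module stack is often shared through @include directives.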

Commercial Malware Market Indicators

The rapid price reduction from $1,600 to $900 within three weeks provides insight into underground malware market dynamics. The 44% discount indicates either limited demand for Linux-focused post-exploitation tools or the threat actor's need to accelerate monetization before detection signatures proliferate. As of May 2026, no evidence suggests PamDOORa has been deployed in real-world attacks, though the absence of public reporting doesn't confirm the malware remains unused.

The Rehub forum listing and darkworm's pricing strategy suggest this represents targeted marketing to financially motivated cybercriminals or state-sponsored operators seeking Linux persistence mechanisms. The tool's feature set and modular design indicate development by threat actors with operational experience rather than script-based experimentation.

Defensive Recommendations

Organizations operating Linux infrastructure should implement multiple defensive layers to detect and prevent PAM-based compromise. These measures address both the initial access requirements and the post-exploitation capabilities PamDOORa leverages.

Strategic Implications

PamDOORa represents the commercialization of PAM exploitation techniques previously documented in research contexts and proof-of-concept code. The availability of operator-grade tooling targeting Linux authentication infrastructure lowers the technical barrier for post-exploitation persistence, expanding the threat landscape for organizations running Linux servers, containers, and cloud infrastructure.

Security teams should recognize that PAM-based backdoors exploit legitimate operating system functionality rather than software vulnerabilities, making traditional vulnerability management insufficient. Defensive strategies must focus on configuration integrity, behavioral monitoring, and detecting malicious use of legitimate authentication mechanisms. The appearance of commercial PAM backdoors indicates threat actors recognize the value of authentication-layer persistence and are investing in tools that exploit this attack surface.
