“Plague”: A New PAM Backdoor Targeting Linux Systems with Silent Credential Theft

Cybersecurity researchers have discovered a new Linux backdoor called Plague that has stayed hidden for over a year. This malware works as a malicious PAM (Pluggable Authentication Module), letting attackers quietly bypass normal login procedures and keep persistent SSH access to affected systems.

PAM modules are the components that handle user authentication on Linux and UNIX systems. Because they run with high privileges inside the login path, a malicious PAM module can steal credentials, skip authentication checks, and stay under the radar of most security tools.

Nextron Systems found several versions of Plague uploaded to VirusTotal starting in late July 2024, none of which were detected by antivirus programs. The variety of samples suggests the malware is actively being developed by unknown hackers.

Plague has some clever tricks to avoid being caught: it uses hardcoded credentials for secret access, includes protections against debugging and reverse engineering, and hides its activity by clearing SSH-related environment variables like SSH_CONNECTION and SSH_CLIENT. It also stops commands from being saved in shell history by redirecting the history file to /dev/null.
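The two tampering techniques described above (an unexpected module wired into the PAM stack, and sessions whose history file is sent to /dev/null or whose SSH_* variables have been stripped) are both things an administrator can audit for. The following is an added example written for this page, not code from the article or from Nextron Systems; it parses a constructed /etc/pam.d-style configuration against a constructed allowlist of expected module names, and checks constructed process records for the session-level signs. The module filename `pam_example_unknown.so` and the allowlist are assumptions for illustration; the `read_proc_environ` helper shows how the same check would read a live process environment from /proc on a real host.

```python
"""Audit PAM configuration and shell-session environments for the signs of
PAM-level tampering described in the article. Example code, not from the
article; all sample data below is constructed."""
import os
from typing import Dict, List, Tuple

# Constructed sample resembling /etc/pam.d/sshd. The last line loads a
# hypothetical out-of-tree module by absolute path (placeholder name).
SAMPLE_PAM_CONFIG = """\
# PAM configuration for sshd (constructed sample, not a real host's file)
@include common-auth
auth       required     pam_env.so
auth       [success=1 default=ignore]  pam_unix.so nullok_secure
auth       requisite    pam_deny.so
account    required     pam_nologin.so
session    optional     pam_systemd.so
auth       sufficient   /usr/lib/security/pam_example_unknown.so
"""

# Constructed allowlist: module basenames the administrator expects on this host.
EXPECTED_MODULES = {
    "pam_env.so", "pam_unix.so", "pam_deny.so",
    "pam_nologin.so", "pam_systemd.so", "pam_permit.so",
}

PAM_TYPES = ("auth", "account", "password", "session")


def parse_pam_lines(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, type, control, module) for each module line.

    Handles bracketed controls such as [success=1 default=ignore], which
    contain spaces, and skips comments, blank lines and @include directives.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].lstrip("-") not in PAM_TYPES:
            continue
        if tokens[1].startswith("["):
            ends = [i for i, t in enumerate(tokens) if t.endswith("]")]
            if not ends or ends[0] + 1 >= len(tokens):
                continue  # malformed bracketed control; skip the line
            control = " ".join(tokens[1:ends[0] + 1])
            module = tokens[ends[0] + 1]
        else:
            control, module = tokens[1], tokens[2]
        entries.append((line_no, tokens[0], control, module))
    return entries


def unexpected_pam_modules(text: str, expected=EXPECTED_MODULES) -> List[Tuple[int, str]]:
    """Flag module entries whose basename is not on the allowlist, or that
    are loaded by absolute path (worth a look: distro configs use basenames)."""
    findings = []
    for line_no, _type, _control, module in parse_pam_lines(text):
        if os.path.basename(module) not in expected or os.path.isabs(module):
            findings.append((line_no, module))
    return findings


def suspicious_sessions(procs: List[Dict]) -> Dict[int, List[str]]:
    """Each record is {"pid": int, "parent": comm-of-parent, "env": {...}}.
    Reports HISTFILE=/dev/null, and shells spawned by sshd that lack the
    SSH_CONNECTION / SSH_CLIENT variables sshd normally sets."""
    report: Dict[int, List[str]] = {}
    for rec in procs:
        env, reasons = rec["env"], []
        if env.get("HISTFILE") == "/dev/null":
            reasons.append("HISTFILE=/dev/null (shell history suppressed)")
        if rec["parent"] == "sshd" and not ({"SSH_CONNECTION", "SSH_CLIENT"} & env.keys()):
            reasons.append("child of sshd with SSH_CONNECTION/SSH_CLIENT missing")
        if reasons:
            report[rec["pid"]] = reasons
    return report


def read_proc_environ(pid: int) -> Dict[str, str]:
    """Read a live process environment from /proc (Linux only; not used by
    the constructed sample below, shown for real-host use)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        items = fh.read().split(b"\0")
    return dict(i.decode(errors="replace").split("=", 1) for i in items if b"=" in i)


# Constructed process records: one normal SSH shell, one tampered one.
SAMPLE_PROCS = [
    {"pid": 1201, "parent": "sshd",
     "env": {"SSH_CONNECTION": "198.51.100.7 51022 203.0.113.5 22", "HISTFILE": "/home/ops/.bash_history"}},
    {"pid": 1302, "parent": "sshd", "env": {"HISTFILE": "/dev/null", "TERM": "xterm"}},
    {"pid": 900, "parent": "login", "env": {"HISTFILE": "/root/.bash_history"}},
]

if __name__ == "__main__":
    for line_no, module in unexpected_pam_modules(SAMPLE_PAM_CONFIG):
        print(f"PAM line {line_no}: unexpected module {module}")
    for pid, reasons in suspicious_sessions(SAMPLE_PROCS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

On a real host the allowlist should be derived from the package manager (for example, the files a distribution's PAM packages own) rather than typed by hand, and the environment records should come from `read_proc_environ` plus the parent name from `/proc/<pid>/stat`; a module that passes both checks can still be trojaned in place, so pairing this with package-integrity verification of the PAM libraries themselves is the natural next step.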

According to Nextron researcher Pierre-Henri Pezier, “Plague digs deep into the authentication system and even survives system updates. Its combination of stealth features and environment tampering makes it really tough to detect with usual security tools.”

Francesco Marotta
