Stealthy ‘Plague’ Backdoor Hits Linux Systems

Posted on September 3, 2025 (updated March 9, 2026) by Finstein.ai

In late July 2025, threat hunters at Nextron Systems uncovered a stealthy Linux backdoor dubbed Plague, implemented as a malicious PAM (Pluggable Authentication Module). Because PAM modules execute inside the authentication stack used by sshd, login and su, a malicious module can accept a credential of the attacker's choosing and return success without any error; Plague uses this to bypass authentication silently, keep persistent SSH access and leave minimal forensic traces, which makes it extremely difficult to detect.

Plague has been in circulation since at least mid-2024, and multiple compiled variants have been found in the wild, none of them flagged by antivirus engines at the time of the write-up. It embeds deeply into the authentication stack, survives system updates, and actively sanitizes SSH session evidence by unsetting environment variables and disabling shell history logging.
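The mechanism above suggests three cheap host checks: a PAM config entry that does not look like a genuine module or that can satisfy the auth stack on its own, a module file in the PAM directory that no package owns, and an sshd child shell whose environment has been stripped. The script below is an added example written for this post, not code from the original article or from Nextron's analysis. Every input it consumes (the pam.d text, the module inventory and its hash manifest, the /proc-style environ blob) is constructed; on a live host you would read /etc/pam.d/*, hash the files in the distribution's PAM module directory against the package manifest, and read /proc/<pid>/environ of sshd's children. The specific variable names checked in the environment (SSH_CONNECTION, SSH_CLIENT, HISTFILE) and the "sufficient" allowlist are this example's assumptions; the post only says that environment variables are unset and history logging disabled.

```python
"""Hunt for PAM-backdoor indicators in PAM configs, module files and
SSH session environments. Added example; all inputs are constructed."""
import hashlib
import re
from typing import Dict, List

# Where Debian/Ubuntu and RHEL-family installs put PAM modules.
STANDARD_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                        "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                        "/usr/lib/x86_64-linux-gnu/security/")
# Modules a stock install might legitimately mark "sufficient" for auth.
# Constructed allowlist (assumption); derive yours from a golden image.
KNOWN_SUFFICIENT_AUTH = {"pam_unix.so", "pam_sss.so", "pam_krb5.so", "pam_ldap.so"}

PAM_LINE = re.compile(r"^(?P<type>-?(?:auth|account|password|session))\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+).*$")


def audit_pam_config(name: str, text: str) -> List[str]:
    """Flag config entries shaped like an authentication bypass."""
    findings: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m is None:
            findings.append(f"{name}:{n}: unparseable PAM line {line!r}")
            continue
        mtype = m.group("type").lstrip("-")
        control, module = m.group("control"), m.group("module")
        base = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            findings.append(f"{name}:{n}: module loaded from non-standard path {module}")
        # Genuine modules are named pam_<name>.so; Plague samples used libselinux.so.8.
        if not re.fullmatch(r"pam_[a-z0-9_]+\.so", base):
            findings.append(f"{name}:{n}: {base!r} does not follow pam_*.so naming")
        # An unknown "sufficient" auth module can accept a password on its own.
        if mtype == "auth" and control == "sufficient" and base not in KNOWN_SUFFICIENT_AUTH:
            findings.append(f"{name}:{n}: unknown module {base!r} can satisfy auth by itself")
    return findings


def audit_module_inventory(inventory: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Compare on-disk module bytes with package-manifest SHA-256 values."""
    findings = []
    for path, content in sorted(inventory.items()):
        expected = manifest.get(path)
        if expected is None:
            findings.append(f"{path}: not in package manifest")
        elif expected != hashlib.sha256(content).hexdigest():
            findings.append(f"{path}: hash differs from package manifest")
    return findings


def audit_session_env(pid: int, environ: bytes) -> List[str]:
    """Check an sshd child's /proc/<pid>/environ for stripped session evidence.
    The variable names are an assumption of this example, not from the post."""
    env = dict(kv.split(b"=", 1) for kv in environ.split(b"\x00") if b"=" in kv)
    findings = []
    for var in (b"SSH_CONNECTION", b"SSH_CLIENT"):
        if var not in env:
            findings.append(f"pid {pid}: {var.decode()} missing from sshd child environment")
    if env.get(b"HISTFILE") == b"/dev/null":
        findings.append(f"pid {pid}: HISTFILE=/dev/null (shell history disabled)")
    return findings


# Constructed sample inputs.
SAMPLE_SSHD_PAM = """\
# constructed /etc/pam.d/sshd with one injected line
auth    sufficient   libselinux.so.8
@include common-auth
account required     pam_nologin.so
session optional     pam_motd.so
"""
SAMPLE_COMMON_AUTH = """\
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""
GOOD_PAM_UNIX = b"ELF pam_unix placeholder"  # stands in for the real ELF bytes
SAMPLE_INVENTORY = {
    "/lib/x86_64-linux-gnu/security/pam_unix.so": GOOD_PAM_UNIX,
    "/lib/x86_64-linux-gnu/security/libselinux.so.8": b"ELF unknown placeholder",
}
SAMPLE_MANIFEST = {"/lib/x86_64-linux-gnu/security/pam_unix.so":
                   hashlib.sha256(GOOD_PAM_UNIX).hexdigest()}
SAMPLE_ENVIRON = b"USER=root\x00HISTFILE=/dev/null\x00TERM=xterm\x00"


def run_demo() -> List[str]:
    findings = audit_pam_config("sshd", SAMPLE_SSHD_PAM)
    findings += audit_pam_config("common-auth", SAMPLE_COMMON_AUTH)
    findings += audit_module_inventory(SAMPLE_INVENTORY, SAMPLE_MANIFEST)
    findings += audit_session_env(4242, SAMPLE_ENVIRON)
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING", finding)
```

On the constructed input the demo reports six findings: two for the injected sshd line, one for the unpackaged file in the module directory, and three for the stripped environment. The naming and path checks are deliberately strict; a site that ships a custom module under a non-standard name should add it to the allowlist rather than loosen the regex.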

Technically, Plague employs layered string obfuscation: a byte-wise XOR, an RC4-style KSA/PRGA keystream, and a DRBG-based third layer. These mechanisms change from version to version, so static string extraction yields little and emulation-based tooling is needed to recover meaningful indicators. The malware also performs anti-debugging checks to frustrate debuggers and sandbox analysis.
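For an analyst writing a decoder, the two layers that can be reproduced from the description are the XOR and the RC4-style keystream. The code below is an added example written for this post, not code from the original article or from Nextron's tooling. The keys, the order of the layers and the sample blob are all constructed here; Plague's real keys, its per-version changes and the DRBG-based third layer are not described on the page, so this shows the shape of the decoder and the KSA/PRGA pattern to recognise in disassembly (a 256-entry permutation built with modular adds and swaps, then a byte-at-a-time swap-and-index loop), not the malware's exact scheme.

```python
"""Generic two-layer string decoder: repeating-key XOR over an RC4-style
KSA/PRGA keystream. Added example; keys and sample blob are constructed."""
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: List[int], n: int) -> bytes:
    """Pseudo-random generation: emit n keystream bytes from the permutation."""
    s = s[:]  # work on a copy so the caller's S-box is untouched
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_layered(plain: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Constructed obfuscator: keystream first, then XOR (the order is an assumption)."""
    return xor_bytes(xor_bytes(plain, rc4_prga(rc4_ksa(rc4_key), len(plain))), xor_key)


def decode_layered(blob: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Undo encode_layered: peel the XOR layer, then the keystream layer."""
    inner = xor_bytes(blob, xor_key)
    return xor_bytes(inner, rc4_prga(rc4_ksa(rc4_key), len(inner)))


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Split decoded bytes on NUL and keep printable-ASCII runs, like strings(1),
    so recovered indicators can go straight into a YARA rule or watchlist."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: a NUL-separated string table holding the static passwords
# named in the write-up, obfuscated with keys chosen for this example.
SAMPLE_RC4_KEY = b"constructed-rc4-key"
SAMPLE_XOR_KEY = bytes([0x5A, 0xA5, 0x3C])
SAMPLE_STRINGS = b"changeme\x00Mvi4Odm6tld7\x00IpV57KNK32Ih\x00"
SAMPLE_BLOB = encode_layered(SAMPLE_STRINGS, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)


def recover_sample() -> List[str]:
    """Decode the constructed blob and pull out the string table."""
    return printable_strings(decode_layered(SAMPLE_BLOB, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY))


if __name__ == "__main__":
    print(recover_sample())
```

Because both layers are involutions, a decoder and an encoder differ only in the order the layers are applied; once the key bytes and the layer order are read out of a sample, the same loop recovers every string in its table. The RC4 core can be checked against the public test vector (key "Key", plaintext "Plaintext" encrypts to BBF316E8D940AF0AD3) before trusting it on a real sample.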

Known samples masquerade as libselinux.so.8 and were built with Debian and Ubuntu toolchains. Hardcoded static passwords (e.g., Mvi4Odm6tld7, IpV57KNK32Ih, changeme) grant covert access to anyone who knows them. Attribution remains unclear, though early sample names and an embedded movie-quote reference suggest deliberate intent and operational maturity.

Plague underscores the need for proactive detection: behavioral analytics, YARA-based hunting, and integrity checks on core authentication components such as PAM modules, since a threat living in the authentication stack of a Linux host will not be caught by signature scanning alone.

Contact us: Finstein Cyber — Cybersecurity & VAPT Services

Source : https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

#LinuxSecurity #CyberThreats #BackdoorDetection #PAMExploit #PlagueMalware #CyberSecurityAlert #AdvancedPersistentThreats #SSHBackdoor #MalwareAnalysis #ThreatHunting #ObfuscatedMalware #YARAHunting #CyberForensics #APT #LinuxBackdoor #SystemSecurity #BehavioralAnalytics #InfoSec #CyberAwareness #SecurityResearch #CyberDefense
