Security researchers have discovered an unusually sophisticated Linux backdoor that operates as a malicious pluggable authentication module (PAM). Dubbed "Plague" by researchers at Nextron, the stealthy backdoor lets attackers bypass normal authentication and silently establish persistent secure shell (SSH) access.
The researchers said in a blog post, "Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces." "Combined with layered obfuscation and environment tampering, this makes it exceptionally difficult to detect using traditional tools."
PAM, which serves as the trusted authentication framework on Linux, lets the implant give attackers covert access. The researchers said it has been active since July 29, 2024 and has evolved through new variants, the most recent appearing as late as March 2025.
The payloads Nextron observed carried compilation artifacts for Debian, Ubuntu and other distributions, suggesting broad targeting across Linux environments.
Integrated into the authentication stack
Plague's architecture lets it embed itself deep in the system's authentication stack. It operates through an innocuous-looking shared library (libselinux.so.8) while hijacking the PAM function pam_sm_authenticate(), the very mechanism that handles user credentials at login.
That injection makes Plague part of the login process itself: the attackers get a hidden backdoor through a hardcoded password, without any user authentication, the researchers said. Because it operates at the authentication layer, there is no separate malware loader or persistence mechanism. The backdoor is triggered whenever the PAM stack is invoked, such as through SSH or sudo.
By hijacking legitimate system behaviour, Plague's design also makes it resilient to upgrades and hard to detect with traditional security tools, including antivirus engines.
The researchers said, "Although many variants of this backdoor have been uploaded to VirusTotal over the past year, not a single antivirus engine flags them as malicious." "To our knowledge, there are no public reports or detection rules available for this threat, suggesting it has quietly gone undetected in many environments."
According to a screenshot shared in the blog post, dozens of variants uploaded to VirusTotal in the past year were detected by 0 of 66 engines.
From obfuscation to audit evasion
Plague's stealth features have grown over time. Early versions used simple XOR-based string encoding, but later variants deploy multi-layer encryption, including a custom KSA/PRGA routine and a DRBG-based stage, to keep payloads and strings obfuscated until they are decrypted at runtime.
The use of these cryptographic routines, the key-scheduling algorithm (KSA) and pseudo-random generation algorithm (PRGA) familiar from RC4-style stream ciphers, plus a deterministic random bit generator (DRBG), gives the malware a degree of protection against both static signature scanning and sandbox analysis.
Despite how long it has been running, attribution for Plague remains unknown. The malware's authors did, however, leave a few clues behind the de-obfuscation routine. One sample, called "Hijac", references the film "Hackers" in a message printed after pam_sm_authenticate: "Uh. Mr. The Plague, sir? I think we have a hacker," the message reads.
Nextron advises adopting behavioural, memory-based and PAM-focused forensic strategies. Security teams are also advised to actively audit PAM configuration, monitor for newly dropped .so files in /lib/security/, and watch for environment tampering or suspicious cleanup behaviour.
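As an added example of the PAM configuration audit the researchers recommend (this is not code from the article or from Nextron), the following script parses /etc/pam.d-style lines and flags any module that is outside a trusted baseline or that does not follow the pam_*.so naming convention, which is how a library named like libselinux.so.8 wired into the auth stack would stand out. The baseline set and the sample config are constructed for illustration; feed it the contents of your own /etc/pam.d files to audit a live host.

```python
"""Audit PAM configuration for non-baseline modules (added example, not from the article)."""
import os
import re

# Hypothetical baseline of module names expected on this host; trim to your own build.
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
            "pam_faildelay.so", "pam_nologin.so", "pam_motd.so"}

# Constructed sample modelled on a Debian-style common-auth, with one extra module line.
SAMPLE_CONFIG = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    sufficient                      libselinux.so.8
@include common-session
"""

# type  control  module-path  [args]; control may be a bracketed action list.
_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
                   r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam_config(text):
    """Return (type, control, module, args) for every module line in a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("@include"):   # includes are other files
            continue
        m = _LINE.match(line)
        if m:
            entries.append((m["type"].lstrip("-"), m["control"],
                            m["module"], m["args"] or ""))
    return entries


def suspicious_modules(entries, baseline=BASELINE):
    """Flag modules absent from the baseline or not named like a PAM module (pam_*.so)."""
    flagged = []
    for mtype, control, module, _args in entries:
        name = os.path.basename(module)
        if name not in baseline or not name.startswith("pam_"):
            flagged.append((mtype, control, module))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_modules(parse_pam_config(SAMPLE_CONFIG)):
        print("non-baseline PAM module:", hit)
```

Any hit should be cross-checked against the package manager (dpkg -S or rpm -qf on the module path) and the file's modification time in the PAM module directory.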