PamDOORa: New Linux Backdoor Sells for $900 on Russian Forum, Harvests SSH Credentials via PAM

A threat actor calling themselves "darkworm" has listed a commercial Linux post-exploitation backdoor named PamDOORa for sale on Rehub, a Russian-language cybercrime forum, initially priced at $1,600 and subsequently discounted to $900. The tool works by injecting a malicious module into PAM (Pluggable Authentication Modules — the Linux framework that handles login and authentication for SSH and other services), allowing attackers with root access to maintain persistent entry through a "magic password" that bypasses normal credentials for any account, harvest plaintext passwords from every legitimate user who logs in, and erase evidence of their access from authentication logs. The discovery and analysis were conducted by Assaf Morag of Flare.io, with additional technical context published by The Hacker News.

PAM Backdoors: Technical Details

To understand why PamDOORa is dangerous, it helps to understand what PAM (Pluggable Authentication Modules) is. PAM is a component built into virtually every Linux distribution that handles authentication decisions for system services — including SSH (Secure Shell, the encrypted protocol administrators use to log into servers remotely). When a user attempts to log in via SSH, the SSH server passes the credentials to PAM, which checks them against the system's authentication stack (a configurable sequence of modules that can include password checks, multi-factor authentication, LDAP lookups, and more). The authentication decision comes back from PAM and SSH acts on it.

PamDOORa exploits this by inserting a malicious shared library (a .so file — the Linux equivalent of a Windows DLL) into PAM's module directory. This malicious module hooks the core PAM function pam_sm_authenticate() — the function that makes the pass/fail decision on every login attempt.

Once the hook is in place, PamDOORa operates through three mechanisms:

1. Magic password bypass. The backdoor contains a hardcoded secret password. When an attacker supplies this magic password via SSH along with a specific TCP port combination, pam_sm_authenticate() returns PAM_SUCCESS unconditionally — granting login as any user, including root, regardless of whether the real account password matches. The TCP port condition limits exposure to attackers who know both components, making the backdoor harder to stumble upon accidentally or detect through broad port scanning.

2. Credential interception. PAM does not store passwords; it processes them in plaintext within the execution context of each authentication attempt. PamDOORa intercepts the plaintext credential as it passes through pam_sm_authenticate() and forwards it to the attacker — effectively installing a live keylogger at the authentication layer of the operating system itself. Every legitimate user who logs into a server running PamDOORa via SSH provides their password directly to the attacker.

3. Authentication log tampering. Linux systems record SSH login events to /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS/Fedora). PamDOORa actively tampers with these log files to erase evidence of malicious logins — making forensic investigation significantly harder because the standard audit trail for access events is corrupted.

PamDOORa also includes anti-debugging protections designed to resist dynamic analysis in sandboxed environments and a builder pipeline (a configuration system for generating custom-built variants) that distinguishes it from the simpler open-source PAM backdoor proof-of-concepts that have circulated in the security research community for years. These features together indicate a commercially oriented tool designed for operational reliability rather than just technical demonstration.

MITRE ATT&CK categorizes this technique as T1556.003 (Modify Authentication Process: Pluggable Authentication Modules — a technique in which adversaries modify the PAM configuration or replace PAM modules to capture credentials or bypass authentication controls).

Exploitation Status and Threat Landscape

As of May 8, 2026, no confirmed real-world attacks using PamDOORa specifically have been documented in public reporting. The tool was first listed on Rehub on March 17, 2026, giving it approximately seven weeks of availability on the criminal marketplace before public disclosure. The price reduction from $1,600 to $900 by April 9 may reflect competitive pricing pressure from other tools or an effort to broaden the buyer base.

The Rehub forum is a Russian-language cybercrime marketplace that has hosted commodity malware-as-a-service offerings including information stealers, ransomware builders, and remote access tools. The commercialization of PAM backdoors represents a maturation of the Linux post-exploitation market — capability that previously required custom development is now available as a packaged product for operators with limited technical depth.

PamDOORa is a post-exploitation tool, meaning it requires the attacker to already have root access to a target system before installation. This makes it a persistence and lateral movement tool rather than an initial access exploit. Typical attack chains would involve using a known vulnerability (such as an unpatched kernel LPE or a web application exploit that yields root) to gain initial access, then deploying PamDOORa to establish durable persistence that survives detection and response efforts, because defenders checking running processes and network connections may miss a backdoor embedded at the authentication layer.

Who Is Affected

Any Linux server running SSH with password-based authentication is within the threat model for PamDOORa. This includes:

  • Cloud VMs (AWS EC2, Google Compute Engine, Azure VMs) configured for password-based SSH
  • On-premises Linux servers in data centers
  • Development and build servers — historically common targets for credential harvesting because they hold source code access tokens, cloud credentials, and package signing keys
  • IoT and embedded systems running Linux with SSH exposed

The attack surface is particularly relevant for organizations that have not enforced SSH key-only authentication, have not implemented MFA for server access, or rely on PAM's default configuration without integrity monitoring.

What You Should Do Right Now

PamDOORa requires root access to install, so primary prevention is securing the paths to root. Secondary controls focus on detecting PAM tampering and removing the backdoor's operational effectiveness.

  • Enforce SSH key-only authentication. Disable password-based SSH login by setting PasswordAuthentication no and ChallengeResponseAuthentication no in /etc/ssh/sshd_config. This removes the PamDOORa magic-password bypass from the attacker's toolkit entirely, because password authentication is the mechanism it exploits.
  • Verify PAM module integrity immediately. Compare all .so files under /lib/security/ (or /lib64/security/) against checksums from your package manager:
```bash
# Debian/Ubuntu
debsums libpam-modules

# RHEL/CentOS/Fedora
rpm -V pam
```

Any file that fails checksum validation should be treated as potentially compromised.

  • Inspect PAM configuration files for unauthorized entries. Check /etc/pam.d/sshd and /etc/pam.d/common-auth for module references you did not configure:
```bash
# grep -r prefixes each hit with the file name, so comments are filtered on
# "<file>:   #" rather than on a leading "#"; requisite is a valid control too
grep -rE "include|required|requisite|sufficient|optional" /etc/pam.d/ | grep -v ':[[:space:]]*#'
```

  • Deploy file integrity monitoring on PAM directories. Configure AIDE, Tripwire, or Wazuh to monitor /lib/security/, /lib64/security/, /usr/lib/security/, and /etc/pam.d/ for any modification. Alert immediately on unexpected file changes in these paths.
  • Audit authentication logs for gaps. If PamDOORa is active, auth logs will have suspicious holes — successful SSH sessions that do not appear in /var/log/auth.log. Correlate SSH connection events (which may still appear in network logs or firewall logs) against PAM authentication entries to identify discrepancies.
  • Check for unusual .so files in PAM module directories:
```bash
# Not every distribution has every directory; errors for missing paths are suppressed
ls -la /lib/security/ /lib64/security/ /usr/lib/security/ /usr/lib/x86_64-linux-gnu/security/ 2>/dev/null
```

Unexpected filenames, recent modification timestamps, or file sizes inconsistent with known modules should prompt immediate investigation.
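The integrity and configuration checks above can be scripted so they run the same way on every host. The following is an added example written for this article, not code from Flare.io, The Hacker News, or any PAM project. It applies the two checks (unexpected or recently modified .so files in a PAM module directory, and module references in a pam.d file that nobody reviewed) to a constructed inventory and a constructed common-auth sample, so it runs offline; the module name pam_sshlogin.so and the file list are invented for the demonstration. On a live system the inventory would come from find, stat and dpkg -S / rpm -qf, and the text from the real /etc/pam.d/ files.

```python
"""Offline audit of PAM module directories and /etc/pam.d/ entries.

Added illustration; not part of the article or any vendor tool. It applies
the checks the article recommends (unexpected .so files, recent
modification times, module references you did not configure) to a
constructed inventory so it runs without a live system.
"""
from dataclasses import dataclass
import re

DAY = 86400

@dataclass(frozen=True)
class ModuleFile:
    path: str
    mtime: float        # seconds since the epoch, as returned by stat()
    size: int
    owned_by_pkg: bool  # True when dpkg -S / rpm -qf maps the file to a package

def audit_module_files(files, now, recent_days=30):
    """Map each suspicious .so path to the list of reasons it was flagged."""
    findings = {}
    for f in files:
        if not f.path.endswith(".so"):
            continue
        reasons = []
        if not f.owned_by_pkg:
            reasons.append("not owned by any installed package")
        if now - f.mtime < recent_days * DAY:
            reasons.append(f"modified within the last {recent_days} days")
        if reasons:
            findings[f.path] = reasons
    return findings

# type  control  module [args]; the control may be a bracketed action list such
# as [success=1 default=ignore]; a leading '-' marks the module as optional-if-missing
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pamd(text):
    """Yield (type, control, module) for every active line of a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def unexpected_modules(text, allowlist):
    """Modules referenced in the file that are absent from the reviewed allowlist.
    include/substack lines reference other pam.d files, not modules, so they
    are skipped here; audit those files separately."""
    return [mod for _, ctl, mod in parse_pamd(text)
            if ctl not in ("include", "substack") and mod not in allowlist]

# Modules the administrator has reviewed and expects to see in common-auth.
KNOWN_AUTH_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cap.so"}

# Constructed sample of /etc/pam.d/common-auth with one extra line appended.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
auth    sufficient                  pam_sshlogin.so   # constructed name, not a real module
"""

# Constructed directory inventory; NOW is fixed so the example is reproducible.
NOW = 1_780_000_000
SAMPLE_FILES = [
    ModuleFile("/lib/x86_64-linux-gnu/security/pam_unix.so", NOW - 400 * DAY, 120_000, True),
    ModuleFile("/lib/x86_64-linux-gnu/security/pam_deny.so", NOW - 400 * DAY, 14_000, True),
    ModuleFile("/lib/x86_64-linux-gnu/security/pam_sshlogin.so", NOW - 2 * DAY, 18_000, False),
    ModuleFile("/lib/x86_64-linux-gnu/security/README", NOW - 1 * DAY, 200, True),  # not a .so
]

def run_audit():
    """Run both checks over the constructed samples and return their findings."""
    return (audit_module_files(SAMPLE_FILES, NOW),
            unexpected_modules(SAMPLE_COMMON_AUTH, KNOWN_AUTH_MODULES))

if __name__ == "__main__":
    file_findings, module_findings = run_audit()
    for path, reasons in file_findings.items():
        print(f"{path}: {'; '.join(reasons)}")
    for mod in module_findings:
        print(f"common-auth references unreviewed module {mod}")
```

The allowlist is deliberately an explicit set rather than "whatever the package manager shipped": a module can be package-owned and still be something nobody intended to enable, so a reviewed list of expected entries per pam.d file is the control that catches a quietly appended `sufficient` line.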

Background: Understanding PAM Backdoors

The PAM backdoor technique is not new — it has been documented in the security research literature for years and has appeared in several real-world incidents. What PamDOORa represents is the commercialization of a previously craft-level capability: it is no longer necessary for a threat actor to understand the internals of pam_sm_authenticate() to deploy a PAM backdoor, because the knowledge has been productized into a builder pipeline with pricing and customer support.

The 2023 "Plague" PAM backdoor and several nation-state intrusion campaigns documented by Palo Alto Unit 42 and Elastic Security Labs used variants of the same technique, demonstrating that PAM injection is a proven staple among the TTPs (tactics, techniques, and procedures) seen in advanced Linux intrusions. Nextron Systems published a detailed technical analysis of PAM backdoor variants in 2025, noting that even simple implementations of under 100 lines of C code can survive detection by endpoint security tools that focus primarily on Windows environments.

The reason PAM backdoors are particularly insidious is their placement in the trust hierarchy. Most endpoint detection and response (EDR) tools and security information and event management (SIEM) systems — the two primary security monitoring technologies in enterprise environments — are designed around Windows threat models. Linux coverage in commercial security products has improved but often lags. A malicious PAM module operating at the authentication layer can intercept credentials before they reach processes that EDR might monitor, and can tamper with logs that SIEM ingests.
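Log tampering at the authentication layer leaves one thing it cannot scrub: the TCP connection seen by a firewall, flow collector or network sensor. The "Audit authentication logs for gaps" recommendation above can be turned into a concrete correlation, shown here as an added example that is not from the article or any vendor product. It takes a constructed firewall log and a constructed /var/log/auth.log excerpt, and reports every client connection to port 22 for which sshd logged nothing at all within a short window. The firewall line format is an assumption, as is the year applied to the year-less syslog timestamps; adapt the two regular expressions to your own sources.

```python
"""Correlate network-layer SSH connections against auth-log entries.

Added illustration, not from the article or any vendor. A backdoor that
scrubs auth.log can hide a login, but the TCP connection still appears in
firewall or flow logs. Both inputs below are constructed samples.
"""
from datetime import datetime, timedelta
import re

YEAR = 2026  # syslog lines carry no year; assumed for the constructed sample

# Constructed firewall/flow log: ISO time, action, protocol, src -> dst
FW_LOG = """\
2026-05-08T10:01:02 ACCEPT TCP 203.0.113.5:51234 -> 10.0.0.4:22
2026-05-08T10:03:10 ACCEPT TCP 203.0.113.77:60001 -> 10.0.0.4:22
2026-05-08T10:07:40 ACCEPT TCP 198.51.100.9:40022 -> 10.0.0.4:22
2026-05-08T10:09:00 ACCEPT TCP 203.0.113.5:51300 -> 10.0.0.4:443
"""

# Constructed /var/log/auth.log excerpt; note that 198.51.100.9 never appears,
# even though the firewall saw it complete a connection to port 22.
AUTH_LOG = """\
May  8 10:01:03 web1 sshd[1201]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
May  8 10:01:03 web1 sshd[1201]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
May  8 10:03:12 web1 sshd[1250]: Failed password for invalid user admin from 203.0.113.77 port 60001 ssh2
May  8 10:03:14 web1 sshd[1250]: Disconnected from invalid user admin 203.0.113.77 port 60001 [preauth]
"""

FW_RE = re.compile(r"^(\S+) ACCEPT TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> \S+:(\d+)$")
# Any sshd line that names the client as "<ip> port <port>" counts as activity
AUTH_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*?(\d+\.\d+\.\d+\.\d+) port (\d+)")

def parse_fw(text, ssh_port=22):
    """Return (time, client_ip, client_port) for accepted connections to ssh_port."""
    conns = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and int(m.group(4)) == ssh_port:
            conns.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return conns

def parse_auth(text):
    """Return (time, client_ip, client_port) for every sshd line that names a client."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)} {YEAR}",
                                  "%b %d %H:%M:%S %Y")
        events.append((stamp, m.group(4), int(m.group(5))))
    return events

def find_unlogged_connections(conns, events, window_s=120):
    """Connections with no sshd log line for the same client within window_s seconds.
    Failed logins and disconnects still count as 'logged'; the signal is total silence."""
    window = timedelta(seconds=window_s)
    gaps = []
    for t, ip, port in conns:
        seen = any(ip == eip and port == eport and t <= et <= t + window
                   for et, eip, eport in events)
        if not seen:
            gaps.append((t, ip, port))
    return gaps

if __name__ == "__main__":
    for t, ip, port in find_unlogged_connections(parse_fw(FW_LOG), parse_auth(AUTH_LOG)):
        print(f"{t.isoformat()} {ip}:{port} -> port 22: no sshd/PAM record within window")
```

Matching on the client source port as well as the address keeps a noisy scanner's failed attempts from masking a silent session from the same IP, and the window is short on purpose: sshd normally writes its first line within a second or two of the handshake, so a connection that stays completely absent for two minutes is the anomaly the article describes.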

The specific addition of anti-debugging protections in PamDOORa makes dynamic analysis in automated sandboxes less reliable, requiring human-led manual analysis to fully characterize the tool. This is consistent with a commercial product designed for operational use cases where detection resistance is a selling point.

For blue teams, the practical defensive posture is to treat PAM module directories as high-integrity zones equivalent to kernel modules: no unexpected files, no unexpected modifications, integrity-checked on every boot and continuously monitored at runtime.

Conclusion

PamDOORa is a commercially sold Linux backdoor that embeds into the PAM authentication stack to harvest SSH credentials, provide persistent magic-password access, and wipe audit logs — now available for $900 on a Russian cybercrime forum. No confirmed deployments have been reported yet, but the seven-week head start the tool has on public detection means defenders should assume it may already be present in compromised environments. Disable password-based SSH, verify PAM module integrity, and deploy file integrity monitoring on PAM directories today.

For any query contact us at contact@cipherssecurity.com
