{"id":6955,"date":"2026-05-08T12:17:29","date_gmt":"2026-05-08T12:17:29","guid":{"rendered":"https:\/\/delimiter.online\/blog\/linux-backdoor-pam\/"},"modified":"2026-05-08T12:17:29","modified_gmt":"2026-05-08T12:17:29","slug":"linux-backdoor-pam","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/linux-backdoor-pam\/","title":{"rendered":"New Linux Backdoor PamDOORa Steals SSH Credentials via PAM"},"content":{"rendered":"<p>A newly identified Linux <a href=\"https:\/\/delimiter.online\/blog\/cybersecurity-threats-2026\/\" title=\"backdoor\">backdoor<\/a>, named PamDOORa, is being sold on a Russian-language cybercrime forum for $1,600. The tool allows attackers to maintain persistent access to compromised systems and steal authentication credentials.<\/p>\n<p>Cybersecurity researchers have disclosed details of a backdoor called PamDOORa, which is being marketed on the Rehub Russian cybercrime forum. The seller, a threat actor known as \u201cdarkworm,\u201d is offering the tool for $1,600. The backdoor is designed as a post-exploitation toolkit that functions as a Pluggable Authentication Module (PAM) for Linux systems.<\/p>\n<p>PAM is a standard <a href=\"https:\/\/delimiter.online\/blog\/quasar-linux-rat\/\" title=\"Linux security\">Linux security<\/a> mechanism that lets system administrators plug different authentication methods into services such as sshd, login and sudo through a shared configuration (\/etc\/pam.d\/) and a set of shared-library modules. PamDOORa does not exploit a flaw in PAM; it abuses the legitimate framework by installing itself as one more module in the authentication stack, which is why it can remain hidden on an infected system.<\/p>\n<p>The primary function of PamDOORa is to enable persistent SSH access. Attackers connect to a compromised system over SSH using a specific magic password on a designated TCP port. Because PAM modules decide whether an authentication attempt succeeds, a module that recognizes such a password can simply report success, and the session is established as if a legitimate password had been supplied. 
Because the login then completes as an ordinary, successful password authentication, it does not trigger the failed-login alerts that standard monitoring relies on.<\/p>\n<p>The backdoor is also capable of harvesting <a href=\"https:\/\/delimiter.online\/blog\/quasar-linux-rat\/\" title=\"SSH credentials\">SSH credentials<\/a> directly from the system. A module in the PAM auth stack receives the cleartext password the user typed, so the backdoor can intercept login attempts and record usernames and passwords, including those of legitimate users. These stolen credentials can be used for lateral movement across a network or for further exploitation of other systems.<\/p>\n<p>The sale of such tools on underground forums highlights the ongoing trade in specialized malicious software. Researchers noted that the $1,600 price point suggests the backdoor is likely intended for use by financially motivated cybercriminals or advanced persistent threat groups.<\/p>\n<p>The technical design of PamDOORa allows it to evade detection by many security solutions. A PAM module is a shared library loaded into the process that performs the authentication (sshd, login, sudo and so on) rather than a separate program, so there is no stand-alone malicious process for endpoint tools to spot. This makes identification and removal more challenging for network defenders.<\/p>\n<p>The threat actor \u201cdarkworm\u201d has been active on the Rehub forum, which is known for hosting discussions on cybercrime tools and services. The forum provides a marketplace where malicious software developers can sell their creations directly to other criminals.<\/p>\n<p>Organizations are advised to audit their Linux servers for unauthorized PAM modules: compare the module lines in \/etc\/pam.d\/ and \/etc\/pam.conf with a known-good baseline, and verify the module files in the PAM library directory (for example \/lib\/x86_64-linux-gnu\/security or \/lib64\/security) against package-manager checksums with rpm -V or dpkg --verify, treating any pam_*.so that belongs to no package as suspect. Monitoring SSH logs for unusual connection attempts or unexpected authentication patterns can help detect potential compromises; with a magic-password backdoor the telltale sign is a successful password login rather than a failed one, so look for password authentications from unfamiliar sources, on unusual ports, or for accounts that normally log in with keys. Implementing strict access controls and using multi-factor authentication are recommended mitigation strategies, with one caveat: MFA delivered through another PAM module offers little protection once an attacker controls the PAM stack, so for SSH the stronger step is to disable password and keyboard-interactive authentication (PasswordAuthentication no and KbdInteractiveAuthentication no in sshd_config) in favor of public keys, which removes the path by which a magic password is presented to PAM.<\/p>\n<p>Experts emphasize that the use of PAM for malicious purposes is not entirely new, but the targeted design of PamDOORa for credential theft represents a concerning development. 
The tool\u2019s ability to provide stealthy backdoor access increases the risk of data breaches and network intrusions.<\/p>\n<p>Looking ahead, security teams should expect similar tools to appear in underground markets. The success of PamDOORa may encourage other developers to create PAM-based backdoors. Continued monitoring of cybercrime forums and threat intelligence sharing will be essential for staying ahead of these evolving threats.<\/p>\n<p>Source: Delimiter Online<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly identified Linux backdoor, named PamDOORa, is being sold on a Russian-language cybercrime forum for $1,600. The tool allows attackers to maintain persistent access to compromised systems and steal authentication credentials. Cybersecurity researchers have disclosed details of a backdoor called PamDOORa, which is being marketed on the Rehub Russian cybercrime forum. The seller, a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6956,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[7183,785,2165,8159,8160],"class_list":["post-6955","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-backdoor","tag-cybercrime","tag-linux-security","tag-pam","tag-ssh-credentials"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=6955"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6955\/revisions"}],
"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/6956"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=6955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=6955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=6955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
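The article advises reviewing Linux servers for unauthorized PAM modules. The script below is an added example of that audit, not code from the article, the researchers or PamDOORa itself, and it runs offline against a constructed sample. It does two things: it lists every module referenced under a pam.d directory that is missing from a baseline recorded on a known-good host, and it lists every auth entry whose control flag can end the stack with success before later modules run, because that is the hook a magic-password module needs in order to accept its password before pam_unix.so can reject it. The baseline contents, the pam.d files and the module name pam_example_bd.so are all invented for the sample; the article does not give PamDOORa's file name.

```shell
#!/bin/sh
# Added example, not code from the article, the researchers or PamDOORa itself:
# an offline audit of a PAM configuration tree. All file names and the sample
# configuration below are constructed for illustration.
#   1. Report every module referenced from pam.d that is absent from a baseline
#      list recorded on a known-good host.
#   2. Report every "auth" entry whose control flag can end the stack with
#      success before later modules run ("sufficient", or a bracket control
#      containing success=done). A magic-password module needs such an entry,
#      placed before pam_unix.so, to accept its password on its own.

# Print the basename of every module referenced under pam.d directory $1, one
# per line, de-duplicated. Comments are stripped, "@include" lines are skipped
# (the included file is read by the directory walk itself), and the module is
# the first whitespace-separated field ending in ".so", which copes with
# bracketed controls such as "[success=1 default=ignore]".
pam_modules_referenced() {
  cat "$1"/* 2>/dev/null | sed 's/#.*//' | awk '
    NF >= 3 && $1 !~ /^@/ {
      for (i = 3; i <= NF; i++)
        if ($i ~ /\.so$/) { n = split($i, p, "/"); print p[n]; break }
    }' | sort -u
}

# Print referenced modules missing from the baseline file $2 (one module
# basename per line, generated earlier with pam_modules_referenced on a clean
# host of the same distribution and release). Set difference done in awk so an
# empty baseline reports every module rather than matching everything.
pam_unlisted_modules() {
  pam_modules_referenced "$1" |
    awk 'FILENAME == ARGV[1] { if ($1 != "") ok[$1] = 1; next } !($1 in ok)' "$2" -
}

# Print "file: line" for each auth entry that can short-circuit the stack.
# Legitimate stacks use "sufficient" too, so this is a review list, not a verdict.
pam_short_circuit_auth() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    sed 's/#.*//' "$f" | awk -v file="$(basename "$f")" '
      $1 ~ /^-?auth$/ && ($2 == "sufficient" || $0 ~ /success=done/) { print file ": " $0 }'
  done
}

# Combine both checks into a report on stdout. Returns 1 if any unlisted module
# was found (so a cron job or CI step can fail on it), 0 otherwise.
pam_audit() {
  pamdir="$1" baseline="$2" rc=0
  unlisted=$(pam_unlisted_modules "$pamdir" "$baseline")
  short=$(pam_short_circuit_auth "$pamdir")
  if [ -n "$unlisted" ]; then
    echo "UNLISTED MODULES (not in baseline $baseline):"
    echo "$unlisted" | sed 's/^/  /'
    rc=1
  fi
  if [ -n "$short" ]; then
    echo "AUTH ENTRIES THAT CAN SHORT-CIRCUIT THE STACK (review each):"
    echo "$short" | sed 's/^/  /'
  fi
  # Highest severity: an unlisted module wired in as a short-circuit auth entry.
  for m in $unlisted; do
    hit=$(echo "$short" | grep -F "$m" || true)
    if [ -n "$hit" ]; then echo "HIGH: unlisted module can grant auth on its own: $hit"; fi
  done
  return $rc
}

# Constructed sample (hypothetical names, not from the article): a baseline and
# a Debian-style pam.d tree in which a "sufficient" entry for an invented
# module, pam_example_bd.so, sits before pam_unix.so in common-auth.
make_sample() {
  mkdir -p "$1/pam.d"
  printf '%s\n' pam_unix.so pam_deny.so pam_permit.so pam_env.so \
                pam_nologin.so pam_limits.so > "$1/baseline.txt"
  cat > "$1/pam.d/common-auth" <<'EOF'
# constructed sample, not a real host's configuration
auth    sufficient                  pam_example_bd.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
  cat > "$1/pam.d/sshd" <<'EOF'
@include common-auth
account  required  pam_nologin.so
-session optional  pam_limits.so
session  required  pam_env.so user_readenv=1
EOF
}

# Stand-alone run: build the sample in a temporary directory and audit it.
demo() {
  demo_dir=$(mktemp -d) || return 1
  make_sample "$demo_dir"
  pam_audit "$demo_dir/pam.d" "$demo_dir/baseline.txt" || true
  rm -rf "$demo_dir"
}
demo
```

On a real host, run pam_audit against /etc/pam.d with a baseline produced by pam_modules_referenced on a freshly installed machine of the same release; then confirm each unlisted pam_*.so file with the package manager (rpm -qf or dpkg -S on the module path) before treating it as a finding. The short-circuit list will legitimately include pam_unix.so on many distributions, so only an unlisted module in that list warrants the HIGH line.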