New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

Cybersecurity researchers have uncovered a new Linux backdoor named PamDOORa that is advertised on a Russian cybercrime forum. The backdoor utilizes Pluggable Authentication Modules (PAM) to enable persistent unauthorized SSH access using a secret password and a designated TCP port.

What happened

Researchers disclosed details of PamDOORa, a Linux backdoor offered for sale by a threat actor known as "darkworm" on the Rehub Russian cybercrime forum. This malicious toolkit operates as a PAM module, providing attackers with a stealthy method to maintain SSH access on compromised systems post-exploitation. It relies on a combination of a magic password and a specific TCP port to gain entry and persist within targeted machines.

Why it matters

The use of PAM modules for backdoor implementation is significant because PAM is integral to Linux system authentication. By embedding malicious functionality into this authentication framework, PamDOORa can bypass conventional detection methods and maintain long-term control over Linux servers. This poses risks for organizations relying on SSH for secure remote administration, as attackers could gain undetected access to critical infrastructure.

What security teams should do

Security teams should review their Linux systems for unauthorized or suspicious PAM modules and monitor SSH login attempts for unusual passwords or connections on uncommon ports. System administrators are advised to verify the integrity of PAM configurations and restrict access to installed modules to prevent unauthorized modifications. Additionally, the use of intrusion detection systems that can alert on anomalies in authentication processes may help in early identification of infections.
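Added example (not from the article or the linked report): a POSIX shell audit that parses a pam.d-style file, lists every module it references, and flags modules that are missing from a host baseline or loaded from a non-standard path. The baseline list, the constructed sample file and its module names are assumptions; build the baseline from a known-good install before running it against the real /etc/pam.d.

```shell
#!/bin/sh
# Defender-side PAM configuration audit (added example, not the article's code).
# Assumption: the baseline below lists the modules expected on this host.
PAM_BASELINE="pam_unix.so pam_env.so pam_deny.so pam_permit.so pam_nologin.so \
pam_limits.so pam_motd.so pam_systemd.so pam_keyinit.so pam_loginuid.so pam_selinux.so"

# Print the module field of every rule in a pam.d-style file ($1).
# Skips comments, blank lines and @include lines; handles bracketed
# controls such as [success=1 default=ignore] that span several fields.
pam_modules_in() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 3 && $1 !~ /^@/ {
        i = 3
        if ($2 ~ /^\[/ && $2 !~ /\]$/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        if (i <= NF) print $i
    }'
}

# Report modules not on the baseline, or known names loaded from an
# unexpected directory (both are worth a manual look on a Linux host).
audit_pam_file() {
    pam_modules_in "$1" | LC_ALL=C sort -u | while read -r mod; do
        base=$(basename "$mod")
        case " $PAM_BASELINE " in
            *" $base "*) ;;                      # expected module name
            *) echo "unknown-module $mod"; continue ;;
        esac
        case "$mod" in
            /lib/security/*|/lib64/security/*|/usr/lib/security/*|/usr/lib64/security/*) ;;
            /lib/*/security/*|/usr/lib/*/security/*) ;;   # standard multiarch dirs
            /*) echo "nonstandard-path $mod" ;;   # absolute path outside standard dirs
        esac
    done
}

# Constructed sample resembling /etc/pam.d/sshd with two injected entries.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    optional    /lib/x86_64-linux-gnu/security/pam_unknown_example.so
account required    pam_nologin.so
@include common-account
session required    pam_loginuid.so
session optional    /usr/local/lib/pam_unix.so
session optional    pam_systemd.so
EOF

audit_pam_file "$SAMPLE"
```

Compare any flagged .so against the package manager's verification (for example dpkg -V or rpm -V on the owning package) before deciding whether it is legitimate.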

Key technical details

PamDOORa is a post-exploitation toolkit designed as a Pluggable Authentication Module (PAM) that integrates into the Linux authentication stack. It grants persistent SSH access by recognizing a magic password provided over a specified TCP port. Once activated, this mechanism circumvents normal authentication controls, allowing remote attackers to log in without standard credentials. The backdoor is commercially available on the Rehub Russian cybercrime forum for $1,600 and is promoted by an actor named "darkworm."

Affected organizations/products

The backdoor targets Linux systems using PAM for authentication and SSH for remote access. No specific Linux distributions or versions have been detailed in the disclosure.

Source attribution

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html

Written by Thirumala Rao Padilam