A Linux backdoor dubbed Plague has emerged that evades detection by every major antivirus engine while establishing persistent SSH access through manipulation of a core authentication mechanism. Discovered by researchers at Nextron Systems, the malware marks a notable shift in Linux-targeted attacks: it is built as a Pluggable Authentication Module (PAM), a design that gives it both near-perfect stealth and system-level persistence.

Its most alarming characteristic is its invisibility to traditional security tools. Although multiple variants were uploaded to VirusTotal over the past year, no antivirus engine flagged any sample as malicious, a 0/66 detection rate. This evasion stems from where the implant sits. Loaded as an apparently legitimate PAM module, it runs inside Linux's authentication infrastructure while subverting the controls that infrastructure is supposed to enforce.

**Plague Malware Evasion Mechanisms**

Plague combines string obfuscation with system-level manipulation. Its string obfuscation has evolved from simple [XOR-based encryption](https://cybersecuritynews.com/powerful-ddos-malware-attack/) to multi-stage schemes built from RC4-style Key Scheduling Algorithm (KSA) and Pseudo-Random Generation Algorithm (PRGA) phases with an added Deterministic Random Bit Generator (DRBG) layer.
This progression reflects continuous development aimed at staying ahead of analysis tools.

The malware's anti-debug checks verify that the shared object still carries its expected filename, `libselinux.so.8`, and that the string `ld.so.preload` does not appear among its environment variables. These checks let it detect sandboxes and debuggers, which commonly rename binaries or rely on preloading for instrumentation, according to the Nextron [report](https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/). This matches established anti-debug practice, where malware verifies its execution environment before activating malicious functionality. The filename check also helps defenders: a file named `libselinux.so.8` on a host, where the genuine library is `libselinux.so.1`, is a concrete indicator to search for.

String encryption is a key part of Plague's stealth. Initial samples used a basic XOR in which each byte is combined with a fixed key. Recent variants use RC4-like routines with custom KSA and PRGA phases: the KSA initializes a 256-byte state array through key-dependent swaps, and the PRGA then walks that state to produce a pseudorandom keystream that is XORed with the obfuscated strings at runtime. Because strings are only decrypted in memory when needed, signatures built on plaintext strings never match the file on disk.

Plague achieves persistence by masquerading as a legitimate [PAM module](https://cybersecuritynews.com/yubico-pam-module-vulnerability-let-attackers-bypass-authentications/) and implementing `pam_sm_authenticate()`, the entry point PAM calls to verify a user's credentials. This abuses PAM's modular architecture: programs that authenticate users, sshd among them, load the configured modules as shared libraries at runtime according to the files in `/etc/pam.d/`.
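The two-stage KSA/PRGA scheme described above is the textbook RC4 construction. The following Python block is an added illustration, not code or keys recovered from Plague: it implements the early repeating-key XOR, the RC4-style KSA and PRGA, a string-table decryptor of the kind an analyst writes once the key has been pulled from the binary, and a brute-force helper showing why the single-byte XOR of the early samples was easy to undo. The sample key and string table are constructed; the page does not give Plague's keys, and the DRBG layer is not modelled.

```python
"""Added illustration of the string-obfuscation progression: repeating-key
XOR (the early scheme) and two-phase RC4, a Key Scheduling Algorithm (KSA)
that permutes a 256-byte state and a Pseudo-Random Generation Algorithm
(PRGA) that emits the keystream. Textbook RC4, not code from the malware."""

import string

PRINTABLE = set(string.printable.encode())


def xor_decode(data, key):
    """Repeating-key XOR; decoding is the same operation as encoding."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ksa(key):
    """KSA: start from the identity permutation and swap entries under key control."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, n):
    """PRGA: keep permuting the state and emit n keystream bytes."""
    s = list(s)                      # work on a copy, leave the caller's state alone
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(data, key):
    """Encrypt or decrypt (symmetric): XOR the data with the PRGA keystream."""
    return bytes(b ^ k for b, k in zip(data, prga(ksa(key), len(data))))


def brute_single_byte_xor(blob):
    """Analyst's shortcut for the early variant: try all 256 single-byte keys
    and keep those whose output is entirely printable ASCII."""
    return [(k, xor_decode(blob, bytes([k])))
            for k in range(256)
            if all(b in PRINTABLE for b in xor_decode(blob, bytes([k])))]


def decrypt_string_table(table, key):
    """Decrypt a table of RC4-obfuscated blobs once the key has been recovered."""
    return [rc4_crypt(blob, key).decode("utf-8", "replace") for blob in table]


if __name__ == "__main__":
    # Constructed sample: obfuscate a few strings the article mentions, then recover them.
    key = b"constructed-key"        # assumption: not a key from any real sample
    plain = [b"SSH_CONNECTION", b"HISTFILE", b"/dev/null",
             b"Uh. Mr. The Plague, sir? I think we have a hacker."]
    table = [rc4_crypt(p, key) for p in plain]
    for blob, text in zip(table, decrypt_string_table(table, key)):
        print(blob.hex(), "->", text)
    # The same string under the early single-byte XOR scheme falls to brute force:
    for k, pt in brute_single_byte_xor(xor_decode(b"SSH_CONNECTION", b"\x5a")):
        print(f"key 0x{k:02x}: {pt!r}")
```

The practical difference between the two schemes is what `brute_single_byte_xor` shows: a single-byte XOR leaks enough structure that the key falls out of a printability check, whereas the RC4 keystream has to be regenerated from the recovered key before any string table can be read, which is why the later variants defeat naive string-based signatures.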
By positioning itself in this trusted execution path, Plague sees plaintext credentials and can decide the outcome of authentication. It implements a static-password [authentication](https://cybersecuritynews.com/authentication/) bypass: a hardcoded backdoor password is accepted regardless of the account's real credentials. This mirrors documented PAM backdoor techniques in which a malicious module returns `PAM_SUCCESS` for a specific credential combination. Because the implant lives in the authentication stack rather than in an application, it survives system updates and runs with the privileges of the authenticating process, which for sshd is root.

Plague also shows a thorough understanding of [Linux forensic](https://cybersecuritynews.com/free-forensic-investigation-tools/) artifacts. It removes evidence of SSH sessions by unsetting `SSH_CONNECTION`, `SSH_CLIENT` and `SSH_TTY`, the environment variables that normally record the client IP address, ports and terminal that administrators rely on for audit trails. It also points `HISTFILE` at `/dev/null`, so the attacker's shell writes no command history, a file routinely examined during incident response. These tricks only scrub the attacker's own session environment: unless tampered with separately, sshd still logs the accepted login via syslog and writes utmp/wtmp records, so those sources remain available for correlation. The developers' familiarity with forensic procedure suggests significant operational security experience.

Analysis of compilation artifacts reveals sustained development across multiple build environments and timeframes.
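The environment scrubbing described above leaves a detectable gap: a login shell spawned directly by sshd normally carries `SSH_CONNECTION`, `SSH_CLIENT` and `SSH_TTY`, so a shell under sshd without them, or with `HISTFILE` pointed at `/dev/null`, is worth a look. The following Python block is an added hunting example, not tooling from the Nextron report. The process table in `constructed_process_table()` is constructed (documentation-range IP addresses); `read_proc()` gathers the same fields from `/proc` on a live host, where reading other users' `environ` requires root.

```python
"""Added example: flag direct children of sshd whose environment lacks the
SSH_* variables or whose HISTFILE is /dev/null. Constructed process table for
the demo; read_proc() collects real data from /proc when run on a Linux host."""

import os
from dataclasses import dataclass, field

SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str                                  # "Name" (comm) from /proc/<pid>/status
    env: dict = field(default_factory=dict)


def session_anomalies(procs):
    """Return (pid, reason) for direct children of sshd that look scrubbed.
    Only direct children are checked: su/sudo legitimately reset the environment
    further down the tree, so deeper processes would be false positives."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.name == "sshd" or parent is None or parent.name != "sshd":
            continue
        missing = [v for v in SSH_VARS if v not in p.env]
        if missing:
            findings.append((p.pid, "missing " + ",".join(missing)))
        if p.env.get("HISTFILE") == "/dev/null":
            findings.append((p.pid, "HISTFILE=/dev/null"))
    return findings


def read_proc():
    """Snapshot pid, ppid, comm and environment for every readable process."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as f:
                fields = dict(line.rstrip("\n").split(":\t", 1)
                              for line in f if ":\t" in line)
            with open(f"/proc/{entry}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited, or environ not readable without root
        env = dict(item.split("=", 1)
                   for item in raw.decode("utf-8", "replace").split("\0") if "=" in item)
        procs.append(Proc(int(entry), int(fields.get("PPid", "0")), fields.get("Name", ""), env))
    return procs


def constructed_process_table():
    """Constructed snapshot: a normal SSH session, a scrubbed one, and a local console login."""
    normal_env = {"SSH_CONNECTION": "203.0.113.5 51522 198.51.100.10 22",
                  "SSH_CLIENT": "203.0.113.5 51522 22", "SSH_TTY": "/dev/pts/0",
                  "HISTFILE": "/home/alice/.bash_history"}
    scrubbed_env = {"HISTFILE": "/dev/null", "TERM": "xterm"}
    return [
        Proc(1, 0, "systemd"),
        Proc(800, 1, "sshd"),                                  # listener
        Proc(2001, 800, "sshd"), Proc(2002, 2001, "sshd"),     # privsep + session processes
        Proc(2003, 2002, "bash", normal_env),                  # legitimate login shell
        Proc(2101, 800, "sshd"), Proc(2102, 2101, "sshd"),
        Proc(2103, 2102, "bash", scrubbed_env),                # shell with SSH_* removed
        Proc(3001, 1, "bash", {"TERM": "linux"}),              # console login, no SSH_* expected
    ]


if __name__ == "__main__":
    for pid, reason in session_anomalies(constructed_process_table()):
        print(f"constructed: pid {pid}: {reason}")
    if os.path.isdir("/proc"):
        for pid, reason in session_anomalies(read_proc()):
            print(f"live: pid {pid}: {reason}")
```

Correlate any hit with sshd's own "Accepted" log lines and with `last`/`who` output for the same time window: a session that sshd logged but whose shell carries no `SSH_*` variables is the shape this backdoor produces.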
Seven distinct samples compiled between July 2024 and March 2025 show continuous refinement, and compiler metadata indicates builds on Debian, Ubuntu and Red Hat systems. VirusTotal submissions came mostly from the United States, with one sample from China, which could indicate either widespread deployment or deliberate misdirection.

The malware contains a cultural reference to the 1995 film 'Hackers': after a successful authentication bypass it displays the message 'Uh. Mr. The Plague, sir? I think we have a hacker.' This easter egg, visible only after deobfuscation, hints at the authors' background, but familiarity with classic hacker culture is weak evidence for attributing the malware to any particular group, Western or otherwise.

Plague's emergence highlights critical [vulnerabilities](https://cybersecuritynews.com/defending-against-owasp-top-10-vulnerabilities/) in endpoint security that relies heavily on signature-based detection. Zero detections across 66 antivirus engines show the limits of conventional tools against novel implants that hide inside trusted system components.

Targeting PAM is a strategic evolution in Linux malware, moving beyond application-layer attacks to foundational system components. Because PAM modules are trusted by design and loaded by every program that authenticates users, a malicious module keeps working regardless of application updates or security patches: there is no vulnerability to patch, only a trust relationship to verify.
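Verifying that trust relationship comes down to two checks: that every module named in `/etc/pam.d/` is one you expect, loaded from the standard module directory, and that the module files on disk still match what the distribution shipped. The following Python block is an added example, not tooling from the Nextron report. The service-file text, the hash manifest and the in-memory "files" are constructed; `MODULE_DIR` assumes the Debian/Ubuntu x86_64 layout (RHEL-family systems use `/usr/lib64/security`), and `pam_helper.so` and `/tmp/pam_backdoor.so` are hypothetical names used only to exercise the checks.

```python
"""Added example for the defensive steps discussed here: parse a pam.d
service file, flag modules outside an allowlist or outside the module
directory, and verify module files against a known-good SHA-256 manifest.
Config text, manifest and file contents are constructed."""

import hashlib
import re
from pathlib import Path

MODULE_DIR = "/usr/lib/x86_64-linux-gnu/security"   # assumption: Debian/Ubuntu x86_64 layout

# pam.d entry: [-]type  control (word or [bracketed value=action ...])  module  [args]
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed service file: an allowlisted stack plus two suspicious entries.
SAMPLE_CONFIG = """# constructed /etc/pam.d/sshd-style fragment
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    sufficient                  pam_helper.so
auth    required                    /tmp/pam_backdoor.so
@include common-account
session optional                    pam_lastlog.so
"""

ALLOWLIST = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_lastlog.so"}


def parse_pam_config(text):
    """Yield (type, control, module, args) per entry; joins backslash
    continuations, drops comments, and passes @include lines through."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            yield ("@include", "", line.split()[1], "")
            continue
        m = LINE_RE.match(line)
        yield m.groups() if m else ("invalid", "", line, "")


def audit_pam_config(text, allowlist, module_dir=MODULE_DIR):
    """Return findings for modules outside the allowlist or outside module_dir.
    An 'auth sufficient' entry naming an unknown module is the classic backdoor
    shape: a module returning PAM_SUCCESS there short-circuits the whole stack."""
    findings = []
    for typ, control, module, _args in parse_pam_config(text):
        if typ == "@include":
            continue
        if typ == "invalid":
            findings.append(f"unparseable line: {module}")
            continue
        path = module if module.startswith("/") else f"{module_dir}/{module}"
        directory, name = path.rsplit("/", 1)
        if name not in allowlist:
            if (typ.lstrip("-"), control) == ("auth", "sufficient"):
                findings.append(f"auth-sufficient backdoor shape: {path}")
            else:
                findings.append(f"unexpected module: {path}")
        if directory != module_dir:
            findings.append(f"non-standard module path: {path}")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_module_hashes(manifest, read_bytes=lambda p: Path(p).read_bytes()):
    """Compare each module file's SHA-256 with the manifest (e.g. hashes recorded
    from the distribution package at install time). Returns (path, actual) for
    mismatches and (path, 'missing') for files that cannot be read."""
    bad = []
    for path, expected in manifest.items():
        try:
            actual = sha256_hex(read_bytes(path))
        except (OSError, KeyError):
            bad.append((path, "missing"))
            continue
        if actual != expected:
            bad.append((path, actual))
    return bad


# Constructed in-memory "filesystem" and manifest standing in for real module files.
CONSTRUCTED_FILES = {
    f"{MODULE_DIR}/pam_unix.so": b"pristine pam_unix bytes",
    f"{MODULE_DIR}/pam_permit.so": b"tampered pam_permit bytes",
}
CONSTRUCTED_MANIFEST = {
    f"{MODULE_DIR}/pam_unix.so": sha256_hex(b"pristine pam_unix bytes"),
    f"{MODULE_DIR}/pam_permit.so": sha256_hex(b"pristine pam_permit bytes"),
    f"{MODULE_DIR}/pam_deny.so": "0" * 64,          # recorded at install, no longer present
}


def demo_hash_check():
    """Run the hash verification against the constructed files."""
    return verify_module_hashes(CONSTRUCTED_MANIFEST, read_bytes=lambda p: CONSTRUCTED_FILES[p])


if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_CONFIG, ALLOWLIST):
        print("config:", finding)
    for path, actual in demo_hash_check():
        print("hash:", path, actual)
```

On a real host the manifest should come from the package manager rather than from a self-recorded baseline that an attacker with root could also rewrite: `dpkg -V libpam-modules` on Debian/Ubuntu and `rpm -V pam` on RHEL-family systems compare installed files against package metadata, and the audit above then covers the part they do not, namely modules that were added to a service file without belonging to any package.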
Security teams should implement PAM module integrity checking and monitor the authentication subsystem for modifications. Organizations should audit their PAM configurations, verify that installed [authentication](https://cybersecuritynews.com/authentication/) modules match the hashes shipped by the distribution's packages (for example with `dpkg -V` or `rpm -V`), and monitor for suspicious authentication patterns such as SSH sessions whose shells lack the usual `SSH_*` environment variables. The malware's sophistication suggests a capable, well-resourced actor and warrants an elevated security posture for critical infrastructure and defense contractors, although sophistication alone does not establish state sponsorship.

The post [New Undetectable Plague Malware Attacking Linux Servers to Gain Persistent SSH Access](https://cybersecuritynews.com/plague-malware-attacking-linux-servers/) appeared first on [Cyber Security News](https://cybersecuritynews.com).