Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed **Plague** that has managed to evade detection for a year.’The implant is built as a malicious [PAM](https://www.redhat.com/en/blog/pluggable-authentication-modules-pam) (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,’ Nextron Systems researcher Pierre-Henri Pezier [said](https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/).Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems.Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can [enable](https://www.nextron-systems.com/2025/05/30/stealth-in-100-lines-analyzing-pam-backdoors-in-linux/) theft of user credentials, bypass authentication checks, and remain undetected by security tools. The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What’s more, the presence of several samples signals active development of the malware by the unknown threat actors behind it.Plague boasts of four prominent features: Static credentials to allow covert access, resist analysis and reverse engineering using anti-debugging and string obfuscation; and enhanced stealth by erasing evidence of an SSH session.This, in turn, is accomplished by unsetting environment variables such as [SSH_CONNECTION and SSH_CLIENT](https://en.wikibooks.org/wiki/OpenSSH/Client_Applications) using unsetenv, and redirecting [HISTFILE](https://www.redhat.com/en/blog/history-command) to /dev/null to prevent shell command logging, in order otherwise avoid leaving an audit trail.’Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces,’ Pezier noted. ‘Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.’ Found this article interesting? Follow us on [Google News](https://news.google.com/publications/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ), [Twitter](https://twitter.com/thehackersnews) and [LinkedIn](https://www.linkedin.com/company/thehackernews/) to read more exclusive content we post.
Related Tags:
NAICS: 56 – Administrative And Support And Waste Management And Remediation Services
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 561 – Administrative And Support Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: The Hacker News
Modify Authentication Process: Pluggable Authentication Modules
Modify Authentication Process
Associated Indicators: