PamDOORa Linux PAM Backdoor Sold for $1,600, Grants Covert SSH Access

Researchers disclosed PamDOORa, a commercial Linux backdoor sold on the Russian Rehub forum that exploits the PAM authentication framework to install covert SSH access and harvest every authenticated user's credentials.

Security researchers disclosed on May 8, 2026, a commercial Linux backdoor called PamDOORa that exploits the Pluggable Authentication Module framework to install covert SSH access on x86_64 Linux systems, harvest credentials from every user who authenticates on a compromised host, and systematically delete authentication logs to obstruct forensic investigation — sold on the Russian Rehub cybercrime forum for up to $1,600.

PamDOORa Advertised on Rehub Forum by Seller “darkworm” at $1,600, Later Discounted to $900

PamDOORa first appeared on the Russian Rehub cybercrime forum listed by an operator using the handle “darkworm.” Initial pricing was $1,600; by April 9, 2026, the asking price had been reduced to $900. The commercial availability, dedicated marketplace listing, and price point indicate the tool was developed for distribution to criminal operators seeking capable post-exploitation tools rather than as a research proof-of-concept or internal-use implant.

The tool targets x86_64 Linux systems and integrates at the PAM layer — the framework used by most major Linux distributions to handle authentication for SSH, login, sudo, and other access-control mechanisms. Targeting this layer gives PamDOORa access to every authentication event on the host, regardless of the service or user account involved.

How PamDOORa Installs Persistent SSH Access and Passively Harvests All User Credentials

Once deployed, PamDOORa modifies the PAM module stack to intercept all authentication events on the compromised system. Operators access the machine via SSH using a predetermined “magic password” combined with specific TCP port sequences — a covert mechanism that does not appear in standard authentication logs and cannot be discovered through audits of authorized SSH keys, user account lists, or conventional access control reviews.

Every legitimate user who subsequently authenticates through the compromised PAM stack — whether via SSH, local login, sudo, or any other PAM-integrated service — has their credentials silently captured and made available to the operator. The passive harvesting design means that over time PamDOORa accumulates a growing inventory of valid credentials from all accounts active on the host, creating pathways for lateral movement within the same network or unauthorized access to external services associated with those credentials.

Anti-Forensics: Systematic Deletion of Authentication Logs Hampers Investigation

PamDOORa implements deliberate, systematic deletion of authentication logs — the records that security operations teams and forensic investigators rely on to reconstruct access timelines and identify unauthorized login events. By removing these records, the backdoor extends its operational window and degrades the evidence available to responders even if the compromise is eventually detected through behavioral anomalies or external signals.

Additional capabilities documented by researchers include anti-debugging features that complicate dynamic analysis and network-aware triggers that allow conditional behavior based on network conditions. The combination of these capabilities indicates an operator-grade design — prioritizing operational security, persistence, and anti-detection over simplicity or portability.

PamDOORa Joins “Plague” as the Second Known Commercial PAM-Targeting Backdoor

Researchers noted that PamDOORa is only the second known commercial backdoor designed to exploit the PAM framework, following a predecessor tool called “Plague.” The emergence of a second commercially available PAM backdoor available through underground markets indicates growing demand among criminal operators for persistent, low-visibility Linux implants capable of surviving conventional endpoint security measures.

PAM-level compromise is particularly durable because it integrates directly into the operating system’s authentication infrastructure. Detection requires active inspection of PAM module files and configuration rather than standard process monitoring or network traffic analysis. Conventional endpoint detection tools that look for suspicious processes, unusual network connections, or file system anomalies may not flag a PAM modification unless specifically configured to monitor authentication module integrity.

No confirmed real-world attacks had been attributed to PamDOORa at the time of disclosure. The active commercial listing at a reduced price point, however, implies ongoing demand from operators seeking to deploy it. Security teams managing x86_64 Linux infrastructure — particularly internet-accessible SSH servers — should verify the integrity of installed PAM modules against known-good baselines, review PAM configuration files for unauthorized entries, and investigate any systems that have experienced unexplained authentication anomalies or log gaps as potential PamDOORa compromise candidates.
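One way to perform the PAM configuration review recommended above: a small parser for /etc/pam.d-style rule lines that flags any module not in a known-good baseline or loaded from outside the standard module directories. This is an added example, not code from the article or from the PamDOORa research; the baseline set and the sample service file are constructed placeholders, and a real baseline must come from a clean package install rather than from the host being investigated.

```python
"""Audit PAM service-file text for modules outside a known-good baseline.
Added example, not code from the article or the PamDOORa research; the
baseline and sample config below are constructed placeholders."""
import re

# Derive the real baseline from a clean package install, never the suspect host.
BASELINE_MODULES = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
    "pam_motd.so", "pam_succeed_if.so", "pam_nologin.so", "pam_limits.so",
    "pam_systemd.so", "pam_keyinit.so", "pam_loginuid.so", "pam_faillock.so"}
SYSTEM_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                      "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")
# type may start with '-' (silence missing-module logs); control is one word
# or a bracketed [value=action ...] list, which itself contains spaces.
_RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Constructed sample of an /etc/pam.d service file with one foreign module.
SAMPLE_SERVICE = """\
auth     required   pam_env.so
auth     [success=1 default=ignore] pam_unix.so nullok
auth     sufficient /tmp/.cache/pam_example_unknown.so
-session optional   pam_systemd.so
@include common-account
"""

def parse_pam_line(line):
    """Return (type, control, module_path, args) or None for non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("@include"):
        return None
    m = _RULE.match(line)
    if not m:
        return None
    mtype, control, module, args = m.groups()
    return mtype.lstrip("-"), control, module, args.split()

def audit_pam_text(text, source="<inline>", baseline=BASELINE_MODULES):
    """Return (source, lineno, message) findings for one service file's text."""
    findings = []
    text = text.replace("\\\n", " ")  # join backslash continuation lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if parsed is None:
            continue
        module = parsed[2]
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(SYSTEM_MODULE_DIRS):
            findings.append((source, lineno, "non-standard module path: " + module))
        if name not in baseline:
            findings.append((source, lineno, "module not in baseline: " + name))
    return findings
```

Run `audit_pam_text` over each file in /etc/pam.d (and /etc/pam.conf where present); a finding is a starting point for comparing the module file itself against the distribution package, not proof of compromise on its own.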
