Security researchers have discovered a sophisticated Linux backdoor named Plague that has remained undetected by antivirus engines for months, raising concerns over stealthy persistence mechanisms targeting critical systems.
The malware was identified by Pierre-Henri Pezier, a researcher at Nextron Threat, who revealed that the implant operates as a malicious Pluggable Authentication Module (PAM), enabling attackers to bypass system authentication and maintain persistent SSH access without triggering alerts.
“The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” said Pezier.
According to Nextron’s analysis, Plague integrates deeply into the Linux authentication stack, survives system updates, and leaves minimal forensic evidence, making detection extremely difficult with conventional tools.
A Backdoor Built for Stealth and Persistence
The Plague malware has been uploaded to VirusTotal multiple times over the past year. However, not a single antivirus engine flagged it as malicious, and no public detection rules exist for this threat.
Pezier explained that the backdoor employs layered obfuscation and environment tampering to hide its presence. The name “Plague” was inspired by a line in the 1995 movie Hackers, found in the deobfuscated code:
“Uh. Mr. The Plague, sir? I think we have a hacker.”
As a malicious PAM, Plague uses advanced evasion techniques, including:
- Hiding session logs to avoid forensic analysis.
- Custom string obfuscation for detection resistance.
- Using legitimate library names like libselinux.so.8 for concealment.
- Hardcoded passwords for easy attacker access.
Additionally, the malware sanitizes the runtime environment by unsetting variables such as SSH_CONNECTION and SSH_CLIENT using unsetenv, and redirects HISTFILE to /dev/null to erase shell history.
“This operation ensures that no audit trail or login metadata is retained, effectively erasing the attacker’s footprint from both interactive sessions and system history logs,” Pezier noted.
Why Plague Poses a Serious Risk
PAMs play a critical role in Linux authentication by allowing modular login mechanisms without altering the core application. A compromised PAM module effectively gives attackers full control over authentication, enabling:
- Theft of user credentials.
- Bypassing of multi-factor or standard authentication.
- Persistent access without detection.
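Because a PAM backdoor must be referenced from a PAM stack (/etc/pam.d/* or /etc/pam.conf) before the authentication stack will load it, one cheap defender-side check is to audit those stacks against a known-good allowlist. The script below is an added example, not code from Nextron's analysis; the allowlist and the sample /etc/pam.d/sshd lines (including the planted libselinux.so.8 entry) are constructed for illustration, and the checks flag any module that is off the allowlist, does not follow the pam_*.so naming convention, or is loaded from an explicit path.

```python
import re
# Hypothetical allowlist: the PAM modules an operator expects on this host.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_nologin.so", "pam_systemd.so", "pam_limits.so", "pam_motd.so",
}
MODULE_TYPES = {"auth", "account", "password", "session"}

# Constructed sample of an /etc/pam.d/sshd stack with one planted entry.
SAMPLE_PAM_D_SSHD = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       required     libselinux.so.8
@include common-account
session    optional     pam_motd.so motd=/run/motd.dynamic
-session   optional     pam_systemd.so
""".splitlines()

def parse_pam_line(line):
    """Return (type, control, module, args) or None for comments/includes;
    handles '[success=1 default=ignore]' controls and the optional '-'."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0].lstrip("-") not in MODULE_TYPES:
        return None
    if tokens[1].startswith("["):
        end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
        if end is None or end + 1 >= len(tokens):
            return None  # malformed control field
        control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    return tokens[0].lstrip("-"), control, rest[0], rest[1:]

def audit_pam_lines(lines, allowlist=KNOWN_MODULES):
    """Return (line number, module, reasons) for modules that are off the
    allowlist, not named pam_*.so, or loaded from an explicit path."""
    findings = []
    for n, raw in enumerate(lines, 1):
        parsed = parse_pam_line(raw)
        if parsed is None:
            continue
        module = parsed[2]
        base = module.rsplit("/", 1)[-1]  # judge the file name, not the path
        reasons = [label for label, hit in (
            ("explicit module path", "/" in module),
            ("non-standard module name", not re.fullmatch(r"pam_\w+\.so", base)),
            ("not in allowlist", base not in allowlist)) if hit]
        if reasons:
            findings.append((n, module, reasons))
    return findings
```

Run against the real stacks by passing `open(path).read().splitlines()` for each file under /etc/pam.d, and tune KNOWN_MODULES to the modules your distribution actually ships.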
At present, there are no confirmed reports of Plague being actively deployed in the wild, but Nextron warns that it represents a serious and evolving threat to Linux infrastructure.
“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” Pezier concluded.