Executive Summary
In May 2026, security researchers reported a new Linux backdoor named PamDOORa, advertised on the Russian-language cybercrime forum Rehub for $1,600 by a threat actor using the handle "darkworm." PamDOORa is a post-exploitation toolkit built as a Pluggable Authentication Module (PAM): once the malicious module is inserted into a host's PAM stack, it grants persistent SSH access to anyone who presents a hardcoded "magic" password in combination with a specific TCP port, and it harvests the credentials of every legitimate user who authenticates through the compromised host. The toolkit also includes anti-forensic capabilities that tamper with authentication logs to erase traces of its use.
The emergence of PamDOORa highlights a growing trend of sophisticated Linux-based malware targeting authentication mechanisms to establish persistent access and exfiltrate sensitive credentials. This development underscores the need for organizations to implement robust monitoring and auditing of authentication processes to detect and mitigate such threats.
Why This Matters Now
PamDOORa is sold as a ready-made tool, which lowers the bar for operators who have already obtained root on a Linux host. A malicious PAM module runs inside the authentication path of sshd, login, sudo and every other PAM-aware service, so it sees cleartext passwords as users type them, survives reboots and SSH key rotation, and is not removed by patching the vulnerability that gave the attacker initial access. One caveat worth knowing when assessing exposure: OpenSSH invokes the PAM auth stack only for password and keyboard-interactive logins; with public-key authentication only the account and session stacks run, so key-only SSH limits, but does not eliminate, what a module like this can do on the host.
Attack Path Analysis
PamDOORa is a post-exploitation tool, so the attacker must already hold root on the host, obtained for example by exploiting a vulnerability or misconfiguration, before installing it: adding a module to the PAM stack requires write access to /etc/pam.d and to the system's PAM module directory. Installing the backdoor is therefore persistence rather than privilege escalation. Once installed, the module grants the attacker SSH access via the hardcoded password and port combination, which survives reboots and password resets. Passwords harvested from legitimate logins can be reused to move laterally to other hosts where those users have accounts. The persistent SSH access doubles as the command-and-control channel and as the path for exfiltrating data, while the log tampering conceals the logins. From this foothold the attacker can deploy additional malware or add further persistence mechanisms.
Kill Chain Progression
Initial Compromise
Description
The attacker obtains root on the host by exploiting a vulnerability or misconfiguration, then installs the PamDOORa module into the PAM stack.
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Application Layer Protocol: Web Protocols (T1071.001)
Remote Services: SSH (T1021.004)
Indicator Removal: Clear Linux or Mac System Logs (T1070.002)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Zero Trust Architecture
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the backdoor, including operational, regulatory, and cloud security risks.
Information Technology/IT
A PAM-level backdoor on Linux hosts exposes SSH credentials and every password-authenticated service across IT infrastructure. Affected organizations should verify PAM configuration and module integrity, move SSH to key-based authentication where possible, and segment administrative access so that a compromised host cannot reach the rest of the estate.
Financial Services
Banking systems that rely on Linux SSH access face persistent backdoor and credential-theft risk in their authentication stack, which bears directly on the PCI DSS and NYDFS authentication and access-control requirements listed above. Lateral-movement controls and monitoring of privileged logins are the relevant mitigations.
Health Care / Life Sciences
Healthcare Linux servers are exposed to PAM-based credential harvesting that can reach systems holding protected health information, bearing on HIPAA access-control and audit requirements. Monitoring of authentication events and anomaly detection on administrative logins are the relevant controls.
Government Administration
Government Linux infrastructure is a likely target for buyers of a commercially sold backdoor of this kind, and the national-security sensitivity of these systems raises the importance of cross-environment visibility, authentication monitoring, and threat detection.
Sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials, The Hacker News: https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html
- How ‘Plague’ infiltrated Linux systems without leaving a trace, CSO Online (background on Plague, an earlier PAM-based backdoor): https://www.csoonline.com/article/4033499/how-plague-infiltrated-linux-systems-without-leaving-a-trace.html
- New Linux backdoor Plague bypasses auth via malicious PAM module, Security Affairs: https://securityaffairs.com/180701/malware/new-linux-backdoor-plague-bypasses-auth-via-malicious-pam-module.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because it could limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may be constrained by reducing the exposure of vulnerable services through enforced segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to reach further systems from a backdoored host could be limited by restricting access to critical systems through strict segmentation policies.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may be constrained by monitoring and controlling east-west traffic within the network.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could be detected and disrupted through enhanced visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may be limited by enforcing strict egress policies and monitoring outbound traffic.
The attacker's ability to deploy additional malware or establish persistence could be constrained by limiting access to critical systems and monitoring for unauthorized changes.
Impact at a Glance
Affected Business Functions
- User Authentication
- System Access Control
- Credential Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of SSH credentials and user authentication data.
Recommended Actions
Key Takeaways & Next Steps
- Verify the integrity of PAM configuration and modules: compare /etc/pam.d and the PAM module directory against a known-good baseline and the package manager (dpkg --verify or rpm -V), and treat any unpackaged, out-of-tree, or recently modified .so as suspect.
- Prefer key-based SSH authentication and disable password and keyboard-interactive login where feasible; the PAM auth stack that a magic-password module hooks, and in which it captures passwords, is only invoked for those methods.
- Forward authentication logs (auth.log or secure, the journal, wtmp and btmp) to a remote collector so that on-host log tampering cannot erase the record of a login.
- Implement Zero Trust Segmentation to restrict unauthorized access and limit lateral movement.
- Deploy East-West Traffic Security to monitor and control internal network communications.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
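As a concrete form of the PAM integrity check recommended above, here is an added example script, written for this report and not code from the PamDOORa authors or from the cited articles. It parses /etc/pam.d service files and flags the conditions a PAM-based magic-password module of the kind described in the summary needs: a module that is not on the host's allowlist, a module loaded from outside the distribution's module directories, and an unlisted module marked sufficient ahead of pam_unix.so in the auth stack, the position that lets it short-circuit the real password check. The sample service file, the allowlist, and the module name pam_helper.so are constructed for the example; the allowlist must be rebuilt from a known-good host of the same build.

```python
"""Audit PAM configuration for entries a PAM-based backdoor would need.

Added example for this report, not code from the PamDOORa authors or the
cited articles. The sample config and pam_helper.so are constructed.
"""
import os
import re
import shutil
import subprocess
from dataclasses import dataclass

# Module directories used by Debian/Ubuntu and RHEL-family builds.
MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
}

# Modules that normally appear in sshd/login/sudo stacks. Build the real
# allowlist from a known-good host of the same image, not from this list.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_deny.so",
    "pam_permit.so", "pam_limits.so", "pam_motd.so", "pam_mail.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_systemd.so",
    "pam_faillock.so", "pam_lastlog.so", "pam_umask.so", "pam_succeed_if.so",
    "pam_localuser.so", "pam_sss.so", "pam_access.so", "pam_namespace.so",
}

# "<type> <control> <module> [args]"; control may be a bracketed action list.
LINE_RE = re.compile(
    r"^(?P<stack>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


@dataclass
class PamEntry:
    service: str
    line_no: int
    stack: str      # auth | account | password | session ('-' prefix stripped)
    control: str    # required | sufficient | optional | [success=1 default=ignore]
    module: str     # pam_unix.so, or an absolute path
    args: list


def parse_pam_config(service, text):
    """Parse one service file. @include lines are skipped here: audit the
    included common-* files as services of their own."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append(PamEntry(service, n, m["stack"].lstrip("-"), m["control"],
                                m["module"], (m["args"] or "").split()))
    return entries


def audit_pam_entries(entries, known=KNOWN_MODULES, module_dirs=MODULE_DIRS):
    """Return (entry, reason) pairs for suspicious lines."""
    findings = []
    unix_seen = False
    for e in entries:
        name = os.path.basename(e.module)
        if "/" in e.module and os.path.dirname(e.module) not in module_dirs:
            findings.append((e, "module loaded from non-standard directory"))
        if name not in known:
            findings.append((e, "module not on allowlist"))
            if e.stack == "auth" and e.control == "sufficient" and not unix_seen:
                findings.append((e, "unknown 'sufficient' auth module precedes pam_unix.so"))
        if e.stack == "auth" and name == "pam_unix.so":
            unix_seen = True
    return findings


def package_owner(path):
    """On a live host, ask dpkg or rpm which package owns a module file.
    None means no package manager or an unowned file; an unowned file in a
    PAM module directory is itself a finding. The allowlist check cannot see
    a trojanized pam_unix.so; this check (or dpkg --verify / rpm -V) can."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return None
    r = subprocess.run(cmd, capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def scan_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every service file on a live host (run as root)."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, name), errors="replace") as fh:
            findings += audit_pam_entries(parse_pam_config(name, fh.read()))
    return findings


# Constructed sample: an out-of-tree 'sufficient' module placed before pam_unix.
SAMPLE_SSHD = """\
# constructed /etc/pam.d/sshd for the example
auth       sufficient   /usr/local/lib/pam_helper.so   # hypothetical module
auth       required     pam_env.so
@include common-auth
auth       [success=1 default=ignore] pam_unix.so nullok
account    required     pam_nologin.so
session    required     pam_limits.so
session    optional     pam_motd.so
session    optional     pam_keyinit.so force revoke
"""

if __name__ == "__main__":
    for e, reason in audit_pam_entries(parse_pam_config("sshd", SAMPLE_SSHD)):
        print(f"{e.service}:{e.line_no} {e.stack} {e.control} {e.module}: {reason}")
```

On a live host, run scan_pam_dir() as root and audit the common-* files that @include pulls in as well. The allowlist check cannot detect a replaced pam_unix.so, which is a common way to plant this kind of module; for that, verify every file in the PAM module directory against the package manager (package_owner(), or dpkg --verify / rpm -V) and compare hashes with a clean host of the same build.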



