PamDOORa backdoor harvests SSH credentials via PAM

Researchers disclosed PamDOORa, a PAM-based Linux backdoor sold on Rehub that captures SSH credentials, enables hidden root SSH access with a magic password and tampers logs.

Security researchers disclosed a new Linux backdoor called PamDOORa that is being advertised on the Rehub cybercrime forum. The seller uses the handle “darkworm.” The implant was first listed for sale on March 17, 2026, at $1,600 and the price was reduced to $900 by April 9. There is no public evidence the backdoor has been used in live attacks.

PamDOORa is implemented as a Pluggable Authentication Module, or PAM, that integrates with OpenSSH. The module is designed to run on x86_64 Linux systems and to let an attacker authenticate to a compromised host using a specific TCP port and a so-called magic password. Operators can use that combination to gain SSH access with root privileges while normal users continue to log in through the regular authentication path.

The module also captures credentials entered by legitimate users who authenticate through the compromised PAM stack. The implant includes features to alter or remove authentication log entries associated with malicious activity. Researchers who analyzed the code found anti-debugging measures, network-aware triggers and a builder pipeline that can produce configurable modules.

Flare.io researcher Assaf Morag described the tool in a technical report as a PAM-based post-exploitation backdoor that enables covert authentication to servers via OpenSSH and is designed to remain persistent on Linux systems. In the report he wrote: “While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories.”

PamDOORa appears to be intended for use after an attacker has already obtained root access to a host. In likely infection scenarios, an adversary gains root through another vulnerability or misconfiguration and then installs the PAM module to intercept future authentication attempts and capture credentials.

PamDOORa is the second known Linux backdoor to target PAM after an earlier implant called Plague. PAM is an authentication framework used on Unix and Linux systems that lets administrators add or change authentication methods without rewriting applications. PAM modules typically run with root privileges, and a compromised or malicious module can be used to capture credentials or create persistent access.

Security vendor Group-IB noted in September 2024 that PAM does not store passwords but passes authentication values in plaintext during a login attempt and that the pam_exec module can be abused to run external commands during authentication. That behavior can be used to obtain a privileged shell and to persist on a host.

Researchers recommend auditing PAM configuration files, monitoring PAM directories for unexpected modules, and restricting write access to PAM libraries and configuration files. They also advise regular review of authentication logs, integrity checks on PAM binaries, patching to prevent initial compromises, limiting privileged access and using host-based intrusion detection to help detect and block misuse of PAM modules.
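The audit the researchers recommend can be partly scripted. The following is an added example (not code from the report or from Flare.io) that parses PAM stack files, flags modules absent from an assumed baseline, modules loaded from non-standard paths, and pam_exec hooks, and runs on a constructed sshd configuration; the baseline set, the module directories and the sample file are assumptions to adjust per distribution.

```python
import re
from pathlib import Path

# Assumed baseline for a typical sshd/common-auth stack; build your own from a known-good host.
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
            "pam_motd.so", "pam_limits.so", "pam_mail.so", "pam_loginuid.so",
            "pam_keyinit.so", "pam_systemd.so", "pam_faillock.so", "pam_selinux.so"}
SYSTEM_MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib64/security",
                      "/lib/x86_64-linux-gnu/security", "/usr/lib/security")
# type  control  module-path  [args]; control may be a bracketed expression like [success=done default=ignore]
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_pam_config(text, source="<constructed>", baseline=BASELINE):
    """Return (severity, location, message) findings for the contents of one PAM config file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line)
        if not m:  # blank line, comment, or @include directive
            continue
        ptype, control, module, args = m.groups()
        where = f"{source}:{lineno}"
        name = Path(module).name
        if module.startswith("/") and not any(module.startswith(d + "/") for d in SYSTEM_MODULE_DIRS):
            findings.append(("high", where, f"module loaded from non-standard path: {module}"))
        if name not in baseline:
            sev = "high" if ptype == "auth" else "medium"  # auth modules see the plaintext password
            extra = "; can short-circuit the stack" if control == "sufficient" or "success=done" in control else ""
            findings.append((sev, where, f"module not in baseline: {name} ({ptype} {control}){extra}"))
        if name == "pam_exec.so":
            findings.append(("medium", where, f"pam_exec runs external command: {args.strip()}"))
    return findings

def scan_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every file in a real PAM directory; a clean baseline host yields no findings."""
    results = []
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            results.extend(audit_pam_config(path.read_text(errors="replace"), str(path)))
    return results

# Constructed sshd stack: a rogue module placed before pam_unix plus a pam_exec hook.
SAMPLE_SSHD = """\
auth    sufficient /usr/lib/pam_sshauth.so   # rogue: grants access before pam_unix runs
auth    required   pam_unix.so
auth    optional   pam_exec.so /opt/collect.sh
account required   pam_nologin.so
@include common-account
session required   pam_loginuid.so
"""
```

Call `audit_pam_config(SAMPLE_SSHD, "sshd")` to see the three classes of finding on the sample, or `scan_pam_dir()` to audit a live host.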
