Linux PamDOORa Backdoor Exploits PAM to Steal SSH Credentials
Cybersecurity researchers have disclosed a previously unknown Linux backdoor called PamDOORa that is being actively advertised on the Russian cybercrime forum Rehub for $1,600 by a threat actor operating under the alias 'darkworm'. The malware is marketed as a ready‑to‑deploy PAM‑based credential harvester, suggesting it is aimed at actors seeking to compromise SSH‑based remote access in enterprise Linux environments.
Technically, PamDOORa is delivered as a compiled PAM module named 'pam_pamdoor.so' and is typically dropped into the '/usr/lib/security/' directory. Upon insertion into the PAM stack—most commonly by adding a line to '/etc/pam.d/sshd'—the module hooks the 'pam_authenticate' function and captures plaintext passwords and optional SSH key passphrases as they are entered. The harvested credentials are then encrypted with a simple XOR scheme and exfiltrated to a remote server via an HTTP POST request. The backdoor also contains a small reverse‑shell payload that can be triggered by a special environment variable, allowing the attacker to obtain an interactive session on the compromised host.
Detection of PamDOORa hinges on identifying anomalies in the PAM configuration and the filesystem. Key indicators of compromise include the presence of an unexpected library file in '/usr/lib/security/', unauthorized additions to PAM configuration files such as 'account required pam_pamdoor.so', and outbound HTTP traffic to an unknown IP on port 80. Security teams should employ file‑integrity monitoring tools like AIDE or Tripwire to track changes to PAM binaries, review '/var/log/auth.log' for suspicious authentication events, and enforce strict module‑loading policies via AppArmor or SELinux. Implementing two‑factor authentication for SSH, disabling root login, and regularly auditing the PAM stack for unauthorized modules further reduce the risk of successful deployment.
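The PAM-stack audit described above, as an added example that is not from the article or any vendor tool: it parses pam.d-style lines (including bracketed controls such as `[success=1 default=ignore]` and the `-type` prefix) and flags any module not on a constructed allowlist or loaded from outside the standard module directories. The allowlist, standard directories and the sample sshd fragment are assumptions for this example; build the real allowlist from your distro's package file lists and run `audit_pam_config` over each file in `/etc/pam.d`.

```python
import os

PAM_TYPES = {"auth", "account", "password", "session"}
STD_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
            "/usr/lib64/security", "/lib/x86_64-linux-gnu/security"}
# Constructed allowlist for this example; build yours from package file lists.
KNOWN_MODULES = {"pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_systemd.so", "pam_limits.so"}

def parse_pam_entry(line):
    """Parse one pam.d line; None for blank/comment/@include, raises if malformed."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    tokens = line.split()
    mtype = tokens[0].lstrip("-")        # "-session": skip quietly if missing
    if mtype not in PAM_TYPES:
        raise ValueError(line)
    i, control = 1, tokens[1]
    while control.startswith("[") and not control.endswith("]"):
        i += 1                           # bracketed control spans several
        control += " " + tokens[i]       # tokens: [success=1 default=ignore]
    return mtype, control, tokens[i + 1]

def audit_pam_config(text, known=KNOWN_MODULES):
    """Return (reason, module, line) findings for the text of one pam.d file."""
    findings = []
    for raw in text.splitlines():
        try:
            entry = parse_pam_entry(raw)
        except (ValueError, IndexError):
            findings.append(("malformed-line", None, raw.strip()))
            continue
        if entry is None:
            continue
        module = entry[2]
        if module.startswith("/") and os.path.dirname(module) not in STD_DIRS:
            findings.append(("module-outside-standard-dirs", module, raw.strip()))
        elif os.path.basename(module) not in known:
            findings.append(("unknown-module", os.path.basename(module), raw.strip()))
    return findings

SAMPLE_SSHD = """\
# Constructed /etc/pam.d/sshd fragment for this example
@include common-auth
auth     [success=1 default=ignore] pam_unix.so nullok
account  required  pam_nologin.so
account  required  pam_pamdoor.so
-session optional  pam_systemd.so
session  required  /tmp/.cache/pam_unix.so
"""
```

Pair the output with file-integrity monitoring of the directories in `STD_DIRS`, since a module that replaces a legitimately named library would pass the name check here.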
The seller, 'darkworm', has a history of peddling lightweight crime‑ware in Russian‑language underground markets, and the $1,600 price tag positions PamDOORa as a niche tool for targeted intrusions rather than mass exploitation. While the malware is not currently linked to a specific high‑profile campaign, its ability to harvest SSH credentials makes it attractive for supply‑chain compromises if bundled with software updates or repositories. Law‑enforcement agencies are monitoring the Rehub forum, and defenders are advised to apply the latest patches, restrict repository access, and monitor for the IOCs listed in the associated threat‑intel advisory.