New PamDOORa Linux backdoor sold on cybercrime forum

May 11, 2026, by SC Staff

As reported by The Hacker News, cybersecurity researchers have uncovered a new Linux backdoor named PamDOORa, being sold for $1,600 on the Rehub Russian cybercrime forum by a threat actor known as "darkworm." The tool leverages the Pluggable Authentication Module (PAM) framework to provide persistent SSH access and harvest credentials.

PamDOORa functions as a post-exploitation toolkit, enabling attackers to gain persistent access to Linux systems (x86_64) through a "magic password" and a specific TCP port combination. As a PAM-based backdoor, it operates with root privileges, making it a significant security risk. PAM's modularity allows malicious modifications, which PamDOORa exploits to steal credentials from legitimate users and tamper with authentication logs to erase traces of its activity. This is the second Linux backdoor targeting the PAM stack, following Plague.

There is no current evidence of PamDOORa being used in real-world attacks. It is believed that attackers first gain root access through other means before deploying the backdoor. The seller, "darkworm," has reduced the price from $1,600 to $900, possibly due to a lack of buyer interest. Researchers note that PamDOORa represents an evolution in operator-grade tooling due to its integrated features and builder pipeline.

Source: The Hacker News
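The article notes that PAM's modularity is what a backdoor of this kind abuses. As an added example (not from the article or the researchers' report), the following Python code audits the text of a PAM service file for module references that fall outside an expected baseline; the baseline set, the sample file and the module names in it are constructed assumptions.

```python
import re

# Assumed baseline of module names expected on this host (constructed for the example).
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so"}
# Directories where distributions commonly install PAM modules.
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                 "/usr/lib/x86_64-linux-gnu/security/")
# Fields: type, control (single word or [bracketed]), module path, optional arguments.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def audit_pam_service(text, baseline=BASELINE):
    """Return (logical line number, module, reason) for references worth reviewing."""
    findings = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for lineno, raw in enumerate(logical.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, line, "unparseable line"))
            continue
        _type, control, module, _args = m.groups()
        if control in ("include", "substack"):
            continue  # third field names another service file, not a module
        name = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(STANDARD_DIRS):
            findings.append((lineno, module, "absolute path outside standard module dirs"))
        elif name not in baseline:
            findings.append((lineno, module, "module not in baseline"))
    return findings

# Constructed sample of an /etc/pam.d/sshd file; the modules on lines 3 and 6 are made up.
SAMPLE_SSHD = """\
# constructed sample
auth       required     pam_env.so
auth       sufficient   /opt/example/pam_helper.so
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       requisite    pam_deny.so
auth       optional     pam_audit_ext.so
account    required     pam_nologin.so
session    include      common-session
"""

if __name__ == "__main__":
    for finding in audit_pam_service(SAMPLE_SSHD):
        print(finding)
```

A module that has been overwritten in place under a baseline name passes this check, so pair it with the package manager's file verification (`rpm -V` or `dpkg --verify`).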