$1,600. That is the price tag attached to a newly disclosed Linux backdoor called PamDOORa, being offered on the Rehub Russian cybercrime forum by a threat actor using the name "darkworm."
PamDOORa: a PAM-based post-exploitation toolkit
Cybersecurity researchers have disclosed details of PamDOORa, a backdoor that is built around Pluggable Authentication Module (PAM) components. The disclosure characterizes PamDOORa explicitly as a PAM-based post-exploitation toolkit, meaning its design leverages PAM modules as part of its operational model.
Persistent SSH access by a magic password and TCP port
According to the disclosure, PamDOORa enables persistent SSH access through a combination of two factors: a "magic" password and a specific TCP port. The advertised capability ties authentication bypass or covert unlocking of SSH to that password-and-port pairing, allowing the toolkit to maintain access after initial compromise.
For sale on Rehub by "darkworm"
The offering for PamDOORa appears on Rehub, identified in the disclosure as a Russian cybercrime forum. The seller is named in the advertisement as "darkworm," and the listed price for the toolkit is $1,600. The presence of a private sale posting on a public criminal forum is a central fact in the researchers' disclosure.
What this means for security teams, procurement leaders, and adversaries
- Security teams and system administrators: The disclosure flags a capability that targets SSH authentication pathways and uses PAM components; teams responsible for SSH deployments and authentication modules will want to be aware that a PAM-based toolkit is being marketed.
- Procurement leaders and enterprise IT: The availability of a packaged, paid backdoor — advertised at $1,600 — underscores that such tooling can be acquired on cybercrime forums rather than developed internally, a fact that intersects with risk assessments tied to supply and actor access.
- Adversaries and threat actors: The advertisement by "darkworm" demonstrates that a PAM-centered post-exploitation approach is part of the toolkit market being offered for purchase, signaling a commercial option for maintaining SSH access after compromise.
Commercial availability raises a concrete question
The researchers' disclosure establishes three clear facts: the backdoor is named PamDOORa, it is PAM-based and designed to persistently access SSH via a magic password and TCP port, and it is being advertised on Rehub for $1,600 by an actor calling themselves "darkworm." Taken together, those facts mark PamDOORa as a commercially offered exploit tool focused on authentication layers. What remains open from the disclosure is the scope of its deployment in the wild — how many systems, if any, are already backdoored using PamDOORa and where those compromises may have occurred.




