Skip to main content
Emerging ThreatsMalware & Ransomware

Linux Backdoor Exploits PAM Modules to Harvest SSH Credentials

Dusty server room with Linux server at center, surrounded by cables and equipment under flickering fluorescent light.

$1,600. That is the price tag attached to a newly disclosed Linux backdoor called PamDOORa, being offered on the Rehub Russian cybercrime forum by a threat actor using the name "darkworm."

PamDOORa: a PAM-based post-exploitation toolkit

Cybersecurity researchers have disclosed details of PamDOORa, a backdoor that is built around Pluggable Authentication Module (PAM) components. The disclosure characterizes PamDOORa explicitly as a PAM-based post-exploitation toolkit, meaning its design leverages PAM modules as part of its operational model.

Persistent SSH access by a magic password and TCP port

According to the disclosure, PamDOORa enables persistent SSH access through a combination of two factors: a "magic" password and a specific TCP port. The advertised capability ties authentication bypass or covert unlocking of SSH to that password-and-port pairing, allowing the toolkit to maintain access after initial compromise.

For sale on Rehub by "darkworm"

The offering for PamDOORa appears on Rehub, identified in the disclosure as a Russian cybercrime forum. The seller is named in the advertisement as "darkworm," and the listed price for the toolkit is $1,600. The presence of a private sale posting on a public criminal forum is a central fact in the researchers' disclosure.

What this means for security teams, procurement leaders, and adversaries

  • Security teams and system administrators: The disclosure flags a capability that targets SSH authentication pathways and uses PAM components; teams responsible for SSH deployments and authentication modules will want to be aware that a PAM-based toolkit is being marketed.
  • Procurement leaders and enterprise IT: The availability of a packaged, paid backdoor — advertised at $1,600 — underscores that such tooling can be acquired on cybercrime forums rather than developed internally, a fact that intersects with risk assessments tied to supply and actor access.
  • Adversaries and threat actors: The advertisement by "darkworm" demonstrates that a PAM-centered post-exploitation approach is part of the toolkit market being offered for purchase, signaling a commercial option for maintaining SSH access after compromise.

Commercial availability raises a concrete question

The researchers' disclosure establishes three clear facts: the backdoor is named PamDOORa, it is PAM-based and designed to persistently access SSH via a magic password and TCP port, and it is being advertised on Rehub for $1,600 by an actor calling themselves "darkworm." Taken together, those facts mark PamDOORa as a commercially offered exploit tool focused on authentication layers. What remains open from the disclosure is the scope of its deployment in the wild — how many systems, if any, are already backdoored using PamDOORa and where those compromises may have occurred.

Original story