Cloud Threat Landscape

Made with 💙 by Wiz

Last Updated: April 3, 2025

Plague PAM-Based Backdoor for Linux

Type: Campaign
Actors: Unknown
Pub. date: August 4, 2025
Initial access: Password attack
Impact: Data exfiltration
Observed techniques: Create SSH backdoor
Observed tools: Plague backdoor
Targeted technologies: Linux
References: https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
Status: Finalized
Last edited: Aug 5, 2025 9:08 AM

A newly discovered Linux backdoor, dubbed Plague, was embedded as a malicious PAM (Pluggable Authentication Module) component. Designed to silently bypass system authentication, Plague grants attackers persistent SSH access while evading all known antivirus detection and leaving minimal forensic traces. It has been in active development for at least a year, with samples dating back to mid-2024.

Plague integrates deeply into the Linux authentication stack by impersonating legitimate shared libraries such as libselinux.so.8, which ensures it is loaded whenever a user logs in. It uses multiple layers of obfuscation, including XOR, custom KSA/PRGA-like routines, and a DRBG (Deterministic Random Bit Generator), to protect both strings and memory offsets. Anti-debugging checks prevent execution in monitored environments, and the implant clears SSH-related environment variables and shell history to remove evidence of attacker presence. Access is controlled via hardcoded static passwords, and the malware checks runtime conditions before activating, which keeps it quiet in dynamic environments.
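Because the implant is reached through the PAM stack rather than through a separate service, one of the cheapest defensive checks is a configuration audit: enumerate every module referenced from the PAM configuration and flag anything that does not look like a distribution PAM module. The script below is an added example written for this page; it is not code from Wiz or from the Nextron report. It parses pam.d-style lines (including the bracketed `[success=1 default=ignore]` control syntax and the optional leading `-` on the type field), and flags modules whose file name does not match `pam_*.so` or that are loaded from a directory outside the standard PAM module locations. The `KNOWN_MODULE_DIRS` list and the sample sshd configuration are constructed for illustration; the planted `libselinux.so.8` line mirrors the masquerading described above.

```python
"""Audit a PAM stack for module references that do not look like PAM modules.

Added example for the Plague write-up (not from Wiz or Nextron). The sample
sshd configuration and KNOWN_MODULE_DIRS below are constructed assumptions.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: typical Debian/Ubuntu and RHEL-family PAM module directories.
KNOWN_MODULE_DIRS = (
    "/lib/security",
    "/lib64/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Legitimate PAM modules are named pam_<name>.so; a bare libselinux.so.8 is not.
_MODULE_NAME_RE = re.compile(r"pam_[A-Za-z0-9_]+\.so")

# type  control  module-path [args]; control may be a bracketed action list.
_LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)


@dataclass
class PamEntry:
    service: str
    mtype: str
    control: str
    module: str
    args: str


def parse_pam_config(service: str, text: str) -> List[PamEntry]:
    """Parse one /etc/pam.d/<service> file. Unparseable lines are kept
    with mtype '?' so the auditor can surface them instead of dropping them."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line or line.startswith("@include"):
            continue  # @include pulls in another pam.d file; audit that file separately
        m = _LINE_RE.match(line)
        if not m:
            entries.append(PamEntry(service, "?", "?", line, ""))
            continue
        entries.append(PamEntry(service, m["type"], m["control"], m["module"], m["args"] or ""))
    return entries


def audit_entries(entries: List[PamEntry]) -> List[Tuple[str, str, List[str]]]:
    """Return (service, module, reasons) for every suspicious module reference."""
    findings = []
    for e in entries:
        reasons = []
        if e.mtype == "?":
            reasons.append("unparseable PAM line")
        base = e.module.rsplit("/", 1)[-1]
        if not _MODULE_NAME_RE.fullmatch(base):
            reasons.append("module name does not match pam_*.so")
        if "/" in e.module and os.path.dirname(e.module) not in KNOWN_MODULE_DIRS:
            reasons.append("module loaded from non-standard directory")
        if reasons:
            findings.append((e.service, e.module, reasons))
    return findings


def audit_pam_d(pam_dir: str = "/etc/pam.d") -> List[Tuple[str, str, List[str]]]:
    """Audit every service file under pam_dir on a live host."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_entries(parse_pam_config(name, fh.read())))
    return findings


# Constructed sample of an /etc/pam.d/sshd file with two planted anomalies.
SAMPLE_SSHD = """\
# constructed sample, not a real host configuration
@include common-auth
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    optional    libselinux.so.8
session required    /opt/helpers/pam_custom.so debug
session required    pam_limits.so
"""

if __name__ == "__main__":
    for service, module, reasons in audit_entries(parse_pam_config("sshd", SAMPLE_SSHD)):
        print(f"{service}: {module} -> {'; '.join(reasons)}")
```

Run against the embedded sample, the script flags `libselinux.so.8` (a non-PAM library name in the auth stack) and `/opt/helpers/pam_custom.so` (a plausibly named module loaded from outside the distribution's module directories); `audit_pam_d()` applies the same logic to a live `/etc/pam.d`. This catches the configuration half of the technique only: a module that keeps a legitimate name but has been replaced on disk needs a file-level check, such as verifying the `.so` against the package manager's recorded hashes.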