New Plague backdoor silently bypasses authentication controls to maintain stealthy SSH access to targeted Linux systems.

A sophisticated Linux backdoor, dubbed Plague, has recently emerged as a significant security concern for system administrators and cybersecurity professionals. Leveraging the trusted Pluggable Authentication Module (PAM) framework, Plague enables attackers to silently bypass authentication controls and maintain persistent SSH access to targeted Linux systems.

Technical Analysis

Malicious PAM Module Deployment

Plague is designed to integrate seamlessly into a system’s authentication stack by masquerading as a legitimate PAM module—often under names such as libselinux.so.8. Embedded at this critical point in the authentication process, it grants attackers covert access to the server, effectively intercepting and subverting standard login procedures.

Authentication Bypass and Persistence

Once deployed, Plague allows threat actors to authenticate using a static, hardcoded backdoor password or similar mechanism. This access route operates entirely outside the system’s normal logging and monitoring, enabling undetected, persistent SSH sessions. On successful login, Plague takes further steps to erase its presence: it scrubs relevant SSH environment variables and redirects command history logs (HISTFILE) to /dev/null, eliminating forensic evidence of its activity.
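The two sections above describe a module that does not follow the pam_*.so naming convention being wired into the authentication stack. As an added defensive check (not code from the article or from any vendor it cites), the script below parses PAM rule files and lists PAM module directories, flagging any module whose name breaks that convention (a name like libselinux.so.8 would stand out) or that is loaded from outside the usual module directories; PAM_DIRS is an assumed list to adjust per distribution, and SAMPLE_PAM_CONFIG is a constructed example.

```python
import glob
import os
import re
# Common PAM module directories (assumption: adjust for the distribution being audited).
PAM_DIRS = ("/lib/security", "/lib64/security", "/usr/lib64/security",
            "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security")
# One PAM rule: optional '-', type, control word or [bracketed control], module, args.
RULE_RE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
LEGIT_NAME_RE = re.compile(r"^pam_[A-Za-z0-9_]+\.so$")  # Linux-PAM module naming convention

# Constructed sample: a 'sufficient' non-pam_ module inserted ahead of pam_unix.
SAMPLE_PAM_CONFIG = """\
auth       required     pam_env.so
auth       sufficient   libselinux.so.8
auth       [success=1 default=ignore] pam_unix.so nullok
auth       include      postlogin
-session   optional     pam_systemd.so
"""

def parse_pam_rules(text):
    """Return (type, control, module) tuples; skips comments, @include, include/substack."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) not in ("include", "substack"):
            rules.append(m.groups())
    return rules

def audit_pam_config(text, source="<config>"):
    """Flag rules whose module name breaks the pam_*.so convention or sits outside PAM_DIRS."""
    findings = []
    for rtype, control, module in parse_pam_rules(text):
        if not LEGIT_NAME_RE.match(os.path.basename(module)):
            findings.append(f"{source}: {rtype} {control} {module}: non-standard module name")
        elif os.path.isabs(module) and os.path.dirname(module) not in PAM_DIRS:
            findings.append(f"{source}: {rtype} {control} {module}: module outside PAM dirs")
    return findings

def audit_pam_dir(filenames):
    """Flag shared objects in a PAM module directory that are not named pam_*.so."""
    return sorted(f for f in filenames if ".so" in f and not LEGIT_NAME_RE.match(f))

if __name__ == "__main__":  # audit the live system; no output means nothing was flagged
    for d in filter(os.path.isdir, PAM_DIRS):
        for f in audit_pam_dir(os.listdir(d)):
            print(f"{d}/{f}: unexpected object in PAM module directory")
    for path in sorted(filter(os.path.isfile, glob.glob("/etc/pam.d/*"))):
        with open(path, errors="replace") as fh:
            for finding in audit_pam_config(fh.read(), path):
                print(finding)
```

Findings are leads, not verdicts: confirm each flagged file with package ownership (`rpm -qf` or `dpkg -S`) and a hash comparison against the distribution's package contents.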

Advanced Stealth and Evasion Techniques

Modern detection tools are often unable to identify Plague due to its multi-layered evasion strategies:

  • Obfuscated Code: Plague employs multiple string obfuscation methods, including XOR encoding and cryptographic routines, making static analysis and reverse engineering highly challenging for analysts.
  • Anti-Debugging Measures: The backdoor checks for sandbox and debugging environments and takes steps to avoid detection by forensic tools and incident responders.
  • Update Resilience: Plague’s integration at a privileged level means it can survive standard system updates and routine administrative intervention.

Undetected and Actively Developed

Remarkably, there have been cases where Plague remained undetected for over a year, even when various samples were uploaded to public malware scanning services. As of August 2025, the vast majority of antivirus and endpoint protection solutions still do not flag Plague as malicious. The existence of multiple variants, optimized for different environments, suggests active ongoing development and testing by multiple threat actors.
