Plague Linux Backdoor Malware Remained Undetected For A Year

A new Linux malware known as “Plague” has recently come to the attention of cybersecurity experts. This malware, classified as a Linux backdoor, managed to remain undetected for almost a year.

Plague Linux Malware Establishes Persistent Access

Researchers from Nextron have provided insights into the Plague malware – a stealthy Linux backdoor – in a recent article.

According to the researchers, the Plague malware was initially uploaded to VirusTotal almost a year ago but went unnoticed by anti-malware programs. This highlights its ability to evade detection and establish a potent backdoor into Linux systems. Despite several iterations of the malware appearing over time, all managed to evade detection.

The researchers attribute the malware’s stealth to its use of PAM (Pluggable Authentication Modules), which allows it to bypass system authentication and maintain persistent SSH access. The malware integrates deeply within the target system so that it survives system updates, employs heavy obfuscation and environment tampering to evade security measures, and uses encryption and obfuscation techniques such as XOR, RC4’s KSA and PRGA, and a DRBG to hide its activities.

Noteworthy features of the Plague malware include anti-debug capabilities, the ability to erase SSH session traces and evade forensic detection, and persistent access through hardcoded static passwords.

PAM-Based Malware Poses a Serious Threat to Linux Security

Plague is not the first malware to exploit PAM for targeting Linux systems. In May 2025, Nextron researchers discovered another backdoor using PAM to avoid detection. These backdoors pose risks such as password theft and data exfiltration, emphasizing the need for enhanced security measures on Linux systems.

In addition to PAM-based malware, threat actors have developed other strategies to evade detection on Linux systems, such as sedexp and CronRAT malware. To combat stealthy malware like Plague, experts recommend using YARA-based hunting and behavioral analysis to scan core Linux systems.
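Since a PAM backdoor of the kind described above has to be loaded from a PAM stack file to take effect, one concrete piece of the hunting the researchers recommend is a baseline audit of those files. The script below is an added example, not code from the article or from Nextron's research: it parses `/etc/pam.d`-style configuration, lists every module each stack loads, and flags modules that are not in a known-good set or are loaded from outside the standard module directories, ranking an unknown module that can satisfy the `auth` stack on its own highest. The sample sshd configuration, the `pam_helper.so` module name, and the allowlist are constructed for illustration; a real allowlist should be generated from a trusted host's package manifests.

```python
"""PAM stack audit for unexpected authentication modules.

Added example (not from the article or from Nextron's research).  The sample
configuration and the allowlist are constructed; build the real allowlist
from the package manager of a known-clean host.
"""
from dataclasses import dataclass
from pathlib import Path

PAM_TYPES = {"auth", "account", "password", "session"}

# Directories from which distributions normally load PAM modules.
STANDARD_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
)

# Illustrative allowlist (constructed); generate the real one from packages.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_faildelay.so", "pam_succeed_if.so", "pam_systemd.so",
    "pam_limits.so", "pam_motd.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_nologin.so", "pam_selinux.so", "pam_lastlog.so", "pam_sss.so",
}


@dataclass(frozen=True)
class PamEntry:
    service: str
    mtype: str      # auth / account / password / session
    control: str    # required, sufficient, [success=1 default=ignore], ...
    module: str     # module name or path exactly as written in the config
    args: str


def parse_pam_config(text: str, service: str) -> list:
    """Parse one /etc/pam.d/<service> file into PamEntry records.

    Comments, blank lines and @include directives are skipped.  A bracketed
    control field may contain spaces and is reassembled into one token.
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-").lower()   # leading '-' = silent if missing
        if mtype not in PAM_TYPES:
            continue
        if tokens[1].startswith("["):
            end = 1
            while end < len(tokens) and not tokens[end].endswith("]"):
                end += 1
            if end == len(tokens):
                continue    # unterminated control bracket; ignore malformed line
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append(PamEntry(service, mtype, control, rest[0], " ".join(rest[1:])))
    return entries


def audit_entries(entries, known=KNOWN_MODULES) -> list:
    """Return (entry, reason) pairs for modules a defender should inspect."""
    findings = []
    for e in entries:
        reasons = []
        if Path(e.module).name not in known:
            reasons.append("module not in known-good set")
        if "/" in e.module and not e.module.startswith(STANDARD_DIRS):
            reasons.append("loaded from a non-standard path")
        if reasons and e.mtype == "auth" and e.control == "sufficient":
            # An unknown module that alone can satisfy the auth stack is the
            # shape a password-bypassing backdoor takes; rank it highest.
            reasons.append("can satisfy the auth stack by itself")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def audit_pam_dir(pam_dir: str = "/etc/pam.d", known=KNOWN_MODULES) -> list:
    """Audit every stack file in a real /etc/pam.d directory."""
    findings = []
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            text = path.read_text(errors="replace")
            findings.extend(audit_entries(parse_pam_config(text, path.name), known))
    return findings


# Constructed sample: a normal sshd stack with one injected module.
SAMPLE_SSHD = """\
# constructed /etc/pam.d/sshd for this example
auth       required     pam_env.so
auth       sufficient   /usr/lib/pam_helper.so   # constructed: not a real module
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
@include common-account
session    required     pam_loginuid.so
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    for entry, reason in audit_entries(parse_pam_config(SAMPLE_SSHD, "sshd")):
        print(f"[{entry.service}] {entry.mtype} {entry.control} {entry.module}: {reason}")
```

Run it as-is to see the constructed sample flagged, or call `audit_pam_dir()` on a live host; pair the output with package-manager verification of the flagged `.so` files, since an allowlist only catches modules by name, not a trojanized copy of a legitimate one.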
