Plague is a newly identified Linux backdoor that silently bypasses system authentication. It functions as a malicious PAM, enabling persistent SSH access for attackers. The malware has evaded detection by antivirus tools since July 2024, with multiple samples showing ongoing development by unknown threat actors. Plague includes features for static credentials, anti-debugging, string obfuscation, and stealth tactics like erasing SSH session evidence. These characteristics allow it to integrate into the authentication stack, survive updates, and leave minimal forensic traces, complicating detection efforts.
The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.
Plague has four prominent features: static credentials that allow covert access; anti-debugging and string obfuscation that resist analysis and reverse engineering; and enhanced stealth, achieved by erasing evidence of an SSH session.
Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces.
The presence of several samples signals active development of the malware by the unknown threat actors behind it.
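Because a backdoor like this has to be referenced from the PAM configuration to run, one practical check is to inventory every module the PAM stack loads and flag anything that is not on a host-specific allowlist. The script below is an added defender-side example, not code from the report or from the malware; the allowlist, the sample sshd configuration and the module name pam_example_unknown.so are constructed assumptions.

```python
"""Inventory PAM modules referenced by pam.d-style configuration and flag
any that are not on a known-good allowlist, so an inserted module stands out."""
import re
from pathlib import Path

# Hypothetical allowlist: module basenames expected on this host.
# A real deployment would derive this from the package manager's file lists.
KNOWN_GOOD = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
              "pam_nologin.so", "pam_limits.so", "pam_motd.so", "pam_systemd.so"}

# PAM rule: [-]<type> <control> <module-path> [args]; control may be [bracketed].
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+"
                      r"(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_modules(text):
    """Return a list of (type, control, module_basename) for each active rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments before matching
        m = PAM_LINE.match(line)
        if m:
            mtype, control, module = m.groups()
            rules.append((mtype, control, Path(module).name))
    return rules

def suspicious_modules(text, known_good=KNOWN_GOOD):
    """Return the set of referenced module names that are not on the allowlist."""
    return {mod for _, _, mod in parse_pam_modules(text) if mod not in known_good}

def scan_pam_dir(pam_dir="/etc/pam.d", known_good=KNOWN_GOOD):
    """Map each config file under pam_dir to its unexpected modules (if any)."""
    findings = {}
    for cfg in sorted(Path(pam_dir).glob("*")):
        if cfg.is_file():
            bad = suspicious_modules(cfg.read_text(errors="replace"), known_good)
            if bad:
                findings[cfg.name] = bad
    return findings

# Constructed sample: an sshd stack with one unexpected module inserted.
SAMPLE_SSHD = """\
#%PAM-1.0
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient  /lib/security/pam_example_unknown.so   # constructed
auth       requisite   pam_deny.so
account    required    pam_nologin.so
session    optional    pam_motd.so
-session   optional    pam_systemd.so
"""

if __name__ == "__main__":
    for rule in parse_pam_modules(SAMPLE_SSHD):
        print(rule)
    print("unexpected:", suspicious_modules(SAMPLE_SSHD))
```

Run scan_pam_dir() on a live host to apply the same check to the real /etc/pam.d tree; a module that is unexpected there should then be verified against package ownership and its file hash, since an allowlist alone cannot tell a legitimate local addition from a planted one.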