Plague – New Linux Malware Provides Stealth Access via SSH

04.08.2025 2 minutes Author: Newsman

A new Linux malware sample called *Plague*, discovered by Nextron Systems, has remained undetected for over a year. It provides stealth SSH access to compromised systems, bypasses authentication, and obliterates all digital traces of the attacker.

Plague is a malicious PAM (Pluggable Authentication Module) authentication module designed to integrate deeply into a Linux system. Thanks to multi-layered obfuscation, runtime hiding, and anti-analysis sabotage, this backdoor avoids detection by traditional security tools.

Among its functions:

  • Authentication bypass: embedded passwords grant access without valid credentials;
  • Stealth SSH sessions: hides environment variables such as SSH_CLIENT and SSH_CONNECTION;
  • Log cleaning: redirects HISTFILE to /dev/null so shell command history is never written;
  • Analysis protection: anti-debugging, string obfuscation, and reverse-engineering sabotage.

Plague is able to survive system updates while maintaining constant access to servers. During the study, compilation artifacts were found for different Linux distributions with different versions of GCC, which indicates a long period of active development.

This is not the first attack using PAM. In May 2025, Nextron discovered similar samples of malicious code that used PAM modules to steal credentials. But *Plague* is much more sophisticated. Antivirus systems on VirusTotal failed to recognize it as a threat for a year — no engine registered suspicion.

This indicates that the developers are well versed in detection evasion, analysis tooling, and techniques for hiding a backdoor inside the legitimate authentication stack.

Plague is a silent killer in the Linux backdoor world, avoiding any logging, remaining present after updates, and leaving no trace in the system. If your system is running Linux, it’s time to review your security measures. Use tools with full PAM analysis support and firewalls that monitor for unusual SSH sessions.
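Because Plague has to be loaded as a PAM module, it must be referenced from a file under /etc/pam.d (or /etc/pam.conf). The following added example (not code from the article or from Nextron) parses pam.d-style configuration and flags modules that a package-owned baseline does not account for; the sample config, the `pam_sample*` names and the baseline set are all constructed for illustration.

```python
import re
from pathlib import Path

# Bracketed control fields such as [success=1 default=ignore] contain spaces,
# so tokenise with a regex; with include/substack the third field is a file.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")
_NOT_A_MODULE = {"include", "substack"}

def parse_pam_modules(text: str) -> list:
    """Return (type, module) pairs referenced by pam.d-style text.
    Comments, blank lines and @include lines are skipped; the leading '-'
    that silences a missing module is stripped so the entry is still seen."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        tokens = _TOKEN.findall(line)
        if len(tokens) < 3 or tokens[1].lower() in _NOT_A_MODULE:
            continue
        found.append((tokens[0].lstrip("-"), tokens[2]))
    return found

def unexpected_modules(text: str, baseline: set) -> list:
    """Flag modules the package-owned baseline does not account for: an
    absolute path (bypasses the standard security/ directory) is always
    reported, a bare name only when it is not in the baseline."""
    flagged = []
    for _, module in parse_pam_modules(text):
        if module.startswith("/"):
            flagged.append((module, "absolute module path"))
        elif Path(module).name not in baseline:
            flagged.append((module, "not in package-owned baseline"))
    return flagged

# Constructed sample resembling /etc/pam.d/sshd; the pam_sample* names stand
# in for an unexpected module and are not the real Plague file names.
SAMPLE_SSHD = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
@include common-account
session    include      common-session
-session   optional     pam_systemd.so
auth       sufficient   pam_sample.so            # constructed: unknown module
session    optional     /usr/lib/pam_sample2.so  # constructed: absolute path
"""
# Constructed baseline; on a real host build it from dpkg -S / rpm -qf.
BASELINE = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_systemd.so"}
```

Run `unexpected_modules(Path("/etc/pam.d/sshd").read_text(), baseline)` on a live host with a baseline derived from the package manager to get the same report for real configuration.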
