New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
A backdoor named PamDOORa is being sold on a Russian forum; it grants persistent SSH access and steals credentials
PamDOORa PAM Backdoor Sold on Russian Forum Enables SSH Persistence and Credential Harvesting
TL;DR — A Linux backdoor named PamDOORa is being sold on the Rehub Russian cybercrime forum by a threat actor called "darkworm" for $900 (reduced from $1,600). The backdoor leverages Pluggable Authentication Modules (PAM) to enable persistent SSH access, harvest credentials, and tamper with authentication logs. No real-world deployments have been confirmed.
What happened
Cybersecurity researchers at Flare.io have documented a new Linux backdoor, PamDOORa, marketed on the Rehub Russian cybercrime forum. The threat actor "darkworm" initially listed the tool for $1,600 on March 17, 2026, then reduced the price by approximately 50% to $900 by April 9, 2026.
PamDOORa is designed as a PAM-based post-exploitation toolkit. According to Flare.io researcher Assaf Morag, the backdoor enables authentication to servers via OpenSSH and is intended to persist on Linux x86_64 systems. The tool functions by accepting a magic password and specific TCP port combination to grant SSH access to compromised hosts.
Beyond access provisioning, PamDOORa can harvest credentials from all legitimate users who authenticate through the compromised system. The backdoor also incorporates anti-forensic capabilities to tamper with authentication logs and erase traces of malicious activity.
Group-IB previously documented in September 2024 how PAM misuse can create security vulnerabilities. The pam_exec module, which allows execution of external commands, can be exploited to inject malicious scripts into PAM configuration files. PamDOORa follows an earlier PAM-based backdoor named Plague, marking it as the second known Linux backdoor to target the PAM stack.
Morag characterized PamDOORa as an evolution over existing open-source PAM backdoors. While individual techniques such as PAM hooks, credential capture, and log tampering are documented, their integration into a modular implant with anti-debugging and network-aware triggers represents more sophisticated tooling than typical public proof-of-concept scripts.
Why it matters
PAM is a foundational authentication framework in Unix and Linux systems. PAM modules execute with root privileges by design, allowing administrators to implement multiple authentication mechanisms without rewriting applications. This architectural strength becomes a critical weakness when a PAM module is compromised or malicious.
For defenders and system administrators, PamDOORa demonstrates a direct attack surface: if an adversary gains root access to a Linux system, they can deploy a malicious PAM module to harvest every credential entered by legitimate users during authentication. This occurs at the system level, below most application-layer detection mechanisms.
The anti-forensic capabilities present a secondary threat to incident response. Organizations relying on SSH authentication logs to detect unauthorized access or lateral movement may find their audit trail deliberately erased, complicating breach investigation and threat attribution.
The price cut from $1,600 to $900 may indicate either weak demand or a deliberate push for faster uptake. Either way, the tool is becoming more widely available in criminal marketplaces.
Affected systems and CVEs
- Linux (x86_64)
- OpenSSH
- PAM (Pluggable Authentication Modules)
No CVE assigned at the time of publication.
What to do
- Implement strict monitoring of PAM configuration files (/etc/pam.d/) for unauthorized modifications, particularly changes to pam_exec module entries.
- Restrict root-level access and enforce the principle of least privilege across systems and user accounts.
- Enable comprehensive authentication and system logging to detect unauthorized SSH access attempts or anomalous authentication patterns.
- Monitor for suspicious pam_exec module usage in PAM configurations and review legitimacy of any external scripts referenced.
- Ensure PAM modules are obtained only from trusted, verified sources and validate their integrity.
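The monitoring items above (and the pam_exec misuse described earlier) can be put into practice with a small config auditor. The following is an added example written for this article, not code from Flare.io, Group-IB or PamDOORa: it parses the /etc/pam.d line format, flags pam_exec entries and modules loaded from outside the packaged module directory, and compares SHA-256 digests against a stored baseline so that edits to the files stand out. The sample sshd configuration, the "tampered" additions and the baseline are constructed inline; TRUSTED_MODULE_DIR and the KNOWN_MODULES allowlist are assumptions to adjust per distribution.

```python
"""Audit PAM config text: added example for this article, not Flare.io or PamDOORa code.
The sample config and baseline below are constructed; TRUSTED_MODULE_DIR is an assumption."""
import hashlib
import re
from dataclasses import dataclass, field

# Assumption: where packaged modules live (e.g. /lib/x86_64-linux-gnu/security on Debian).
TRUSTED_MODULE_DIR = "/lib/security"

# Starting allowlist of module names; extend it from the packages you actually deploy.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
    "pam_systemd.so", "pam_faillock.so", "pam_pwquality.so", "pam_exec.so", "pam_lastlog.so",
    "pam_umask.so", "pam_access.so", "pam_succeed_if.so", "pam_localuser.so", "pam_sss.so",
}

# type control module [args]; control may be a bracketed list, a leading '-' marks the module optional.
ENTRY_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    line_no: int
    ptype: str
    control: str
    module: str
    args: list = field(default_factory=list)
    optional: bool = False


def parse_pam_config(text: str) -> list:
    """Parse pam.d-style text; handles comments, blank lines and backslash continuations."""
    entries, buffered, start_no = [], "", 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not buffered:
            start_no = line_no  # report the first physical line of a continued entry
        if line.endswith("\\"):
            buffered += line[:-1] + " "
            continue
        line, buffered = (buffered + line).strip(), ""
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {start_no}: unparseable PAM entry: {line!r}")
        dash, ptype, control, module, rest = m.groups()
        entries.append(PamEntry(start_no, ptype, control, module, rest.split(), dash == "-"))
    return entries


def audit_entries(entries: list) -> list:
    """Return findings a reviewer should confirm: pam_exec scripts and unexpected modules."""
    findings = []
    for e in entries:
        if e.control in ("include", "substack"):
            continue  # refers to another config file, not to a module
        name = e.module.rsplit("/", 1)[-1]
        if name == "pam_exec.so":
            script = next((a for a in e.args if a.startswith("/")), "<no path given>")
            findings.append(f"line {e.line_no}: pam_exec runs {script}; confirm it is expected")
        if "/" in e.module and not e.module.startswith(TRUSTED_MODULE_DIR + "/"):
            findings.append(f"line {e.line_no}: module loaded from non-standard path {e.module}")
        elif name not in KNOWN_MODULES:
            findings.append(f"line {e.line_no}: unrecognized module {name}")
    return findings


def build_baseline(files: dict) -> dict:
    """Map {path: contents} to {path: sha256 hex}; keep the result somewhere read-only."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def check_baseline(files: dict, baseline: dict) -> list:
    """Report files whose digest differs from, or is absent from, the baseline."""
    current, drift = build_baseline(files), []
    for path, digest in current.items():
        expected = baseline.get(path)
        if expected is None:
            drift.append(f"{path}: not in baseline (new file)")
        elif expected != digest:
            drift.append(f"{path}: hash changed ({expected[:12]}... -> {digest[:12]}...)")
    drift.extend(f"{p}: in baseline but missing" for p in baseline if p not in current)
    return drift


# Constructed sample of /etc/pam.d/sshd; not copied from any real system.
SAMPLE_SSHD_CLEAN = """\
# constructed sample
auth       required     pam_env.so
auth       include      common-auth
account    required     pam_nologin.so
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
"""

# The same file with two constructed additions of the kind the article warns about.
SAMPLE_SSHD_TAMPERED = SAMPLE_SSHD_CLEAN + """\
auth       optional     pam_exec.so quiet /usr/local/lib/pam/unexpected.sh
auth       sufficient   /tmp/.x/pam_door.so
"""

if __name__ == "__main__":
    baseline = build_baseline({"/etc/pam.d/sshd": SAMPLE_SSHD_CLEAN})
    print(*check_baseline({"/etc/pam.d/sshd": SAMPLE_SSHD_TAMPERED}, baseline), sep="\n")
    print(*audit_entries(parse_pam_config(SAMPLE_SSHD_TAMPERED)), sep="\n")
```

In production, feed `build_baseline` the real contents of every file under /etc/pam.d (and /etc/pam.conf where used) from a known-good state, store the digests off-host, and run `check_baseline` plus `audit_entries` on a schedule; a PAM module that tampers with authentication logs cannot rewrite a baseline it never sees. The `include`/`substack` skip matters because those entries name another config file, not a shared object, and the allowlist deliberately treats any module name it has not seen as a finding rather than silently accepting it.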
Open questions
- Whether PamDOORa has been observed in any actual compromises or attack campaigns.
- The specific technical indicators of compromise (IOCs) that would allow detection of PamDOORa on live systems.
- Whether the price reduction from $1,600 to $900 indicates failed sales or a strategic effort to accelerate market penetration.
- The distribution mechanisms and initial access vectors adversaries would use to deploy PamDOORa (root access is a prerequisite, but the attack chain leading to root is not documented).
- Whether hardened PAM configurations or existing endpoint detection tools can reliably surface PamDOORa activity.
Source
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials