New ‘Plague’ Malware Evades Detection for a Year, Hijacks Linux SSH Authentication

Aug 5, 2025 | News


A newly uncovered Linux backdoor named Plague has been operating stealthily for over a year, providing attackers with persistent SSH access and the ability to bypass authentication mechanisms on infected systems.

PAM-Based Malware With Deep Integration

Discovered by researchers at Nextron Systems, Plague is a malicious Pluggable Authentication Module (PAM) that integrates directly into the system’s authentication stack. This deep integration allows it to survive updates and evade traditional detection techniques.

Once deployed, the malware enables attackers to authenticate using hardcoded credentials and gain root-level access through SSH without triggering standard access controls.
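Because a PAM backdoor works by being listed in the authentication stack, one defender-side check is to inventory what pam.d-style configuration actually loads. The script below is an added example, not code from the article or from Nextron; the sample configuration, the baseline set and the module name pam_plague_like.so are constructed for illustration.

```python
import re

# Constructed sample pam.d-style files (not real system files); the
# absolute-path entry stands in for an out-of-tree module like Plague.
SAMPLE_PAM_D = {
    "sshd": (
        "#%PAM-1.0\n"
        "auth       required     pam_env.so\n"
        "auth       [success=1 default=ignore] pam_unix.so nullok\n"
        "auth       required     /usr/lib/security/pam_plague_like.so\n"
        "@include common-account\n"
    ),
    "common-account": "account    required     pam_unix.so\n",
}

# Constructed baseline: module file names your package manager accounts for.
BASELINE = {"pam_env.so", "pam_unix.so"}

def parse_pam_file(text):
    """Return (includes, modules) for one pam.d file. Lines are
    '<type> <control> <module> [args]'; the control field may be bracketed."""
    includes, modules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            includes.append(line.split(None, 1)[1].strip())
            continue
        # collapse "[success=1 default=ignore]" into one token before splitting
        parts = re.sub(r"\[[^\]]*\]", "[ctl]", line).split()
        if len(parts) >= 3:
            modules.append(parts[2])
    return includes, modules

def inventory(files, start):
    """Collect every module reachable from `start`, following @include."""
    seen, todo, modules = set(), [start], set()
    while todo:
        name = todo.pop()
        if name in seen or name not in files:
            continue
        seen.add(name)
        incs, mods = parse_pam_file(files[name])
        todo.extend(incs)
        modules.update(mods)
    return modules

def unexpected_modules(modules, baseline):
    """Flag modules given by absolute path or absent from the baseline."""
    return sorted(m for m in modules
                  if m.startswith("/") or m.split("/")[-1] not in baseline)

if __name__ == "__main__":
    for m in unexpected_modules(inventory(SAMPLE_PAM_D, "sshd"), BASELINE):
        print("review:", m)
```

On a live host, replace SAMPLE_PAM_D with the contents of /etc/pam.d and derive BASELINE from the package manager's file lists; anything flagged deserves a hash comparison against the distribution's package.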

Stealth Through Environment Tampering

One of Plague’s most effective features is its ability to erase all signs of an attacker’s presence:

  • Unsets environment variables such as SSH_CONNECTION and SSH_CLIENT
  • Redirects HISTFILE to /dev/null, preventing shell command logging
  • Cleans up session metadata and runtime artifacts, leaving no digital trace

This makes incident response and forensic investigation extremely difficult, even on closely monitored systems.


Anti-Analysis and Obfuscation Techniques

Plague uses several techniques to block analysis and reverse engineering:

  • String obfuscation to evade detection by signature-based tools
  • Anti-debugging mechanisms to crash or evade dynamic analysis
  • Layered code obfuscation and indirect execution paths

These features allow the malware to operate in stealth, even under scrutiny.

Multiple Variants, Zero Detection

According to Nextron, multiple Plague samples have been uploaded to VirusTotal over the past year—none of which have been flagged as malicious by antivirus engines.

Artifacts left behind during compilation reveal use of different GCC versions across multiple Linux distributions, suggesting active development and wide deployment across environments.

A Threat to Core Linux Infrastructure

“Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces,” said Nextron researcher Pierre-Henri Pezier.

Its exploitation of core authentication infrastructure, combined with advanced evasion techniques, positions Plague as a serious threat to Linux environments, especially in enterprise or cloud infrastructure where PAM modules are standard.




Not the First PAM-Based Threat

In May, Nextron also discovered another malware strain that exploited the flexibility of Linux’s PAM system. That earlier variant similarly allowed credential theft, authentication bypass, and stealthy persistence.

Plague builds on those capabilities and introduces greater obfuscation, automation, and environmental sanitization, marking an evolution in Linux backdoor tactics.


Source: bleepingcomputer.com
