
A new backdoor called ‘Plague’ has emerged that compromises critical Linux systems, allowing for covert theft of credentials.

Cybersecurity researchers have identified a previously undocumented Linux backdoor known as Plague, which has successfully evaded detection for over a year. This malicious implant functions as a Pluggable Authentication Module (PAM), allowing attackers to silently bypass system authentication and maintain persistent SSH access. Pluggable Authentication Modules are a suite of shared libraries that manage user authentication for applications and services in Linux and UNIX-based systems. Since July 29, 2024, multiple Plague artifacts have been uploaded to VirusTotal, with none flagged as malicious by antimalware engines. The presence of several samples indicates ongoing development by the unknown threat actors behind this malware.

Plague features several alarming capabilities, including static credentials for covert access, resistance to analysis and reverse engineering through anti-debugging and string obfuscation, and enhanced stealth by erasing evidence of SSH sessions. It erases that evidence by unsetting environment variables such as SSH_CONNECTION and SSH_CLIENT and by redirecting HISTFILE to /dev/null so that shell commands are never logged, leaving no audit trail. According to Nextron Systems researcher Pierre-Henri Pezier, Plague integrates deeply into the authentication stack, survives system updates, and leaves minimal forensic traces. The combination of layered obfuscation and environment tampering makes it exceptionally difficult to detect using traditional security tools.
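Because the implant loads as a PAM module and tampers with the session environment, two defender-side checks follow directly from the article: audit which module files the PAM configuration actually references against a known-good baseline, and flag shells that show the HISTFILE/SSH_* tampering described above. The example below is added here and is not code from the article or from Nextron; the baseline set, the sample /etc/pam.d/sshd text, and the module name pam_example_unknown.so are constructed placeholders.

```python
import re

# Constructed baseline of expected module basenames; build it from package manifests in practice.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_systemd.so", "pam_loginuid.so", "pam_selinux.so",
}

# PAM rule syntax: [-]type  control | [bracketed control]  module-path  [args]
PAM_RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_config(text):
    """Return (type, control, module_path, args) per rule; joins continuations, drops comments/@include."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_RULE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype, control, module, args or ""))
    return rules

def unexpected_modules(text, baseline=BASELINE_MODULES):
    """Module basenames the config loads that the baseline does not list (candidates for review)."""
    found = {rule[2].rsplit("/", 1)[-1] for rule in parse_pam_config(text)}
    return found - baseline

def env_tampering_indicators(env, spawned_by_sshd):
    """Flag the tampering the article describes: HISTFILE pointed at /dev/null, or an
    sshd-spawned shell whose SSH_CONNECTION / SSH_CLIENT variables have been unset."""
    hits = []
    if env.get("HISTFILE") == "/dev/null":
        hits.append("HISTFILE=/dev/null")
    if spawned_by_sshd:
        hits += [f"missing {v}" for v in ("SSH_CONNECTION", "SSH_CLIENT") if v not in env]
    return hits

# Constructed sample resembling /etc/pam.d/sshd; the last rule uses a placeholder module name.
SAMPLE_SSHD_PAM = """\
@include common-auth
auth       required     pam_nologin.so
-session   optional     pam_systemd.so
session    required     pam_loginuid.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] \\
           pam_selinux.so open
auth       optional     /lib/security/pam_example_unknown.so  # constructed, not in baseline
"""
```

Run it against the real files with `unexpected_modules(open(path).read())` for each entry in /etc/pam.d and against `/proc/<pid>/environ` of shells whose parent is sshd; a module outside the baseline or a shell missing its SSH_* variables is what to escalate.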
