
A new malware strain that no antivirus engine currently detects is targeting Linux servers to establish lasting SSH access.

A Linux backdoor known as Plague has emerged as a significant threat to enterprise environments. It evades detection by every major antivirus engine while establishing persistent SSH access by manipulating a core authentication mechanism, Pluggable Authentication Modules (PAM). Discovered by researchers at Nextron Systems, the malware installs itself as a PAM module, which gives it both stealth and system-level persistence and marks a notable shift in how Linux systems are being targeted.

Its most alarming characteristic is how completely it slips past traditional security controls. Several variants have been uploaded to VirusTotal over the past year, and not one antivirus engine flagged any of them as malicious: a 0/66 detection rate. This evasion stems from where the malware lives. It runs as what looks like a legitimate PAM module inside Linux's authentication stack, loaded by trusted services rather than running as a separate, suspicious process, and from that position it subverts the very controls that are meant to verify users.

Plague combines layered obfuscation with system-level manipulation. Its string obfuscation has evolved from simple XOR encoding to multi-stage schemes built from a Key Scheduling Algorithm (KSA) and a Pseudo-Random Generation Algorithm (PRGA), the two phases of an RC4-style stream cipher, followed by a Deterministic Random Bit Generator (DRBG) layer. This progression shows the operators actively reworking the malware to stay ahead of analysis tooling.

Its anti-debugging checks verify that the binary is running under its expected filename, libselinux.so.8, and that no library preload mechanism (the LD_PRELOAD environment variable, or ld.so.preload) is in effect. Both checks target sandboxes and debuggers, which commonly rename samples or use preloading to hook and trace them. Note that the legitimate SELinux library is libselinux.so.1 and does not live in a PAM module directory, so a file named libselinux.so.8 referenced from a PAM configuration is itself a strong indicator.

PAM's modular architecture is what makes the persistence work: the framework dynamically loads whatever shared libraries the service configuration files in /etc/pam.d/ name, and a module's pam_sm_authenticate() function is the hook that decides whether a user's credentials are accepted. By masquerading as a legitimate module and implementing that function, Plague inserts itself directly into the credential check for services such as SSH.
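The practical consequence of the PAM loading model above is that the set of modules a service will load is fully determined by /etc/pam.d, so a defender can enumerate them and compare against what the package manager installed. The script below is an added example, not code from the article or from Nextron Systems: it parses pam.d service files the way libpam's config reader does (comments, backslash continuations, bracketed control fields, include/substack and Debian's @include), collects every module name that would be loaded, and flags names that no package owns or that match the filename the article attributes to the sample. The module directories, the dpkg/rpm ownership check and the sample configuration are assumptions and constructed input, labelled as such in the code.

```python
import os
import shutil
import subprocess

PAM_TYPES = {"auth", "account", "password", "session"}

# Assumption: module directories used by common distributions; adjust per platform.
PAM_MODULE_DIRS = [
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
]

# Filename the article says the Plague sample expects to run under. The real
# SELinux library is libselinux.so.1 and does not live in a PAM module directory.
SUSPICIOUS_NAMES = {"libselinux.so.8"}

# Constructed sample input (not from a real host): sshd pulls in common-auth,
# which carries one module the package manager would not know about.
SAMPLE_CONFIGS = {
    "sshd": "# constructed\n@include common-auth\naccount required pam_nologin.so\n"
            "-session optional pam_systemd.so\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok \\\n"
                   "    try_first_pass\nauth requisite pam_deny.so\n"
                   "auth optional libselinux.so.8\n",
}
SAMPLE_BASELINE = {"pam_nologin.so", "pam_systemd.so", "pam_unix.so", "pam_deny.so"}


def _logical_lines(text):
    """Yield pam.d lines with '#' comments stripped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line
    if buf.strip():
        yield buf.strip()


def parse_pam_config(text):
    """Return (type, control, module, args) tuples for one pam.d file body.

    Handles the optional '-' prefix on the type and bracketed control fields
    such as [success=1 default=ignore]. For include/substack/@include lines,
    `module` holds the referenced service name instead of a shared object.
    """
    entries = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "@include" and len(tokens) > 1:
            entries.append(("*", "include", tokens[1], []))
            continue
        mtype = tokens[0].lstrip("-")
        if mtype not in PAM_TYPES or len(tokens) < 3:
            continue
        i, control = 1, tokens[1]
        while control.startswith("[") and not tokens[i].endswith("]") and i + 1 < len(tokens):
            i += 1
            control += " " + tokens[i]
        if i + 1 >= len(tokens):
            continue
        entries.append((mtype, control, tokens[i + 1], tokens[i + 2:]))
    return entries


def referenced_modules(configs, service, _seen=None):
    """Basenames of every module loaded for `service`, following includes (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if service in seen or service not in configs:
        return set()
    seen.add(service)
    modules = set()
    for _type, control, module, _args in parse_pam_config(configs[service]):
        if control in ("include", "substack"):
            modules |= referenced_modules(configs, module, seen)
        else:
            modules.add(os.path.basename(module))
    return modules


def audit(modules, baseline):
    """Return (unknown, suspicious): modules outside the baseline, and known-bad names."""
    return {m for m in modules if m not in baseline}, {m for m in modules if m in SUSPICIOUS_NAMES}


def package_owned_baseline(dirs=PAM_MODULE_DIRS):
    """Basenames of on-disk modules that dpkg -S or rpm -qf attributes to a package.

    Hygiene only: an intruder who also edits the package database defeats it,
    so pair this with `dpkg -V` / `rpm -Va` and a file-integrity baseline.
    """
    owner_cmd = ["dpkg", "-S"] if shutil.which("dpkg") else ["rpm", "-qf"] if shutil.which("rpm") else None
    owned = set()
    for d in (dirs if owner_cmd else []):
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if subprocess.run(owner_cmd + [os.path.join(d, name)], capture_output=True).returncode == 0:
                owned.add(name)
    return owned


def load_pam_d(path="/etc/pam.d"):
    """Read every service file under `path` into a {service: text} mapping."""
    configs = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                configs[name] = fh.read()
    return configs


if __name__ == "__main__":
    live = os.path.isdir("/etc/pam.d")
    configs = load_pam_d() if live else SAMPLE_CONFIGS
    baseline = package_owned_baseline() if live else SAMPLE_BASELINE
    referenced = set().union(*(referenced_modules(configs, s) for s in configs))
    unknown, suspicious = audit(referenced, baseline)
    for m in sorted(unknown):
        print("UNKNOWN    module not owned by any package:", m)
    for m in sorted(suspicious):
        print("SUSPICIOUS known-bad filename referenced: ", m)
```

Run it as root on the host under review; on the constructed sample it reports libselinux.so.8 as both unknown and suspicious. The ownership baseline deliberately refuses to trust anything the package manager cannot attribute, which is the right default for a directory where every file is code that runs inside sshd, login and sudo at authentication time.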
