Flare.io details PamDOORa PAM backdoor for persistent SSH access

CyberSecureFox Editorial Team

Researchers at Flare.io have disclosed details of a new Linux backdoor called PamDOORa, which is reportedly being sold on the Russian-language cybercrime forum Rehub by an actor using the alias darkworm. The tool is a post-exploitation toolkit based on Pluggable Authentication Modules (PAM), providing stealthy persistent access to compromised servers via OpenSSH. The backdoor targets x86_64 Linux systems and is said to be capable of intercepting the credentials of all legitimate users who authenticate on an infected machine. At the time of writing, there is no evidence of PamDOORa being used in real-world attacks, but its functionality merits the attention of Linux system administrators.

Operating mechanism and technical characteristics

PAM is a security framework in Unix/Linux that allows administrators to plug in various authentication mechanisms (passwords, biometrics, tokens) through a modular architecture without having to rewrite existing applications. A key characteristic is that PAM modules are typically executed with root privileges, which makes any compromised or malicious module critically dangerous.

According to Flare.io researcher Assaf Morag, PamDOORa implements several interrelated mechanisms:

  • Access via a “magic password” — the backdoor enables a hidden login when a specific combination of password and TCP port is used, bypassing standard authentication;
  • Credential interception — via PAM hooks, the tool collects passwords of all users who successfully authenticate legitimately on the server;
  • Anti-forensics — PamDOORa deliberately modifies authentication logs, removing traces of malicious activity;
  • Anti-debugging — built-in mechanisms to hinder analysis;
  • Network triggers — activation based on specific network conditions;
  • Build pipeline — the presence of a builder for generating modules tailored to specific targets.

It is important to consider the context highlighted earlier by Group-IB in September 2024: PAM does not store passwords but passes values in cleartext between modules. The pam_exec module, intended for executing external commands, can be abused by an attacker to inject malicious scripts into PAM configuration files, enabling them to obtain a privileged shell and establish stealthy persistence in the system.

Market context

Reportedly, the initial price of PamDOORa was $1,600 (listing dated 17 March 2026). By 9 April, the actor darkworm had reduced the price by almost 50% — down to $900. Such a reduction may indicate a lack of buyer interest or an attempt to speed up the sale.

In Morag’s assessment, PamDOORa represents an evolution compared to existing open-source PAM backdoors. Although each of the techniques it uses is well documented on its own, their integration into a single modular implant with anti-debugging, network triggers and a build pipeline brings the tool closer to the level of operator-grade malware — in contrast to the crude proof-of-concept scripts found in public repositories.

The intended use case assumes that an attacker first obtains root access to a host by some other means and then deploys PamDOORa to intercept credentials and establish persistent access via SSH.

Impact assessment

The highest risk is to organizations running Linux servers with OpenSSH authentication via PAM — that is, the vast majority of server-side Linux infrastructures. PamDOORa is particularly dangerous for:

  • Servers with direct SSH access from the internet;
  • Infrastructures where integrity monitoring for PAM modules is not configured;
  • Environments where compromise of a single server can lead to lateral movement thanks to stolen credentials.

The tool’s anti-forensic capabilities exacerbate the situation: modifying authentication logs makes it harder to detect compromise using standard log analysis methods.

Protection recommendations

Since PamDOORa requires prior acquisition of root access, defense should be implemented on multiple layers:

  • PAM module integrity monitoring: configure file change monitoring for the directories /lib/security/, /lib64/security/ and for configuration files in /etc/pam.d/ using tools such as AIDE, OSSEC or Tripwire;
  • pam_exec audit: review PAM configurations for pam_exec invocations that run non-standard scripts — the command grep -r "pam_exec" /etc/pam.d/ will help identify suspicious entries;
  • Privileged access control: minimize the number of accounts with root privileges and use multi-factor authentication for SSH;
  • Centralized log collection: send authentication logs to a separate secured server to neutralize local log tampering;
  • Network segmentation: restrict SSH access by IP addresses and use jump hosts to reduce the attack surface;
  • Hash verification: periodically compare checksums of PAM libraries with reference values from distribution packages — using rpm -V pam (for RPM-based systems) or debsums libpam-modules (for Debian/Ubuntu).
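The two file-level checks above (auditing /etc/pam.d for pam_exec entries and verifying PAM library checksums) can be scripted; the following is an added example, not tooling from Flare.io or the article. It assumes GNU coreutils (sha256sum) and takes directories as arguments so it can be run against a test copy as well as the live /etc/pam.d and module directories.

```shell
#!/bin/sh
# Added example (not code from the article): a small POSIX shell audit for
# PAM configuration and module integrity. Assumes GNU coreutils sha256sum.

# Print every active (non-commented) pam_exec line in a PAM config
# directory as "file:line:content". Review each hit: an entry that runs a
# script outside the distribution's packaged paths deserves scrutiny.
audit_pam_exec() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -nE '^[^#]*pam_exec\.so' "$f" | sed "s|^|$f:|"
    done
}

# Record a SHA-256 baseline (one "hash  path" line per regular file) for
# the given directories, e.g. /lib/security /lib64/security /etc/pam.d.
# Keep the baseline off-host: an on-host copy can be tampered with too.
pam_baseline() {
    out="$1"; shift
    : > "$out"
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -exec sha256sum {} + >> "$out"
    done
}

# Verify current files against the baseline. Prints only mismatches
# ("path: FAILED") and returns non-zero if any file changed or vanished.
pam_verify() {
    sha256sum -c --quiet "$1"
}

# Usage on a live host (run as root; adjust paths for your distribution):
#   pam_baseline /root/pam.sha256 /lib/security /lib64/security /etc/pam.d
#   audit_pam_exec /etc/pam.d
#   pam_verify /root/pam.sha256
```

Run pam_baseline on a freshly installed or freshly verified host (after rpm -V pam or debsums libpam-modules reports clean), and schedule pam_verify so that a FAILED line raises an alert on the central log server rather than only locally.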

Despite the lack of confirmed cases of PamDOORa being used in real-world attacks, the very fact that a commercial tool of this level has appeared on the cybercrime market signals growing interest in attacks on the Linux authentication stack. The top priority for administrators is to implement PAM module integrity monitoring and centralized collection of authentication logs if this has not yet been done. These measures are effective not only against PamDOORa but against any attacks that exploit the modular architecture of PAM.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
