Last updated: May 13, 2026 at 5:42 AM UTC
Tag: pam (1 article)

New Linux backdoor 'PamDOORa' silently steals SSH credentials from every user logging into a compromised server - and erases its tracks from the logs

Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.

Check
Audit /etc/pam.d/ for unfamiliar pam_*.so modules, particularly pam_linux.so. Compare loaded PAM modules against your distribution's default set. Hunt /tmp for files with random names containing XOR-encrypted credential captures.
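A script that performs the first two checks above, added here as an illustration rather than as Group-IB's or Flare's own tooling: it lists every pam_*.so referenced under a pam.d directory and flags any that neither dpkg nor rpm claims ownership of. It assumes a Debian- or RPM-based host with modules under the usual /lib, /lib64 or /usr/lib paths; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the article): enumerate the PAM modules referenced
# under a pam.d directory and flag any not accounted for by package ownership.

# Print the sorted, unique set of pam_*.so modules referenced by the config
# files in $1 (normally /etc/pam.d); comments are stripped first.
pam_modules_in_dir() {
    sed -e 's/#.*//' "$1"/* 2>/dev/null \
        | grep -oE 'pam_[A-Za-z0-9_.-]+\.so' | sort -u
}

# Print each referenced module that is missing from the allowlist file $2
# (one module filename per line). Returns 1 if anything was printed.
unexpected_modules() {
    rc=0
    for mod in $(pam_modules_in_dir "$1"); do
        grep -qxF "$mod" "$2" || { echo "$mod"; rc=1; }
    done
    return $rc
}

# Build an allowlist from a live host: a referenced module counts as expected
# only if a copy exists in a standard library path AND dpkg or rpm owns it.
owned_modules() {
    for mod in $(pam_modules_in_dir "$1"); do
        for path in $(find /lib /lib64 /usr/lib /usr/lib64 -name "$mod" 2>/dev/null); do
            if dpkg -S "$path" >/dev/null 2>&1 || rpm -qf "$path" >/dev/null 2>&1; then
                echo "$mod"
                break
            fi
        done
    done
}

# Live scan: sh pam_audit.sh --scan   (run as root; needs dpkg or rpm)
if [ "${1:-}" = "--scan" ]; then
    allow=$(mktemp)
    owned_modules /etc/pam.d > "$allow"
    if unexpected_modules /etc/pam.d "$allow"; then
        echo "all modules referenced in /etc/pam.d are owned by an installed package"
    else
        echo "WARNING: modules listed above are referenced but not owned by any package"
    fi
    rm -f "$allow"
fi
```

A module dropped in as an unowned file is caught, but an owned file modified in place is not, so pair this with `dpkg -V` or `rpm -Va` on the PAM packages.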
Affected
All x86_64 Linux servers running OpenSSH for remote access. PamDOORa is post-exploitation, so attackers must already have root - but once installed it captures every SSH credential and persists invisibly. Acute risk: any Linux server compromised at any point in the past, regardless of remediation - PamDOORa survives standard cleanup unless PAM-specific auditing was performed.
Fix
Enable SELinux or AppArmor in enforcing mode to constrain PAM module loading. Install Auditd with DISA-STIG rules to alert on /etc/pam.d/ changes. Deploy rkhunter or chkrootkit for routine PAM rootkit detection. Treat any compromised Linux server as having fully exposed credentials - rotate every SSH key, password, and token.