ctipilot.ch · Switzerland · Europe · Public sector

PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub

tool · research:pamdoora-pam-backdoor-2026

  • Coverage timeline: 1 (first 2026-05-09 → last 2026-05-09)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-09 · CTI Daily Brief — 2026-05-09
    research · First coverage. Separate pam_linux.so install avoiding lsmod/PAM config detection. Magic-password SSH bypass, XOR-encrypted credential dump to /tmp, lastlog/btmp/utmp/wtmp scrubbing. Vendor darkworm, $900 source code. Medium-to-high technical credibility.

Where this entity is cited

  • research: 1

Source distribution

  • flare.io: 1 (50%)
  • thehackernews.com: 1 (50%)

Items in briefs about PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub (1)

PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum

From CTI Daily Brief — 2026-05-09 · published 2026-05-10

Flare researcher Assaf Morag documented PamDOORa, a Linux post-exploitation backdoor implemented as a malicious Pluggable Authentication Module targeting x86_64 systems, offered for sale on the Rehub Russian-language cybercrime forum (Flare.io, 2026-05-07 · The Hacker News, 2026-05-08). Rather than replacing pam_unix.so (which would be immediately visible in lsmod output and PAM stack configuration), PamDOORa installs a separate pam_linux.so module, gaining privileged insertion into the authentication pipeline without triggering obvious tampering indicators. Capabilities: (1) SSH access via a magic-password and specific TCP port combination, bypassing standard credential validation; (2) credential harvesting — all cleartext passwords submitted by legitimate users authenticating through the system are XOR-encrypted and written to a dynamically-named file in /tmp; (3) anti-forensic log manipulation — lastlog, btmp, utmp, and wtmp are scrubbed to remove the attacker's authentication events. The vendor ("darkworm") listed it at $1,600 USD for source code, later reduced to $900, suggesting limited uptake. A prior PAM backdoor family (Plague, 2025) is the only other public comparator. Flare rates the seller's technical credibility as medium-to-high based on cross-forum persona analysis.

Detection concepts: diff /etc/pam.d/sshd (and all files under /etc/pam.d/) against a known-good baseline; audit for unexpected .so files in /lib/security/ or /usr/lib64/security/; monitor for SSH logins that produce no corresponding pam_unix syslog entries; alert on /tmp files with high-entropy filenames created at authentication time. The Sysmon Linux equivalent (auditd rules) should cover openat syscalls on PAM configuration files and write syscalls to /lib*/security/.
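A worked implementation of the third detection concept above (SSH logins that leave no pam_unix syslog entry), added here as an example; it is not code from Flare, The Hacker News or the brief. It assumes stock OpenSSH and pam_unix log formats and that the "Accepted" line and the "session opened" line carry the same sshd PID, and it runs over a constructed auth.log excerpt:

```python
import re

# Constructed sample auth.log excerpt (not from the report). The root login at
# 10:07:45 has an "Accepted" line but no pam_unix session line, which is the
# pattern this check flags.
SAMPLE_AUTH_LOG = """\
May  9 10:01:12 host sshd[2210]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
May  9 10:01:12 host sshd[2210]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
May  9 10:07:45 host sshd[2388]: Accepted password for root from 203.0.113.9 port 40211 ssh2
May  9 10:09:02 host sshd[2401]: Accepted publickey for bob from 10.0.0.7 port 51300 ssh2: ED25519 SHA256:AAAA
May  9 10:09:02 host sshd[2401]: pam_unix(sshd:session): session opened for user bob(uid=1002) by (uid=0)
"""

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>[^\s(]+)"
)


def find_logins_without_pam_session(log_text: str) -> list[dict]:
    """Return sshd 'Accepted' logins with no matching pam_unix session line.

    Assumption: on a stock OpenSSH/pam_unix setup both lines are written by the
    same privileged sshd process, so (pid, user) is the correlation key.
    """
    sessions = set()
    accepted = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.add((m["pid"], m["user"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groupdict())
    # Any accepted login that never produced a pam_unix session line is suspect
    return [a for a in accepted if (a["pid"], a["user"]) not in sessions]


if __name__ == "__main__":
    for hit in find_logins_without_pam_session(SAMPLE_AUTH_LOG):
        print(f"ALERT: {hit['user']} from {hit['ip']}:{hit['port']} "
              f"(sshd pid {hit['pid']}, {hit['method']}) has no pam_unix session entry")
```

Because the brief also reports wtmp/btmp scrubbing, treat the syslog stream (ideally forwarded off-host) as the source of truth here rather than `last` output.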