Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
Summary
Hide ▲
Show ▼
darkworm lowered the price of PamDOORa on the Rehub Russian cybercrime forum, signaling a push to monetize an operator-grade Linux backdoor and widen its underground appeal. The drop from $1,600 to $900 suggests either weak buyer interest or pressure to complete the sale. That matters because the listing turns a PAM-based credential-stealing implant into a commercial malware offering with clearer market intent.
Related Happenings
Organization hit by network compromise linked to Velvet Ant
Incident
H score35
First: 13.06.2026 17:06
Last: 13.06.2026 17:06
Sources 1
About this happening:
A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Organization hit by network compromise linked to Velvet Ant
IncidentAbout this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Velvet Ant Linux login-layer persistence campaign
Campaign
H score41
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
About this happening:
A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Velvet Ant Linux login-layer persistence campaign
CampaignAbout this happening: A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical Analysis
H score32
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
About this happening:
Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...
Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical AnalysisAbout this happening: Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...
PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
H score27
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
How related:
The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system.
About this happening:
The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...
PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware ActivityHow related: The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system.
About this happening: The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
H score37
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
**Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor MetaAbout this happening: **Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Timeline
-
08.05.2026 11:41 1 articles · 2mo ago
darkworm advertises PamDOORa for $1,600
Initial Disclosuredarkworm advertises PamDOORa on the Rehub Russian cybercrime forum at an initial asking price of $1,600, putting the Linux PAM-based backdoor up for underground sale.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 2 articles · 2mo ago
darkworm cuts PamDOORa to $900
Campaign Scope UpdateBy April 9, 2026, darkworm has reduced the PamDOORa asking price on the Rehub Russian cybercrime forum to $900, nearly half the original price and a clear commercialization update.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 1 articles · 2mo ago
Flare.io details PamDOORa's credential theft and log tampering
Technical Analysis UpdateFlare.io researcher Assaf Morag describes PamDOORa as a new PAM-based backdoor for OpenSSH on Linux x86_64 that enables persistent SSH access with a magic password and specific TCP port combination, harvests credentials from legitimate users, and tampers with authentication logs to hide activity.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41