Find notable cyber news and cases, enriched with sources, timelines, and signals.

Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling

Threat Actor Meta
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

darkworm lowered the price of PamDOORa on the Rehub Russian cybercrime forum, signaling a push to monetize an operator-grade Linux backdoor and widen its underground appeal. The drop from $1,600 to $900 suggests either weak buyer interest or pressure to complete the sale. That matters because the listing turns a PAM-based credential-stealing implant into a commercial malware offering with clearer market intent.

Related Happenings

Organization hit by network compromise linked to Velvet Ant

Incident
H score35 First: 13.06.2026 17:06 Last: 13.06.2026 17:06 Sources 1

About this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...

Velvet Ant Linux login-layer persistence campaign

Campaign
H score41 First: 12.06.2026 21:17 Last: 12.06.2026 21:17 Sources 1

About this happening: A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...

Velvet Ant Linux PAM and OpenSSH backdoor analysis

Technical Analysis
H score32 First: 12.06.2026 21:17 Last: 12.06.2026 21:17 Sources 1

About this happening: Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...

PamDOORa Linux backdoor with persistent SSH access and credential theft

Malware Activity
H score27 First: 08.05.2026 11:41 Last: 08.05.2026 11:41 Sources 1

How related: The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system.

About this happening: The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...

Phantom Project's subscription-based cybercrime toolkit model

Threat Actor Meta
H score37 First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

About this happening: **Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...

Timeline

  1. 08.05.2026 11:41 2 articles · 2mo ago

    darkworm cuts PamDOORa to $900

    Campaign Scope Update

    By April 9, 2026, darkworm has reduced the PamDOORa asking price on the Rehub Russian cybercrime forum to $900, nearly half the original price and a clear commercialization update.

    Show sources
  2. 08.05.2026 11:41 1 articles · 2mo ago

    Flare.io details PamDOORa's credential theft and log tampering

    Technical Analysis Update

    Flare.io researcher Assaf Morag describes PamDOORa as a new PAM-based backdoor for OpenSSH on Linux x86_64 that enables persistent SSH access with a magic password and specific TCP port combination, harvests credentials from legitimate users, and tampers with authentication logs to hide activity.

    Show sources