Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
Summary
darkworm lowered the price of PamDOORa on the Rehub Russian cybercrime forum, signaling a push to monetize an operator-grade Linux backdoor and widen its underground appeal. The drop from $1,600 to $900 suggests either weak buyer interest or pressure to complete the sale. That matters because the listing turns a PAM-based credential-stealing implant into a commercial malware offering with clearer market intent.
Related Happenings
PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
How related:
The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system.
About this happening:
The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
**Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Timeline
- 08.05.2026 11:41 · 1 article · 19d ago
darkworm advertises PamDOORa for $1,600
Initial Disclosure: darkworm advertises PamDOORa on the Rehub Russian cybercrime forum at an initial asking price of $1,600, putting the Linux PAM-based backdoor up for underground sale.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- 08.05.2026 11:41 · 2 articles · 19d ago
darkworm cuts PamDOORa to $900
Campaign Scope Update: By April 9, 2026, darkworm has reduced the PamDOORa asking price on the Rehub Russian cybercrime forum to $900, nearly half the original price and a clear commercialization update.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- 08.05.2026 11:41 · 1 article · 19d ago
Flare.io details PamDOORa's credential theft and log tampering
Technical Analysis Update: Flare.io researcher Assaf Morag describes PamDOORa as a new PAM-based backdoor for OpenSSH on Linux x86_64 that enables persistent SSH access with a magic password and specific TCP port combination, harvests credentials from legitimate users, and tampers with authentication logs to hide activity.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41