CyberHappenings

Linux PAM-based backdoor PamDOORa advertised on cybercrime forum with credential harvesting and anti-forensic features

1 unique source, 1 article

Summary


A new Linux backdoor named PamDOORa has been advertised on the Rehub Russian cybercrime forum by the threat actor "darkworm" for $900–$1,600, enabling persistent SSH access via a magic password and TCP port combination and credential harvesting from users authenticating on compromised systems. The malware operates as a Pluggable Authentication Module (PAM) post-exploitation toolkit that manipulates PAM to grant unauthorized access and stealthily persist on x86_64 Linux systems. It includes anti-forensic capabilities to tamper with authentication logs and erase traces of activity.

Timeline

  1. 08.05.2026 11:41 · 1 article

    PamDOORa PAM module Linux backdoor advertised with credential theft and anti-forensic features

    A PAM-based Linux backdoor named PamDOORa was advertised on a Russian cybercrime forum by the actor "darkworm" for $900–$1,600. The malware enables persistent SSH access via a magic password and specific TCP port, captures user credentials, and includes anti-forensic capabilities to tamper with authentication logs. It is marketed as a post-exploitation toolkit for x86_64 Linux systems and is described as more advanced than prior open-source PAM backdoors.


Information Snippets

  • PamDOORa is a PAM-based Linux backdoor sold on the Rehub cybercrime forum by the actor "darkworm" at an initial price of $1,600 on March 17, 2026, later reduced to $900 by April 9, 2026.

    First reported: 08.05.2026 11:41
    1 source, 1 article
  • The backdoor enables persistent SSH access via a hardcoded "magic password" and specific TCP port combination, allowing threat actors to bypass standard authentication mechanisms and maintain access.

  • PamDOORa captures credentials from all legitimate users authenticating via OpenSSH on compromised systems and stores them for future use.

  • The malware incorporates anti-forensic capabilities to tamper with authentication logs, removing traces of malicious PAM module usage and SSH access events.

  • Infection likely requires initial root compromise to deploy the PAM module, which then hooks into the authentication stack to capture credentials and enable persistence.

  • PamDOORa is described as an evolution over prior open-source PAM backdoors, integrating anti-debugging, network-aware triggers, and a builder pipeline reminiscent of operator-grade tooling.

  • PAM modules run with root privileges, so a misconfigured or malicious module can introduce significant security risks, including credential theft and unauthorized access.

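A defender-side check for the two points above (a deployed PAM module hooks into the authentication stack, and PAM modules run as root): compare the modules a PAM service file references against a package-derived baseline and rank any unexpected `sufficient` entry in the auth stack highest. This is an added example, not code from the article or from any vendor; the PAM text, the allowlist and the module name `pam_example_extra.so` are constructed.

```python
"""Baseline check for modules referenced by a PAM service file. Added example,
not from the article; the PAM text, allowlist and pam_example_extra.so are constructed."""
import re
from pathlib import Path

# Constructed sample in /etc/pam.d/<service> syntax; a hypothetical 'sufficient'
# auth module is planted so the check has something to flag.
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       sufficient   pam_example_extra.so   # hypothetical, not in baseline
auth       include      postlogin
account    required     pam_nologin.so
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
"""

# Constructed allowlist; in practice derive it from the installed pam packages'
# file lists and verify each module's hash against the package metadata.
BASELINE_MODULES = {"pam_sepermit.so", "pam_nologin.so", "pam_selinux.so", "pam_keyinit.so"}

RULE_RE = re.compile(
    r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

def parse_pam_rules(text):
    """Return (type, control, module, args) tuples; comments are dropped and
    include/substack lines (which name other files, not .so modules) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].rstrip())
        if not m or m.group("control") in ("include", "substack"):
            continue
        rules.append((m.group("type").lstrip("-"), m.group("control"),
                      m.group("module"), m.group("args").strip()))
    return rules

def find_unexpected_modules(text, baseline=BASELINE_MODULES):
    """Flag modules absent from the baseline. An unexpected 'sufficient' entry
    in the auth stack can grant a login on its own, so it is ranked high."""
    findings = []
    for mtype, control, module, _ in parse_pam_rules(text):
        if Path(module).name not in baseline:
            sev = "high" if mtype == "auth" and control == "sufficient" else "review"
            findings.append((sev, mtype, control, module))
    return findings
```

Calling `find_unexpected_modules(SAMPLE_PAM_SSHD)` returns one high-severity finding for the planted module; run it over each file in `/etc/pam.d/` with a baseline built from the host's own package manifests.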