PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
Summary
The PamDOORa backdoor has been disclosed as a PAM-based Linux implant that can create persistent SSH access and steal credentials, raising post-compromise risk on Linux x86_64 hosts. It uses a magic password and a specific TCP port trigger to authenticate, then captures logins from legitimate users. The malware also adds anti-forensic log tampering to hide activity. It is being marketed on a Russian cybercrime forum, but there is no evidence of real-world attacks yet.
Related Happenings
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
How related:
After an initial asking price of $1,600 on March 17, 2026, the "darkworm" persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale.
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Kalambur (aka SUMBUR) trojanized ESET installer backdoor deployment
Malware Activity
First: 06.11.2025 17:31
Last: 06.11.2025 17:31
Sources 1
About this happening:
**Kalambur (aka SUMBUR)** was delivered through a **trojanized ESET installer**, creating a **backdoor deployment** that can open remote access on victim systems. The malware used...
Timeline
-
08.05.2026 11:41 · 1 article · 19d ago
darkworm lists PamDOORa for sale
Campaign Scope Update: darkworm advertises PamDOORa on the Rehub Russian cybercrime forum for $1,600, presenting the Linux PAM-based backdoor as a post-exploitation tool for persistent SSH access and credential harvesting.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 · 1 article · 19d ago
darkworm cuts the PamDOORa price
Campaign Scope Update: darkworm reduces the PamDOORa asking price to $900 on the Rehub Russian cybercrime forum, indicating a lower sale price for the Linux backdoor tied to persistent SSH access and credential theft.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 2 articles · 19d ago
Researchers disclose PamDOORa
Initial Disclosure: Flare.io researcher Assaf Morag discloses PamDOORa as a new Linux PAM-based backdoor that enables authentication to servers via OpenSSH, uses a magic password and specific TCP port combination for persistent access, harvests credentials from legitimate users, and tampers with authentication logs; the researchers say there is no evidence of real-world attacks yet.
Sources:
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41