PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
Summary
Hide ▲
Show ▼
The PamDOORa backdoor has been disclosed as a PAM-based Linux implant that can create persistent SSH access and steal credentials, raising post-compromise risk on Linux x86_64 hosts. It uses a magic password and a specific TCP port trigger to authenticate, then captures logins from legitimate users. The malware also adds anti-forensic log tampering to hide activity. It is being marketed on a Russian cybercrime forum, but there is no evidence of real-world attacks yet.
Related Happenings
Velvet Ant Linux login-layer persistence campaign
Campaign
H score41
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
About this happening:
A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Velvet Ant Linux login-layer persistence campaign
CampaignAbout this happening: A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical Analysis
H score32
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
About this happening:
Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...
Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical AnalysisAbout this happening: Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...
SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
H score24
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
SilabRAT session-hijacking crypto-draining malware activity
Malware ActivityAbout this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
H score31
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
How related:
After an initial asking price of $1,600 on March 17, 2026, the "darkworm" persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale.
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor MetaHow related: After an initial asking price of $1,600 on March 17, 2026, the "darkworm" persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale.
About this happening: **darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Kalambur (aka SUMBUR) trojanized ESET installer backdoor deployment
Malware Activity
H score22
First: 06.11.2025 17:31
Last: 06.11.2025 17:31
Sources 1
About this happening:
**Kalambur (aka SUMBUR)** was delivered through a **trojanized ESET installer**, creating a **backdoor deployment** that can open remote access on victim systems. The malware used...
Kalambur (aka SUMBUR) trojanized ESET installer backdoor deployment
Malware ActivityAbout this happening: **Kalambur (aka SUMBUR)** was delivered through a **trojanized ESET installer**, creating a **backdoor deployment** that can open remote access on victim systems. The malware used...
Timeline
-
08.05.2026 11:41 1 articles · 2mo ago
darkworm lists PamDOORa for sale
Campaign Scope Updatedarkworm advertises PamDOORa on the Rehub Russian cybercrime forum for $1,600, presenting the Linux PAM-based backdoor as a post-exploitation tool for persistent SSH access and credential harvesting.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 1 articles · 2mo ago
darkworm cuts the PamDOORa price
Campaign Scope Updatedarkworm reduces the PamDOORa asking price to $900 on the Rehub Russian cybercrime forum, indicating a lower sale price for the Linux backdoor tied to persistent SSH access and credential theft.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
-
08.05.2026 11:41 2 articles · 2mo ago
Researchers disclose PamDOORa
Initial DisclosureFlare.io researcher Assaf Morag discloses PamDOORa as a new Linux PAM-based backdoor that enables authentication to servers via OpenSSH, uses a magic password and specific TCP port combination for persistent access, harvests credentials from legitimate users, and tampers with authentication logs; the researchers say there is no evidence of real-world attacks yet.
Show sources
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41
- New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials — thehackernews.com — 08.05.2026 11:41