Find notable cyber news and cases, enriched with sources, timelines, and signals.

PamDOORa Linux backdoor with persistent SSH access and credential theft

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

The PamDOORa backdoor has been disclosed as a PAM-based Linux implant that can create persistent SSH access and steal credentials, raising post-compromise risk on Linux x86_64 hosts. It uses a magic password and a specific TCP port trigger to authenticate, then captures logins from legitimate users. The malware also adds anti-forensic log tampering to hide activity. It is being marketed on a Russian cybercrime forum, but there is no evidence of real-world attacks yet.

Related Happenings

Velvet Ant Linux login-layer persistence campaign

Campaign
H score41 First: 12.06.2026 21:17 Last: 12.06.2026 21:17 Sources 1

About this happening: A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...

Velvet Ant Linux PAM and OpenSSH backdoor analysis

Technical Analysis
H score32 First: 12.06.2026 21:17 Last: 12.06.2026 21:17 Sources 1

About this happening: Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity
H score24 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...

Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling

Threat Actor Meta
H score31 First: 08.05.2026 11:41 Last: 08.05.2026 11:41 Sources 1

How related: After an initial asking price of $1,600 on March 17, 2026, the "darkworm" persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale.

About this happening: **darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...

Kalambur (aka SUMBUR) trojanized ESET installer backdoor deployment

Malware Activity
H score22 First: 06.11.2025 17:31 Last: 06.11.2025 17:31 Sources 1

About this happening: **Kalambur (aka SUMBUR)** was delivered through a **trojanized ESET installer**, creating a **backdoor deployment** that can open remote access on victim systems. The malware used...

Timeline

  1. 08.05.2026 11:41 1 articles · 2mo ago

    darkworm lists PamDOORa for sale

    Campaign Scope Update

    darkworm advertises PamDOORa on the Rehub Russian cybercrime forum for $1,600, presenting the Linux PAM-based backdoor as a post-exploitation tool for persistent SSH access and credential harvesting.

    Show sources
  2. 08.05.2026 11:41 1 articles · 2mo ago

    darkworm cuts the PamDOORa price

    Campaign Scope Update

    darkworm reduces the PamDOORa asking price to $900 on the Rehub Russian cybercrime forum, indicating a lower sale price for the Linux backdoor tied to persistent SSH access and credential theft.

    Show sources
  3. 08.05.2026 11:41 2 articles · 2mo ago

    Researchers disclose PamDOORa

    Initial Disclosure

    Flare.io researcher Assaf Morag discloses PamDOORa as a new Linux PAM-based backdoor that enables authentication to servers via OpenSSH, uses a magic password and specific TCP port combination for persistent access, harvests credentials from legitimate users, and tampers with authentication logs; the researchers say there is no evidence of real-world attacks yet.

    Show sources