How ‘Plague’ infiltrated Linux systems without leaving a trace

Security researchers have discovered an unusually evasive Linux backdoor, undetected even by VirusTotal, compromising systems as a malicious pluggable authentication module (PAM). Dubbed “Plague” by Nextron researchers, the stealthy backdoor lets attackers slip past authentication unnoticed and establish persistent secure shell (SSH) access.

“Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces,” the researchers said in a blog post. “Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.”

Disguising itself as a module of PAM, Linux’s trusted authentication framework, the implant gives attackers covert access. Active since July 29, 2024, it has evolved with new variants appearing as recently as March 2025, researchers added.

The payloads observed by Nextron bore compilation traces for Debian, Ubuntu, and other distributions, suggesting broader targeting across Linux environments.

Integrating into the authentication stack

Plague’s architecture allows it to deeply integrate into the system’s authentication stack, operating through a benign-looking shared library file (libselinus.so.8) while hijacking PAM functions like “pam_sm_authenticate(),” the very mechanism that verifies user credentials on login.

Once injected, Plague becomes part of the login process: a hardcoded password lets attackers through without legitimate user authentication, researchers added. Because it operates at the authentication level, no separate malware loader or persistence mechanism is needed. The backdoor is triggered whenever the PAM stack is invoked, such as through SSH or sudo.

The design of hijacking legitimate system behavior also makes Plague resistant to upgrades and difficult to detect with traditional security tools, including antivirus engines on VirusTotal.

“Although several variants of this backdoor have been uploaded to VirusTotal over the past year, not a single antivirus engine flags them as malicious,” the researchers said. “To our knowledge, there are no public reports or detection rules available for this threat, suggesting that it has quietly evaded detection across multiple environments.”

According to screenshots shared in the blog, dozens of variants uploaded to VirusTotal over the past year registered 0/66 detections.

From obfuscation to audit evasion

Plague’s stealth begins at compile time. Early versions used simple XOR-based string encoding, but later variants deployed multi-layer encryption, including custom KSA/PRGA routines and DRBG-based stages, to obfuscate decrypted payloads and strings.

The use of cryptographic routines such as the Key Scheduling Algorithm (KSA), the Pseudo-Random Generation Algorithm (PRGA), and Deterministic Random Bit Generation (DRBG) provides layered protection against both static signature scanning and sandbox-based analysis tools.

Despite its long period of activity, Plague has not been attributed to any known actor. The malware’s authors did, however, leave some clues behind the de-obfuscation routines. A sample named “hijack” referenced the movie “Hackers” in a message printed after “pam-authenticate.” “Uh. Mr. The Plague, sir? I think we have a hacker,” the message said.

Nextron recommends adopting behavioral, memory-based, and PAM-focused forensic strategies. Additionally, security teams are advised to actively audit PAM configurations, monitor newly dropped .so files in /lib/security/, and track environment-level tampering or suspicious cleanup behaviors.
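Part of that PAM audit can be automated. The following is an added example, not Nextron’s tooling or detection rules: it parses pam.d-style rules and flags any module that is not in a known-good baseline or is loaded from a non-standard directory. The sample configuration, the baseline set and the module directory list are assumptions for the example.

```python
"""Audit PAM configuration against a known-good module baseline.
Added example; not Nextron's tooling or detection rules."""
import re
from pathlib import Path

# Standard PAM module directories on Debian/Ubuntu and RHEL-family hosts (assumption; adjust per distro).
MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib64/security",
               "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security"}
# type  control  module-path  [args]; control may be a bracketed list containing spaces
_RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_rules(text):
    """Return (type, control, module, args) tuples from a pam.d-style file,
    honouring '#' comments and backslash continuations; @include is skipped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("@include"):
            continue
        m = _RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def audit_pam_text(text, baseline):
    """Flag rules whose module file name is not in `baseline` (a set built
    from a clean install) or that load a module from a non-standard directory."""
    findings = []
    for mtype, _control, module, _args in parse_pam_rules(text):
        path = Path(module)
        if path.is_absolute() and str(path.parent) not in MODULE_DIRS:
            findings.append(f"{mtype}: module loaded from non-standard path {module}")
        if path.name not in baseline:
            findings.append(f"{mtype}: module {path.name} not in baseline")
    return findings


# Constructed sample in the style of /etc/pam.d/common-auth; the last rule is
# invented to show how a dropped-in module (libselinus.so.8 is the file name reported for Plague) surfaces.
SAMPLE_CONFIG = """\
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    libselinus.so.8
"""
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so"}
```

On a real host, build the baseline from a clean image of the same distribution and run the audit over every file under /etc/pam.d, then cross-check flagged module names against the package manager’s file ownership.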