PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH
🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and specific TCP port and can harvest credentials for all users who authenticate through the compromised host. Flare.io says the implant also includes anti-forensic features to tamper with authentication logs and evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.
