Plague Backdoor: New Linux Malware Infiltrates Authentication Stack, Evading Detection for a Year
For nearly a year, a malicious module known as Plague evaded detection by Linux security solutions, despite its active proliferation and deep entrenchment within one of the system’s most critical components—the authentication stack. Its presence was only uncovered through the forensic analysis of artifacts uploaded to VirusTotal in late July 2024. To date, none of the samples have been flagged as threats by antivirus engines, underscoring the module’s exceptional stealth and the meticulous caution of its developers.
According to researchers at Nextron Systems, Plague disguises itself as a legitimate PAM component—the Pluggable Authentication Module system, which governs access to virtually all services on Linux and UNIX platforms. By embedding itself into these authentication routines, the malicious code inherits the same privileges as native modules, allowing it to subvert authentication processes almost imperceptibly. This grants attackers persistent remote access via SSH, along with the ability to intercept user credentials silently and without leaving a trace.
What sets Plague apart is its deliberate resistance to forensic scrutiny. It employs anti-debugging techniques, obfuscates strings and system calls, and manipulates the environment variables associated with SSH sessions. Notably, it removes variables such as SSH_CONNECTION and SSH_CLIENT using the unsetenv function and points the shell history file (HISTFILE) at /dev/null, so the session leaves no audit trail in the shell history.
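The two session-level signs described above (an sshd-spawned shell whose environment lacks SSH_CONNECTION/SSH_CLIENT, and HISTFILE pointing at /dev/null) can be checked from process snapshots. The following is an added example for defenders, not code from the article or from Nextron. The detection logic works on plain dictionaries, so the constructed sample below runs anywhere; the `snapshot_linux()` helper reads `/proc` on a live Linux host and needs root to see other users' environments.

```python
"""Flag interactive sessions showing trace-wiping behaviour: an sshd child shell
without SSH_CONNECTION/SSH_CLIENT, or HISTFILE redirected to /dev/null."""
import os
from typing import Dict, List

SHELLS = {"bash", "sh", "zsh", "dash", "ksh", "fish"}
SSH_MARKERS = ("SSH_CONNECTION", "SSH_CLIENT")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE block from /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit_process(proc: dict) -> List[str]:
    """Return heuristic findings for one snapshot {"pid", "comm", "parent_comm", "env"}."""
    findings: List[str] = []
    env = proc["env"]
    pid = proc["pid"]
    if proc["comm"] in SHELLS and proc["parent_comm"] == "sshd":
        missing = [v for v in SSH_MARKERS if v not in env]
        if missing:
            findings.append(f"pid {pid}: sshd child shell without {', '.join(missing)}")
    histfile = env.get("HISTFILE")
    if histfile is not None and os.path.normpath(histfile) == "/dev/null":
        # Some users set this themselves: treat it as a lead to correlate, not proof.
        findings.append(f"pid {pid}: HISTFILE redirected to /dev/null")
    return findings


def audit_all(procs) -> List[str]:
    return [f for p in procs for f in audit_process(p)]


def snapshot_linux() -> List[dict]:
    """Build process snapshots from /proc (Linux only)."""
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/stat") as fh:
                # comm may contain spaces, so split after the closing ')'; ppid is then field 2
                ppid = fh.read().rsplit(")", 1)[1].split()[1]
            with open(f"/proc/{ppid}/comm") as fh:
                parent_comm = fh.read().strip()
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited or permission denied
        procs.append({"pid": int(pid), "comm": comm, "parent_comm": parent_comm, "env": env})
    return procs


# Constructed sample snapshots (not captured from a real host); pid 4188 shows both signs.
SAMPLE_PROCS = [
    {"pid": 4100, "comm": "bash", "parent_comm": "sshd",
     "env": {"SSH_CONNECTION": "198.51.100.7 51000 10.0.0.5 22",
             "SSH_CLIENT": "198.51.100.7 51000 22",
             "HISTFILE": "/home/alice/.bash_history"}},
    {"pid": 4188, "comm": "bash", "parent_comm": "sshd",
     "env": {"TERM": "xterm", "HISTFILE": "/dev/null"}},
    {"pid": 900, "comm": "bash", "parent_comm": "login",
     "env": {"HISTFILE": "/root/.bash_history"}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PROCS):
        print(finding)
```

Run `audit_all(snapshot_linux())` on a host to get live findings. Both checks are heuristics: a user may legitimately disable history, and a module that scrubs variables can also be caught by comparing the sshd child's environment with what sshd is known to set, which is what the first check does.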
A particularly dangerous feature of this module is its resilience to system updates. Owing to its deep integration into the PAM infrastructure, Plague remains embedded even after service restarts and the installation of new packages. This combination of persistence and invisibility renders it especially perilous in enterprise environments, where PAM often falls beyond the reach of routine threat scanners.
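Because a module that lives inside the PAM configuration survives restarts and package updates, the defensive counterpart is a periodic inventory of every module PAM is told to load, compared against a known-good baseline. The following is an added example, not part of the article or of Nextron's tooling. The baseline and the sample configuration are constructed; on a real host, derive the baseline from package-manager ownership (for example `dpkg -S` or `rpm -qf` on the module files) or from a golden image, and use `load_pam_dir()` to read the live `/etc/pam.d`.

```python
"""Parse PAM configuration and flag modules outside a known-good baseline
or loaded by an explicit filesystem path."""
import os
import re
from typing import Dict, List, Set

# One PAM line: [-]type  control  module  [args...]; the control field may be a
# bracketed expression that contains spaces, e.g. [success=1 default=ignore].
PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)


def parse_pam_config(text: str) -> List[dict]:
    """Return one record per module-referencing line; @include lines get type 'include'."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("@include"):
            parts = stripped.split()
            if len(parts) >= 2:
                records.append({"line": lineno, "type": "include", "control": None, "module": parts[1]})
            continue
        m = PAM_LINE.match(stripped)
        if m:
            records.append({"line": lineno, "type": m["type"].lstrip("-"),
                            "control": m["control"], "module": m["module"]})
    return records


def find_unexpected(configs: Dict[str, str], baseline: Set[str]) -> List[dict]:
    """Flag modules not in the baseline or referenced by absolute path (distros use bare names)."""
    findings = []
    for name, text in configs.items():
        for rec in parse_pam_config(text):
            if rec["type"] == "include":
                continue
            module = rec["module"]
            reasons = []
            if os.path.basename(module) not in baseline:
                reasons.append("not in baseline")
            if os.path.isabs(module):
                reasons.append("loaded by explicit path")
            if reasons:
                findings.append({"config": name, "line": rec["line"], "type": rec["type"],
                                 "module": module, "reasons": reasons})
    return findings


def load_pam_dir(path: str = "/etc/pam.d") -> Dict[str, str]:
    """Read every file in a pam.d directory for live use on a Linux host."""
    configs = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                configs[entry] = fh.read()
    return configs


# Constructed baseline and configuration; pam_example_unknown.so is a placeholder name.
BASELINE = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_motd.so"}
SAMPLE_CONFIGS = {
    "sshd": (
        "#%PAM-1.0\n"
        "auth required pam_env.so\n"
        "@include common-auth\n"
        "session [success=ok default=ignore] pam_motd.so motd=/run/motd.dynamic\n"
    ),
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n"
        "auth optional /lib/security/pam_example_unknown.so\n"
    ),
}

if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_CONFIGS, BASELINE):
        print(f"{f['config']}:{f['line']} {f['type']} {f['module']} ({', '.join(f['reasons'])})")
```

A clean baseline check is only half of it: the module files themselves in the PAM module directory should also be compared against package manifests, since a rogue file dropped there under a legitimate-looking name would pass a name-only check.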
Moreover, Nextron’s researchers identified multiple variants of the module, suggesting an ongoing development phase and the possible testing of diverse configurations on live systems. This could indicate either a forthcoming large-scale campaign or an active infiltration of targeted infrastructures already underway.
Plague is not merely another piece of Linux malware—it is emblematic of an evolving class of threats in which the attack begins not with the exploitation of vulnerabilities but with the subversion of trusted system components. This paradigm is particularly alarming given PAM’s limited visibility in standard monitoring tools and the insufficient protection of its loading chains. With its ability to fully emulate legitimate behavior and leave no discernible footprint, Plague could remain hidden for years, as it already did once.