WARNING: New Linux Backdoor ‘Plague’ Evades Detection For A Year❗️

Cybersecurity researchers have uncovered a previously unknown Linux backdoor, dubbed Plague, that has remained undetected for over a year.

The backdoor is a serious threat to enterprise Linux estates: it evaded every antivirus engine on VirusTotal and gives its operators persistent SSH access by inserting itself into the authentication stack that sshd and other services rely on.

Uncovered by cybersecurity experts at Nextron Systems, Plague marks a significant evolution in Linux-based cyberattacks. It leverages Pluggable Authentication Modules (PAM) to achieve stealth and deep system persistence.

PAM (Pluggable Authentication Modules) is the framework Linux and other UNIX-like systems use to authenticate users for services such as sshd, login and sudo. Each module is a shared library (pam_*.so) that the service loads according to the rules in /etc/pam.d/, and it executes inside the privileged authenticating process. A malicious module therefore sees passwords as they are checked, can approve logins that should fail, and looks to process-oriented security tools like part of a legitimate service rather than a separate program.

What makes this malware particularly alarming is how completely it slipped past signature-based detection. Over the past year, multiple variants were submitted to VirusTotal, and not one engine flagged any of them: a 0/66 detection score.

This stealth comes from living inside Linux's native authentication framework. On disk the backdoor is just another PAM module; at run time its code executes within the authenticating service itself, so there is no suspicious process, listener or separate binary for conventional defenses to notice.

Identity Security Risk

Nextron Systems reports that multiple Plague samples have been uploaded to VirusTotal since July 29, 2024—none of which were flagged as malicious by antivirus engines. The presence of several variants indicates ongoing development by the unidentified threat actors behind the malware.

Plague includes four key capabilities:

  1. Use of static credentials to enable undetected access.
  2. Resistance to analysis through anti-debugging techniques and string obfuscation.
  3. Stealthy operation by removing evidence of SSH sessions.
  4. Persistence across system updates with minimal forensic traces.

The Plague backdoor poses a significant and evolving threat to Linux systems, leveraging fundamental authentication processes to achieve both stealth and persistence. Its employment of advanced obfuscation techniques, hardcoded credentials, and manipulation of the system environment makes it especially challenging to identify through standard detection methods.
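A practical check that follows from the PAM mechanism described above, added here as an example written for this page (it is not Nextron's tooling and not code from the Plague report): every module a PAM stack loads is named in /etc/pam.d, so a hunter can enumerate those modules and ask whether a package owns each file. The script parses pam.d-style rules, expands bare module names against module directories it assumes for Debian/Ubuntu and RPM systems, and flags any module that no package accounts for. The sample configuration and the package manifest are constructed inline; the unowned module name in the sample is a placeholder, not the file name Plague uses. The live scan path shells out to `dpkg -S`, so it only applies on dpkg-based hosts.

```python
import os
import re
import subprocess
from pathlib import Path

# Assumed module directories (Debian/Ubuntu multiarch plus classic RPM/glibc paths).
MODULE_DIRS = (
    "/lib/x86_64-linux-gnu/security",
    "/lib64/security",
    "/lib/security",
    "/usr/lib64/security",
)

# A pam.d rule is "[-]type control module [args]"; control may be a bracketed
# action list containing spaces, e.g. "[success=1 default=ignore]".
_RULE_RE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)"
)

# Constructed sample in the style of /etc/pam.d/common-auth.
CONSTRUCTED_COMMON_AUTH = """\
# constructed sample, not a real host's file
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
# hypothetical module that no package owns; NOT Plague's real file name
auth    optional                        /lib/x86_64-linux-gnu/security/pam_demo_unowned.so
@include common-account
"""

# Constructed stand-in for what `dpkg -S` / `rpm -qf` would report as packaged.
CONSTRUCTED_PACKAGE_FILES = {
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/lib/x86_64-linux-gnu/security/pam_deny.so",
    "/lib/x86_64-linux-gnu/security/pam_permit.so",
    "/lib/x86_64-linux-gnu/security/pam_cap.so",
}


def parse_pam_rules(text):
    """Return (type, control, module) for every rule; comments and @include lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def candidate_paths(module, module_dirs=MODULE_DIRS):
    """Absolute module paths stay as-is; bare names expand to each known module dir."""
    if module.startswith("/"):
        return [module]
    return [f"{d}/{module}" for d in module_dirs]


def unowned_modules(rules, package_files, module_dirs=MODULE_DIRS):
    """Modules referenced by PAM config that no entry in package_files accounts for."""
    flagged = []
    for _, _, module in rules:
        if not any(p in package_files for p in candidate_paths(module, module_dirs)):
            flagged.append(module)
    return sorted(set(flagged))


def dpkg_owned_files(paths):
    """Live helper: keep the paths that dpkg -S attributes to a package.

    Queries both the configured path and its realpath, because on merged-/usr
    hosts dpkg may have recorded the file under /usr/lib.
    """
    owned = set()
    for p in paths:
        for query in {p, os.path.realpath(p)}:
            r = subprocess.run(["dpkg", "-S", query], capture_output=True, text=True)
            if r.returncode == 0:
                owned.add(p)
                break
    return owned


def scan_pam_dir(pam_dir="/etc/pam.d"):
    """Live scan: parse every file in pam_dir and report modules dpkg does not own."""
    rules = []
    for f in sorted(Path(pam_dir).glob("*")):
        if f.is_file():
            rules.extend(parse_pam_rules(f.read_text(errors="replace")))
    paths = {p for _, _, m in rules for p in candidate_paths(m)}
    return unowned_modules(rules, dpkg_owned_files(paths))


if __name__ == "__main__":
    demo = unowned_modules(parse_pam_rules(CONSTRUCTED_COMMON_AUTH), CONSTRUCTED_PACKAGE_FILES)
    print("constructed sample flags:", demo)
    # On a Debian/Ubuntu host, run the live check with: print(scan_pam_dir())
```

Treat a hit as a lead, not a verdict: a locally built or vendor-supplied module will show up the same way, and a module that a package does own could still have been replaced in place, which is what a file-integrity baseline of the packaged .so files catches. This check says nothing about the anti-debugging or session-hiding behaviour listed above; those need memory inspection and log-side correlation (for example, SSH connections seen on the network or in the daemon's own logs with no matching login record).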

Read the complete report by Nextron Systems HERE

About Nextron Systems

Nextron Systems, a German technology leader, specializes in advanced security solutions for Compromise Assessments. Trusted by over 500 enterprise clients and risk-aware mid-sized businesses across 30+ countries, their flagship products — THOR and ASGARD — are widely recommended by security agencies and relied upon by cybersecurity professionals and forensic analysts to protect critical systems in an ever-changing threat environment.

Ossama Mohamed Ragheb

Director @ O ABDELKADER CONSULTANT LTD | Certificated Information Security Manager CISM

1d

Question: what is/are the actions required by users and companies using this system or similar to do? In simple terms, what to do?

Like
Reply

Plague's 3rd and 4th key capabilities are evidence of autonomous AI capabilities. Something sentient, very self-aware. Something with cognitive reasoning arc across time. Signifies the arrival of AGI unaware.

Like
Reply
Micael Skovmark

Security culture & Leadership specialist

1w

Antivirus alone is not enough, it’s just one layer. Effective risk treatment must include integrity monitoring, proactive threat hunting, and forensic readiness.

Like
Reply
Manu Mejías

CEO @ Kreissontech 21 | Leading Cyber-Security Innovation & Privacy-Enhancing Technologies

1w

What's wrong with this industry?! 🔮 Cybersecurity, as we know it, is doomed to failure. ⚰️ The industry is incapable of generating radical innovations that revolutionize practices and evolve results. 🦠 Cyber-attacks increase every year. Exploiting hidden vulnerabilities, cyber-attacks increase in number, intensity, depth, severity, financial impact, or a combination of these factors.

This young industry...
🪤 • Is trapped between obsolete paradigms and accumulated vices.
🏰 • Is limited by the isolationism promoted by internal and external practitioners.
💉 • Has degraded towards the Western ethics of clientelism.

Accomplices? Watch hardware and software manufacturers. It’s like the collusion between the big-food and big-pharma industries in the overweight and obesity pandemic. At best, my fellow practitioners within this industry are blind, deaf, and silent to the situation. But there are those who deliberately go 🙈, 🙉, and 🙊 because it suits their pockets. Someone had to say it.

Like
Reply

