New Backdoor “Plague” Discovered on Linux: Hides in PAM to Bypass Authentication

Monday, August 4, 2025

Researchers at Nextron Systems have discovered a new malware strain called “Plague,” which installs itself as a PAM (Pluggable Authentication Module) on Linux systems. The malware abuses the PAM framework to bypass standard authentication, allowing attackers to maintain persistent SSH access without supplying a valid password. Plague also includes stealth capabilities that erase usage history and cover its tracks, making it difficult for system administrators to detect.

The malware is highly sophisticated, using multiple obfuscation techniques to conceal its operations. These include XOR encryption, the use of a Deterministic Random Bit Generator (DRBG), and anti-reverse engineering methods to evade analysis by tools like IDA Pro. Plague also hardcodes a static backdoor password for hidden access and features anti-debugging mechanisms, such as self-renaming and automatic clearing of shell history to minimize forensic evidence.

Although the threat actor behind Plague has not yet been identified, researchers found an easter egg embedded in the malware that references the film Hackers (1995), specifically the quote: “Uh. Mr. The Plague, sir? I think we have a hacker.” This suggests that the malware may originate from a highly skilled group with a deep technical background. Because of its stealth and persistence, Plague represents a serious threat to Linux infrastructure, and organizations are urged to immediately audit their PAM configurations and scan for suspicious modules to detect any backdoor infiltration.
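As an added, defender-side illustration of the audit recommended above (this script is not from the article or from Nextron Systems), the following Python code parses the rules in each file under /etc/pam.d, flags any module that is not in a known-good baseline or is loaded from outside the usual module directories, and reports on-disk modules that neither dpkg nor rpm claims to own. The module search paths are an assumption and differ between distributions.

```python
import os
import re
import shutil
import subprocess

MODULE_DIRS = ["/lib/security", "/lib64/security",
               "/lib/x86_64-linux-gnu/security", "/usr/lib/security"]  # assumption; extend for your distro
RULE = re.compile(r"^-?(auth|account|password|session)\s+"
                  r"(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_config(text):
    """Return (type, control, module, args) per rule; skips comments and @include."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):           # rule continues on the next line
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        m = RULE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, module, args.split()))
    return entries

def unexpected_modules(entries, baseline):
    """Modules not in the known-good `baseline` names, or loaded from outside MODULE_DIRS."""
    flagged = set()
    for _, _, module, _ in entries:
        off_path = os.path.isabs(module) and os.path.dirname(module) not in MODULE_DIRS
        if os.path.basename(module) not in baseline or off_path:
            flagged.add(module)
    return sorted(flagged)

def owned_by_package(path):
    """True if dpkg or rpm owns the file; an unowned PAM module is suspect."""
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        if shutil.which(cmd[0]) and subprocess.run(cmd, capture_output=True).returncode == 0:
            return True
    return False

if __name__ == "__main__":               # live audit of this host
    for fname in sorted(os.listdir("/etc/pam.d")):
        with open(os.path.join("/etc/pam.d", fname)) as fh:
            rules = parse_pam_config(fh.read())
        for _, _, module, _ in rules:
            cands = [module] if os.path.isabs(module) else [os.path.join(d, module) for d in MODULE_DIRS]
            hit = next((p for p in cands if os.path.exists(p)), None)
            if hit is None or not owned_by_package(hit):
                print(f"{fname}: {module} -> {hit or 'not found'} (not package-owned)")
```

Run it as root on a suspect host; anything it prints deserves a hash comparison against a known-good system, since a module that no package owns is exactly how a drop-in PAM backdoor presents itself.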

Source: https://securityaffairs.com/180701/malware/new-linux-backdoor-plague-bypasses-auth-via-malicious-pam-module.html