The company Nextron recently discovered a new and very stealthy Linux backdoor called “Plague” (see the blog post). The malware is a malicious PAM (Pluggable Authentication Module) that lets attackers bypass system authentication undetected and keep persistent SSH access. Although several samples have been uploaded to VirusTotal over the last year, no antivirus engine flags them as malicious, and there are no public reports or detection rules for this threat (yet).
Plague hides deep in the system, survives updates, and barely leaves any traces, which makes it very hard to find with standard tools. This shows how dangerous backdoors targeting core Linux components like PAM can be.
To help others detect this threat, the blog post also contains a YARA rule. The case highlights why proactive detection with tools like YARA matters for catching hidden threats on Linux systems.
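Because a PAM backdoor is just a shared object that PAM loads, one practical complement to a YARA rule is an inventory check: every module referenced from /etc/pam.d should resolve to a file on disk, sit in the distribution's PAM module directory, and be owned by an installed package. The script below is an added example written for this article, not code from Nextron or from the Plague report. It assumes the usual module directories listed in PAM_LIB_DIRS, a host with dpkg or rpm, and it carries a constructed sample config in which the module name pam_example_unknown.so is hypothetical.

```python
"""Inventory the PAM modules a Linux host loads and flag the ones nothing
accounts for.  Added example for this article; not Nextron's code.

Checks (defender's view of a malicious-PAM-module threat):
  1. every module referenced in /etc/pam.d resolves to a file on disk
  2. the file lives in a standard PAM module directory
  3. the file is owned by an installed package (dpkg -S / rpm -qf)
  4. every .so already sitting in those directories is package-owned, which
     catches a module dropped in place without touching any config file
"""
import os
import re
import shutil
import subprocess
from typing import List, Optional

# Assumption: typical module directories on Debian/Ubuntu and RHEL-like hosts.
PAM_LIB_DIRS = ["/lib/security", "/lib64/security", "/usr/lib/security",
                "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
                "/usr/lib/x86_64-linux-gnu/security"]

# Constructed sample config (Debian common-auth style).  The last line names a
# hypothetical unpackaged module so the parser has something to flag.
SAMPLE_CONFIG = """
# constructed sample, not taken from any real system
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
-session optional                       pam_systemd.so
@include common-password
auth    sufficient  /usr/lib/security/pam_example_unknown.so   # hypothetical
"""


def parse_pam_config(text: str) -> List[dict]:
    """Return one dict per rule: type, control, module, args.
    Handles '#' comments, backslash line continuations, the optional '-'
    prefix on the type, @include lines and bracketed control fields such
    as [success=1 default=ignore] (which contain spaces)."""
    rules = []
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.append({"type": "@include", "control": "",
                          "module": line.split(None, 1)[1].strip(), "args": []})
            continue
        m = re.match(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        typ, control, module, args = m.groups()
        rules.append({"type": typ.lstrip("-"), "control": control,
                      "module": module, "args": args.split()})
    return rules


def classify_module_path(module: str) -> str:
    """'standard' for a bare name or a path inside PAM_LIB_DIRS, else 'nonstandard'."""
    if "/" not in module:
        return "standard"
    return "standard" if os.path.dirname(module) in PAM_LIB_DIRS else "nonstandard"


def resolve_module(module: str) -> Optional[str]:
    """Absolute path of the module file, or None if it is not on disk."""
    if "/" in module:
        return module if os.path.exists(module) else None
    for d in PAM_LIB_DIRS:
        p = os.path.join(d, module)
        if os.path.exists(p):
            return p
    return None


def package_owner(path: str) -> Optional[str]:
    """Package claiming `path`, 'no-package-tool' if neither dpkg nor rpm exists,
    None if a package manager is present but nothing owns the file."""
    for tool, argv in (("dpkg", ["dpkg", "-S", path]), ("rpm", ["rpm", "-qf", path])):
        if shutil.which(tool):
            r = subprocess.run(argv, capture_output=True, text=True)
            return r.stdout.strip() if r.returncode == 0 else None
    return "no-package-tool"


def audit_rules(source: str, rules: List[dict]) -> List[str]:
    """Findings for the rules parsed from one config file."""
    findings = []
    for rule in rules:
        if rule["type"] == "@include":
            continue
        path = resolve_module(rule["module"])
        if path is None:
            findings.append(f"{source}: {rule['module']} referenced but not found on disk")
            continue
        if classify_module_path(path) == "nonstandard":
            findings.append(f"{source}: {path} loaded from outside the PAM module directories")
        if package_owner(path) is None:
            findings.append(f"{source}: {path} is not owned by any package")
    return findings


def audit_host(pam_dir: str = "/etc/pam.d") -> List[str]:
    """Run all four checks against the live host."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, name), errors="replace") as f:
            findings += audit_rules(name, parse_pam_config(f.read()))
    for d in PAM_LIB_DIRS:                      # check 4: unpackaged .so dropped in place
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            p = os.path.join(d, entry)
            if entry.endswith(".so") and package_owner(p) is None:
                findings.append(f"{d}: unpackaged module {entry}")
    return findings


if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

Two caveats a practitioner should keep in mind. Ownership only proves a file came from a package, not that it is still the packaged bytes; a module overwritten in place passes check 3, so pair this with `dpkg -V` or `rpm -Va` to compare on-disk hashes against the package database. And the listing is only as honest as the kernel and userland answering it, so run it from a trusted boot medium or against a mounted disk image if a rootkit is suspected alongside the PAM module.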