New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
08 May 2026
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm."
The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination.