In the enterprise world, Linux servers are the bedrock of cloud environments and critical infrastructure. To protect them, we rely on the Pluggable Authentication Modules (PAM) stack, the layer every login attempt passes through for validation. But what happens when the gatekeeper is secretly working for the intruder?
According to a new technical analysis by Assaf Morag, Cybersecurity Researcher at Flare, a potent new threat named PamDOORa has surfaced on a Russian cybercrime forum. For a price tag of $1,600, threat actors can now purchase the complete source code for a backdoor that embeds itself directly into this foundational security layer.
PamDOORa is a post-exploitation tool built for x86_64 Linux. Rather than running as a separate user-space process of the kind endpoint controls are tuned to hunt, it is a PAM module: a shared library loaded into whichever process is authenticating a user (sshd, login, su). That placement lets it read the cleartext password at the moment the process asks PAM to verify it, before sshd has decided whether to log a success or a failure and before any application-layer monitoring sees the attempt.
As the Flare report explains:
“The tool… provides persistent SSH access via a magic password and specific TCP port combination, while simultaneously harvesting credentials from all legitimate users who authenticate through the compromised system. The credential capture occurs within the PAM stack itself, meaning it intercepts passwords before any application-layer logging.”
The "magic" password gives the attacker persistent SSH access to the server. Because it is recognised by the implanted module itself rather than by the system's password database, changing every user's password does not revoke it; the backdoor remains a silent, standing entry point into the network.
A further problem for incident responders is that PamDOORa is built to hide the attacker's own logins. It carries anti-forensic code that edits the native Linux login accounting records.
“The tool includes anti-forensic capabilities that manipulate lastlog, btmp, utmp, and wtmp authentication logs to remove traces of attacker access,” the analysis states. By wiping these records, the backdoor “directly undermines incident response” by creating a forensic trail that is either incomplete or intentionally misleading.
The emergence of PamDOORa highlights a critical blind spot in standard server security. Controls that focus on application binaries are insufficient when the compromise sits in the authentication libraries the operating system itself loads.
To counter this, security teams must shift toward behavioral monitoring. Flare recommends deploying detection capabilities that have visibility into “sensitive junctions such as PAM stacks, SSHD authentication flows, kernel-level hooks, and unauthorized file or library injections”.
Key Recommendations for Linux Administrators:
- Runtime Visibility: Monitor for unusual authentication patterns, rare source ports, or anomalous interactions with authentication components rather than relying solely on static integrity checks.
- Assume Full Exposure: If a system is found to be compromised at this level, defenders must assume that every credential used on that system has been exposed.
- Total Remediation: “Cleanup efforts should therefore include credential rotation, key revocation, and re-establishing trust across affected systems, rather than focusing solely on removing the implant”.
- Redundant Telemetry: Because the malware can tamper with local logs, incident responders should rely on redundant, off-system telemetry sources to reconstruct the attacker’s actions.
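The cross-check the last two recommendations call for, as an added example that is not Flare's or PamDOORa's code: it compares the sshd "Accepted" lines received by an off-host syslog collector with the USER_PROCESS records in the host's own wtmp, flags logins the local record cannot account for, and separately flags source ports below the ephemeral range. The syslog lines and wtmp records are constructed; the 384-byte record layout is glibc's `struct utmp` on x86_64 Linux, and the port threshold is an assumption to tune.

```python
"""Cross-check sshd logins seen by an off-host syslog collector against the
host's own wtmp.

Added example (not Flare's or PamDOORa's code). The syslog lines and wtmp
records are constructed; on a real host you would read the collector's copy
of the sshd log and /var/log/wtmp.
"""
import re
import socket
import struct

# glibc `struct utmp` on x86_64 Linux: 384-byte records, 2 bytes of padding
# after ut_type. ut_type 7 (USER_PROCESS) marks a logged-in session.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
USER_PROCESS = 7

# sshd's success line: "Accepted password for alice from 10.0.0.5 port 51234 ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)"
)

# Assumption: real SSH clients connect from ephemeral ports, so a source port
# below 1024 is treated as anomalous. Tune for your own estate.
LOW_PORT_THRESHOLD = 1024


def build_wtmp_record(user, line, host, pid, ts):
    """Pack one USER_PROCESS record (used here only to build sample data)."""
    addr = struct.unpack("<i", socket.inet_aton(host))[0]
    return struct.pack(
        UTMP_FORMAT, USER_PROCESS, pid, line.encode(), b"", user.encode(),
        host.encode(), 0, 0, 0, ts, 0, addr, 0, 0, 0, b"",
    )


def parse_wtmp(data):
    """Return (user, host) for every USER_PROCESS record in raw wtmp bytes."""
    sessions = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FORMAT, data, off)
        if rec[0] != USER_PROCESS:
            continue
        user, host = rec[4], rec[5]            # ut_user, ut_host
        sessions.append((user.rstrip(b"\0").decode(), host.rstrip(b"\0").decode()))
    return sessions


def parse_accepted_logins(log_lines):
    """Extract user, host and source port from sshd 'Accepted ...' lines."""
    logins = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append({"user": m["user"], "host": m["host"], "port": int(m["port"])})
    return logins


def find_suspicious_logins(log_lines, wtmp_bytes):
    """Flag logins the collector saw that wtmp does not account for, or that
    came from an unusual source port."""
    recorded = set(parse_wtmp(wtmp_bytes))
    findings = []
    for login in parse_accepted_logins(log_lines):
        reasons = []
        if (login["user"], login["host"]) not in recorded:
            reasons.append("no wtmp USER_PROCESS record for this user and host")
        if login["port"] < LOW_PORT_THRESHOLD:
            reasons.append(f"source port {login['port']} is below the ephemeral range")
        if reasons:
            findings.append({**login, "reasons": reasons})
    return findings


# ---- constructed sample data ----------------------------------------------
REMOTE_SYSLOG = [
    "Mar  3 09:12:41 web01 sshd[2143]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 09:40:07 web01 sshd[2290]: Accepted publickey for bob from 10.0.0.9 port 50020 ssh2",
    "Mar  3 23:58:13 web01 sshd[4871]: Accepted keyboard-interactive/pam for root from 203.0.113.7 port 443 ssh2",
]
# Local wtmp as an implant might leave it: the root session has been scrubbed.
LOCAL_WTMP = (
    build_wtmp_record("alice", "pts/0", "10.0.0.5", 2143, 1709457161)
    + build_wtmp_record("bob", "pts/1", "10.0.0.9", 2290, 1709458807)
)


if __name__ == "__main__":
    for f in find_suspicious_logins(REMOTE_SYSLOG, LOCAL_WTMP):
        print(f"{f['user']}@{f['host']}:{f['port']} -> " + "; ".join(f["reasons"]))
```

The comparison only works if the collector's copy left the host before the implant could touch it, so forward sshd's syslog output in real time and treat the local files as untrusted. Matching on user and host is deliberately coarse; in production you would also match on timestamp and pid to catch a scrubbed session from a host that logs in legitimately at other times.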