Plague PAM Backdoor

The new Plague PAM backdoor evaded AV for a year. Learn its TTPs, IOC list and a threat-detection blueprint to secure your Linux servers in 2025.
Aug 04, 2025

A 2025 Breach Analysis & Threat Detection Blueprint

Last updated: 4 Aug 2025
Author: Trescudo Research Team
Image: Willem Smith
Sources: Nextron Systems, Security Affairs, TheHackerNews, CSO Online

Key fact: VirusTotal showed 0/63 detections when Plague samples first surfaced—proving signature-based tools alone are no match for modern cyber-threat detection.


1. What Happened?

Researchers at Nextron Systems uncovered Plague, a stealth Linux backdoor that embeds itself inside PAM (Pluggable Authentication Modules) and quietly siphons SSH credentials. Telemetry now links Plague activity back to March 2024, meaning attackers enjoyed more than a year of undetected access to hosting, fintech and higher-ed servers.


2. How Plague Works — From Implant to Exfil

  1. Initial foothold via weak SSH credentials or vulnerable web admin panels.

  2. The attacker drops a rogue library (named pam_plg.so or pam_unix.so.1) into /usr/lib*/security/.

  3. /etc/pam.d/sshd is silently edited to load the malicious module.

  4. Threat detection bypass: the module hooks pam_sm_authenticate(); a secret password grants the attacker entry, while valid user credentials are logged and AES-128 encrypted for later exfiltration.

  5. Log wiping: /var/log/secure and session histories are erased, deleting forensic clues.


3. Why Traditional Tools Missed It

  • Living-off-the-land binaries (LOLbins): Plague piggybacks on the built-in pam_unix.so authentication workflow, so no new process launches and there is nothing obvious for an AV scan to flag.

  • Timestamp stomping: it copies the original file's metadata so that casual file-integrity checks see nothing changed.

  • Credential theft, not ransomware: no noisy encryption event triggers EDR alerts, so SIEM correlation rules stayed silent.

You need behavioral threat detection and continuous intrusion monitoring to catch this class of malware. Up-leveling your threat detection beyond hash-matching is now mandatory.


4. Incident Timeline (CEST)

Date          Event

03 Mar 2024   First telemetry sample (Variant A) uploaded to a private malware archive.
15 Nov 2024   Variant B adds AES encryption & reverse shell option.
01 Aug 2025   Nextron publishes advisory; threat-intelligence feeds updated.
02 Aug 2025   Security Affairs + THN publish IOCs; 5 AV engines finally detect sample.


5. Threat Detection Best Practices for Plague-Style Attacks

Layer / Action / Keyword Usage

  • File Integrity: Implement AIDE or osquery to baseline /etc/pam.d/ and /usr/lib*/security/. Trigger alerts on any hash change.
    “File-integrity monitoring is a first line of threat detection for PAM tampering.”

  • Log Pipeline: Forward /var/log/auth.log and /var/log/secure off-host to an immutable SIEM.
    “Centralised logs create a high-fidelity threat-detection source.”

  • Behavioral EDR: Alert on anomalous pam_sm_authenticate() calls that spawn a shell.
    “Behaviour-based EDR closes the gap where signature threat detection fails” (signature agnostic).

  • Anomaly Rules: Flag ‘Accepted password for invalid user’ or a sudden spike in new TTY sessions.
    “Rule-based analytics sharpen threat detection of live credential theft.”

  • Purple-Team Drills: Simulate PAM backdoor insertion and measure Mean Time to Detect (MTTD).
    “Hands-on purple-team labs validate real-world threat detection capability.”
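As an added example covering the File Integrity and Anomaly Rules layers above (not the Trescudo team's or Nextron's tooling): it parses an sshd PAM stack for modules outside an allowlist and diffs a SHA-256 baseline of the security/ directory, ignoring timestamps because Plague copies them. The allowlist, the sample config and the temporary stand-in directory are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Modules an sshd PAM stack normally references; tune per distribution (assumption).
KNOWN_MODULES = {"pam_unix.so", "pam_env.so", "pam_motd.so", "pam_limits.so", "pam_nologin.so",
                 "pam_sepermit.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
                 "pam_systemd.so", "pam_deny.so", "pam_permit.so", "pam_mail.so", "pam_lastlog.so"}
# type, control (keyword or [...]), module path; a leading '-' marks an optional line.
_PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(config_text: str) -> list[str]:
    """Module file names a pam.d service file loads (include/substack lines skipped)."""
    return [Path(m.group(3)).name for m in map(_PAM_LINE.match, config_text.splitlines())
            if m and m.group(2) not in ("include", "substack")]

def unknown_modules(config_text: str, known=KNOWN_MODULES) -> list[str]:
    """Modules referenced by the config that are not on the allowlist."""
    return sorted(set(pam_modules(config_text)) - known)

def sha256_tree(root: Path) -> dict[str, str]:
    """Baseline snapshot: relative path -> sha256 of every regular file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_baseline(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Added/removed/modified files; mtime is ignored on purpose (Plague copies original metadata)."""
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])}

# Constructed /etc/pam.d/sshd with one injected line (not taken from a real host).
SAMPLE_SSHD = """\
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       sufficient   pam_plg.so
-session   optional     pam_systemd.so
"""

def simulate_drop() -> dict[str, list[str]]:
    """Stand-in for /usr/lib64/security/: baseline, then replace pam_unix.so and add pam_plg.so."""
    with tempfile.TemporaryDirectory() as d:
        sec = Path(d)
        (sec / "pam_unix.so").write_bytes(b"legit")
        baseline = sha256_tree(sec)
        (sec / "pam_unix.so").write_bytes(b"trojaned")
        (sec / "pam_plg.so").write_bytes(b"rogue")
        return diff_baseline(baseline, sha256_tree(sec))
```

On a real host, run sha256_tree once against a known-clean image, store the result off-host, and compare on a schedule; unknown_modules should be run against every file in /etc/pam.d/, not only sshd.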


6. Do & Do-Not Checklist

Before Deployment

  • ✅ Baseline and sign PAM libraries.

  • ✅ Enforce SSH key-based auth + MFA.

  • 🚫 Don’t expose SSH on default port 22 without fail2ban or similar.

During Operation

  • ✅ Alert on PAM config edits.

  • ✅ Monitor LOLBin usage like wmic, certutil, and bash -c in the auth flow.

  • 🚫 Don’t ignore low-noise anomalies (attackers rely on “alert fatigue”).

If Compromised

  • ✅ Rotate ALL captured credentials.

  • ✅ Rebuild from clean images; hidden copies may persist.

  • ✅ Publish IOC hashes & update threat detection rules for peer teams.


7. Compliance Angle

Plague underscores NIS2 Article 21 and DORA’s emphasis on continuous monitoring and “effective threat detection and response.” Organisations that cannot prove timely detection now face regulatory fines and board scrutiny.


8. Conclusion

Plague is proof that today’s defenders must pair strong Linux hygiene with behaviour-driven threat detection. A single rogue PAM module can turn your SSH gateway into an open door—silently—for months.

“Resilience isn’t an add-on—it is the plan.” — Marçal Santos


Download: Plague IOC & Sigma Rule Pack



References

  1. Nextron Systems – “Plague PAM Backdoor for Linux” (Aug 2025)

  2. SecurityAffairs – “New Linux backdoor bypasses PAM auth” (Aug 2025)

  3. TheHackerNews – “Plague exposes critical Linux systems” (Aug 2025)

  4. CSO Online – “How Plague evaded AV for a year” (Aug 2025)


© 2025 Trescudo Cybersecurity – All rights reserved.
