A newly analyzed Linux malware has caught the attention of security researchers. Named “Plague,” it is a Linux backdoor, built as a malicious PAM module, that went undetected for almost a year.
Plague Linux Malware Establishes Persistent Access
Researchers from Nextron have shared details about the Plague malware – a stealthy Linux backdoor – in their recent post.
According to the researchers, the first sample of this malware was uploaded to VirusTotal almost a year ago, yet no anti-malware engine flagged it during that entire period, which underlines how stealthy it is and how potent a backdoor it makes. Several iterations appeared over that time, and all of them stayed under the radar.
The researchers attribute this covertness to its use of PAM (Pluggable Authentication Modules): the backdoor is loaded as a PAM module, which lets it bypass system authentication and keep persistent SSH access. It integrates deeply into the target system, so it survives system updates. It also uses heavy obfuscation and tampers with its runtime environment to defeat security checks. The researchers observed that the initial samples used simple XOR-based obfuscation; later iterations switched to a KSA/PRGA scheme (the key-scheduling and keystream-generation stages of RC4), and the most recent version adds a DRBG (deterministic random bit generator) layer on top.
As for its capabilities, the researchers found that the malware implements anti-debugging tricks to evade debuggers and sandboxes. It scrubs the process environment of variables that would reveal an SSH session and suppresses shell history so that logins leave no trace for forensic investigators, and it accepts hardcoded static passwords so the attackers can log in at any time and keep persistent access.
PAM-Based Malware Poses A Serious Threat To Linux Security
Plague isn’t the first malware to abuse PAM on Linux systems. In May 2025, Nextron researchers found another backdoor, fewer than 100 lines of code, that abused PAM to escape detection. In their analysis, the researchers explained how such backdoors give attackers persistent access to a system, which can lead to credential theft and data exfiltration. The discovery of Plague simply adds to the growing list of malware that uses advanced strategies to evade detection on Linux.
Nor are PAM backdoors the only kind of malware to evade detection. Although Linux is often assumed to be harder to compromise, threat actors have constantly adapted their techniques to slip past security checks. For example, the sedexp malware persisted across reboots while escaping detection, and the CronRAT malware hid its payload in the cron scheduler under an entry dated February 31, a date that never arrives, so the entry never executed on schedule and attracted no attention.
To defend against stealthy malware like Plague, the researchers advise YARA-based hunting and behavioral analysis across core Linux system components. A practical first check is to audit the PAM configuration under /etc/pam.d and confirm that every module it loads belongs to an installed package and lives in the distribution’s standard module directory; a module that fails either test deserves a closer look.
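The following is an added example, not code from the original article or from Nextron's report, showing the kind of hunt the advice above calls for. It parses pam.d-style configuration, flags modules that are unknown, loaded from a non-standard directory, or stacked as `sufficient` in an auth chain (the position where a module accepting a static password would short-circuit real authentication, which is how a PAM backdoor like the one described above stays logged in), and does cheap static triage of a module binary for strings associated with hiding SSH sessions and disabling shell history. The module name `pam_auth_cache.so`, the allowlist, the marker strings and both sample inputs are constructed for illustration; the markers are not extracted from Plague samples.

```python
"""Added example: hunt for suspicious PAM modules in pam.d configuration and
triage module binaries. Sample inputs below are constructed, not real samples."""

import os
import re
from dataclasses import dataclass

# Where distribution-packaged PAM modules normally live (Debian/Ubuntu and
# RHEL-family layouts). Anything loaded from elsewhere deserves a look.
STANDARD_PAM_DIRS = (
    "/lib/security",
    "/lib64/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Allowlist of module names expected on the host. Assumption: in practice you
# build this from a known-good reference image; this list is illustrative.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
    "pam_env.so", "pam_loginuid.so", "pam_keyinit.so", "pam_limits.so",
    "pam_systemd.so", "pam_motd.so", "pam_mail.so", "pam_selinux.so",
    "pam_faillock.so", "pam_sss.so", "pam_succeed_if.so", "pam_localuser.so",
}

# Strings a module that hides SSH sessions and disables history might carry.
# Chosen for illustration; not taken from any real sample.
SUSPICIOUS_MARKERS = (b"HISTFILE", b"SSH_CONNECTION", b"SSH_CLIENT",
                      b"/dev/null", b"ptrace")

# type  control  module [args]; control may be a bracketed action list.
PAM_LINE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PamEntry:
    mtype: str     # auth, account, password, session
    control: str   # required, sufficient, [success=1 default=ignore], ...
    module: str    # module path exactly as written in the config
    args: str


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    module: str
    reason: str


def parse_pam_line(line: str):
    """Parse one pam.d line; returns None for blanks, comments and @include."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("@include"):
        return None
    m = PAM_LINE.match(line)
    if not m:
        return None
    mtype, control, module, args = m.groups()
    return PamEntry(mtype.lower(), control.lower(), module, args or "")


def audit_pam_config(text: str, known=KNOWN_MODULES):
    """Return findings for modules that are off-path, unknown, or both."""
    findings = []
    for line in text.splitlines():
        entry = parse_pam_line(line)
        if entry is None:
            continue
        name = os.path.basename(entry.module)
        off_path = (os.path.isabs(entry.module)
                    and os.path.dirname(entry.module) not in STANDARD_PAM_DIRS)
        unknown = name not in known
        if off_path:
            findings.append(Finding("high", entry.module,
                                    "module loaded from a non-standard directory"))
        elif unknown and entry.mtype == "auth" and entry.control == "sufficient":
            findings.append(Finding("high", entry.module,
                                    "unknown module stacked as 'sufficient' in the auth chain"))
        elif unknown:
            findings.append(Finding("medium", entry.module,
                                    "module not in the known-good allowlist"))
    return findings


def triage_module(blob: bytes):
    """Static triage of a module file: is it an ELF exposing PAM entry points,
    and which environment-tampering marker strings does it contain?"""
    is_elf = blob.startswith(b"\x7fELF")
    has_pam_entry = b"pam_sm_authenticate" in blob or b"pam_sm_setcred" in blob
    markers = sorted(m.decode() for m in SUSPICIOUS_MARKERS if m in blob)
    return {"is_pam_module": is_elf and has_pam_entry, "markers": markers}


# Constructed sample resembling /etc/pam.d/sshd on a Debian host, plus one
# hypothetical attacker-added line (pam_auth_cache.so is an invented name).
SAMPLE_SSHD_PAM = """\
@include common-auth
auth       required     pam_nologin.so
auth       sufficient   /usr/lib/x86_64-linux-gnu/security/pam_auth_cache.so
account    required     pam_unix.so
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
"""

# Constructed stand-in for a module binary: ELF magic, a PAM entry point and
# strings used to hide an SSH session. Not a real sample.
SAMPLE_MODULE_BYTES = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"pam_sm_authenticate\x00HISTFILE=/dev/null\x00SSH_CONNECTION\x00"
)

if __name__ == "__main__":
    for f in audit_pam_config(SAMPLE_SSHD_PAM):
        print(f"[{f.severity}] {f.module}: {f.reason}")
    print(triage_module(SAMPLE_MODULE_BYTES))
```

On a real host, run `audit_pam_config` over each file in /etc/pam.d and follow `@include` lines by hand, then cross-check every flagged path against the package database (`dpkg -S` / `rpm -qf`) and file integrity (`dpkg -V` / `rpm -Va`). The marker scan is only a cheap first filter; a packed or encrypted module, as the later Plague iterations are described to be, will not show these strings in the clear, which is exactly why the researchers pair YARA hunting with behavioral analysis.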