New Linux Backdoor "PamDOORa" Exploits PAM to Steal SSH Credentials
Security researchers from Group-IB’s DFIR team have identified a novel Linux backdoor technique, dubbed PamDOORa, that abuses Pluggable Authentication Modules (PAM) to harvest SSH credentials and maintain stealthy persistence on compromised systems.
PAM, a modular authentication framework introduced in Linux in 1991, allows administrators to customize authentication workflows for applications like sshd, login, and su. While its flexibility enhances security, it also creates attack surfaces when misconfigured. The pam_exec module, which exists to run an external command at a given stage of authentication, is what this campaign weaponizes.
In the PamDOORa attack, threat actors modify PAM configuration files (e.g., /etc/pam.d/sshd) to inject a malicious script that triggers during SSH login attempts. The script captures usernames, timestamps, and environment variables (e.g., PAM_USER, PAM_RHOST) and exfiltrates them to a remote command-and-control (C2) server via tools like netcat (nc). The attack relies on PAM's optional control flag, under which the module's return value does not affect whether authentication succeeds, so the malicious command runs on every attempt without disrupting authentication or raising alarms, even when the login fails.
A key concern is its stealth: PAM’s internal handling of authentication means the credential theft leaves minimal traces in system logs, complicating detection. Traditional monitoring may only flag failed logins, masking the underlying data exfiltration.
The technique underscores how legitimate Linux features can be repurposed for covert attacks. Organizations running Linux servers, particularly those exposed to external networks, are advised to audit PAM configurations, monitor for unauthorized changes, and enforce stricter logging and execution controls. The discovery highlights the risks of trusted frameworks when misconfigured, as Linux's dominance in enterprise and cloud environments makes it an attractive target.
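One way to act on the audit advice above, as an added example that is not code from the article or from Group-IB: a small Python audit that parses PAM configuration text, reports every pam_exec entry, and flags the pattern described here (the optional control flag and a command living in a writable or hidden path). The sample sshd configuration, the session-hook path and the suspect-directory list are constructed assumptions, not data from the report.

```python
import re
from pathlib import Path

# Constructed sample modelled on /etc/pam.d/sshd, not a capture from any real host.
# The last line mirrors the article's pattern: pam_exec, optional, out-of-place script.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       substack     password-auth
account    required     pam_nologin.so
session    required     pam_selinux.so close
session    optional     pam_exec.so seteuid /usr/libexec/session-hook.sh
session    optional     pam_exec.so quiet /tmp/.cache/update.sh
"""

# A PAM line: type, control (keyword or [bracketed] action list), module, arguments.
PAM_LINE = re.compile(r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
                      r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")
# Options pam_exec accepts ahead of the command (see the pam_exec man page).
EXEC_OPTIONS = ("debug", "expose_authtok", "seteuid", "quiet", "stdout", "log=", "type=")
# Assumption: vendor hooks do not live in scratch or user-writable directories.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def audit_pam_config(text: str) -> list:
    """Return one finding per pam_exec line, with the reasons it merits review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0])   # drop trailing comments
        if not m or "pam_exec" not in m.group("module"):
            continue
        args = (m.group("args") or "").split()
        # The first argument that is not a pam_exec option is the command to run.
        cmd = next((a for a in args if not a.startswith(EXEC_OPTIONS)), "")
        reasons = []
        if m.group("control") == "optional":
            reasons.append("optional control: exit status cannot change the login result")
        if cmd.startswith(SUSPECT_DIRS) or "/." in cmd:
            reasons.append("command in a writable or hidden location")
        findings.append({"line": line_no, "type": m.group("type"),
                         "control": m.group("control"), "command": cmd, "reasons": reasons})
    return findings

def audit_pam_dir(pam_dir: str = "/etc/pam.d") -> dict:
    """Run the audit over every file in a PAM directory on a live host."""
    return {p.name: audit_pam_config(p.read_text(errors="replace"))
            for p in sorted(Path(pam_dir).glob("*")) if p.is_file()}
```

Every pam_exec entry is reported, not only the flagged ones, because a legitimately deployed hook is exactly what an attacker's line is made to resemble; compare the output against a known-good baseline of the host.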
Source: https://gbhackers.com/pam-backdoor-targets-linux-systems/
Group-IB TPRM report: https://www.rankiteo.com/company/group-ib
{
  "id": "gro1778250579",
  "linkid": "group-ib",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [{"type": "Organization"}],
  "attack_vector": "Abuse of Pluggable Authentication Modules (PAM)",
  "data_breach": {
    "data_exfiltration": "Yes (to remote C2 server via netcat)",
    "sensitivity_of_data": "High (could enable further system compromise)",
    "type_of_data_compromised": "SSH credentials (usernames, timestamps, environment variables)"
  },
  "description": "Security researchers from Group-IB’s DFIR team have identified a novel Linux backdoor technique, dubbed PamDOORa, that abuses Pluggable Authentication Modules (PAM) to harvest SSH credentials and maintain stealthy persistence on compromised systems. The attack leverages the pam_exec module to execute a malicious script during SSH login attempts, capturing usernames, timestamps, and environment variables, and exfiltrating them to a remote C2 server via tools like netcat (nc). The technique is stealthy, leaving minimal traces in system logs.",
  "impact": {
    "data_compromised": "SSH credentials (usernames, timestamps, environment variables)",
    "identity_theft_risk": "High (stolen SSH credentials could lead to further compromise)",
    "operational_impact": "Potential unauthorized access to systems via stolen SSH credentials",
    "systems_affected": "Linux servers with PAM configurations (e.g., /etc/pam.d/sshd)"
  },
  "initial_access_broker": {
    "backdoors_established": "Malicious script injected into PAM configuration",
    "entry_point": "PAM misconfiguration (pam_exec module)",
    "high_value_targets": "Linux servers with external SSH access"
  },
  "lessons_learned": "Legitimate Linux features like PAM can be repurposed for covert attacks. Misconfigurations in trusted frameworks pose significant risks, especially in enterprise and cloud environments.",
  "post_incident_analysis": {
    "corrective_actions": "Audit PAM configurations, enforce stricter logging, and monitor for unauthorized changes",
    "root_causes": "Abuse of PAM’s pam_exec module for credential theft due to misconfiguration"
  },
  "recommendations": "Audit PAM configurations, monitor unauthorized changes, enforce stricter logging and execution controls, and enhance monitoring for Linux servers exposed to external networks.",
  "references": [{"source": "Group-IB’s DFIR team"}],
  "response": {
    "enhanced_monitoring": "Recommended",
    "remediation_measures": "Audit PAM configurations, monitor unauthorized changes, enforce stricter logging and execution controls",
    "third_party_assistance": "Group-IB’s DFIR team"
  },
  "title": "New Linux Backdoor 'PamDOORa' Exploits PAM to Steal SSH Credentials",
  "type": "Backdoor",
  "vulnerability_exploited": "Misconfigured PAM (pam_exec module)"
}