thehackernews.com 5/8/2026, 10:59:41 AM · via preferred

New Linux PAM backdoor PamDOORa sold on Russian forum for $1,600

Developing story malware 2 articles tracked
PamDOORa Linux PAM backdoor advertised for sale on underground forum
CyberSIXT Evidence Panel
Primary Source flare.io
Threat Actor
darkworm

THE Hacker News reports a new Linux backdoor named PamDOORa, advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor calling themselves “darkworm.” The backdoor is PAM-based and designed as a post-exploitation toolkit that enables persistent SSH access and credential harvesting from all legitimate users who authenticate through the compromised system, with the OpenSSH authentication route highlighted.

According to Flare[.]io researcher Assaf Morag, PamDOORa is described as a post-exploitation backdoor that would remain persistent on Linux systems (x86_64). The tool is noted as the second Linux backdoor targeting the PAM stack, following Plague, and it also includes anti-forensic capabilities to tamper with authentication logs to erase traces of activity.

After an initial asking price of $1,600 on 17 March 2026, the price was reduced to $900 as of 9 April, suggesting market dynamics around the sale of the backdoor.

View Primary Source Via thehackernews.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline