The Hacker News reports a new Linux backdoor named PamDOORa, advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor calling themselves “darkworm.” The backdoor is PAM-based and designed as a post-exploitation toolkit that enables persistent SSH access and credential harvesting from all legitimate users who authenticate through the compromised system. The report highlights the OpenSSH authentication route.
According to Flare[.]io researcher Assaf Morag, PamDOORa is described as a post-exploitation backdoor that remains persistent on Linux systems (x86_64). The tool is noted as the second Linux backdoor targeting the PAM stack, following Plague, and it includes anti-forensic capabilities that tamper with authentication logs to erase traces of activity.
The initial asking price was $1,600 on 17 March 2026. It had been reduced to $900 as of 9 April, suggesting market dynamics around the sale of the backdoor.