
A 23-year-old student was detained in Taiwan after investigators said he broke into the island's high-speed rail network and sent fabricated General Alarm signals to disrupt service, according to SecurityWeek. The arrest coincided with the appearance of a new Linux backdoor called PamDOORa on a Russian cybercrime forum, where it is being offered for around nine hundred US dollars by a threat actor known as darkworm, as reported by Flare.io. Researchers note that the tool is marketed as a post-exploitation kit that gives attackers persistent SSH access while harvesting plaintext credentials from anyone who authenticates through the compromised system.
PamDOORa works by installing a malicious Pluggable Authentication Module that intercepts the Linux PAM stack during SSH login, per The Hacker News. When a user supplies a password, the backdoor checks for a hard-coded magic string and a specific TCP port; if both match, it grants the attacker a reverse shell and logs the plaintext credentials to a hidden file. The module also tampers with authentication logs to erase traces of its activity, a technique seen in the earlier Plague backdoor. PamDOORa targets x86_64 Linux distributions and does not exploit a software vulnerability; it is installed once an attacker already holds root on the host, so no CVE identifier has been assigned.
The backdoor is advertised on the Rehub forum, a Russian-language marketplace for cybercrime tools, with listings showing a price that fluctuates between nine hundred and one thousand six hundred US dollars, per Flare.io analysis. The seller uses the handle darkworm and provides a short demo video showing an SSH login with the secret trigger. According to research from Flare.io, PamDOORa is the second PAM-based backdoor to appear in the wild after Plague and includes anti-forensic capabilities that modify PAM log files to avoid detection by standard audit tools.
Authorities in Taiwan have not publicly linked the student's rail intrusion to PamDOORa, but the timing raises questions about whether the same toolkit was used to maintain a foothold inside the signalling servers, per SecurityWeek. Darkworm has been observed in underground chats advertising the backdoor to actors interested in the transportation and energy sectors, suggesting a broader interest in critical infrastructure. The ability to harvest SSH credentials silently could allow an attacker to move laterally across rail operations systems, manipulate schedules or safety alerts, and remain undetected for extended periods.
Defenders should start by reviewing the PAM configuration on all Linux servers for any unfamiliar .so files in /lib/security or /usr/lib/security (on current distributions the module directory is commonly /lib/x86_64-linux-gnu/security or /usr/lib64/security) and comparing them against a known-good baseline, per CISA guidance. Monitoring SSH logs for successful authentications that occur outside normal working hours or from unusual source IPs can reveal credential harvesting attempts; because the backdoor tampers with local authentication logs, those logs should be forwarded to a remote collector the host cannot modify. Enforcing multi-factor authentication for privileged accounts and restricting SSH access to jump hosts reduces the value of stolen passwords. Deploying file integrity monitoring on PAM directories and enabling real-time alerts for new module installations will help catch PamDOORa before it becomes persistent.
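As an added example (not code from any of the sources cited here), the following Python script implements the baseline comparison described above: it collects the modules referenced by the files in a pam.d directory, lists the .so files present in the module directories, and compares both against a sha256sum-style baseline. The demo() fixture, including its module names and the tampered module, is constructed for illustration only.

```python
"""Audit PAM configs and module directories against a known-good hash baseline (added example)."""
import hashlib, os, re, tempfile
from pathlib import Path
# PAM control field is a keyword or a bracketed list such as [success=1 default=ignore].
_RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def referenced_modules(pam_dir):
    """Module names or absolute paths referenced by any file under pam_dir."""
    mods = set()
    for cfg in sorted(Path(pam_dir).iterdir()):
        for raw in cfg.read_text(errors="replace").splitlines():
            m = _RULE.match(raw.split("#", 1)[0].strip())
            if m and m.group(2) not in ("include", "substack"):  # these name other config files
                mods.add(m.group(3))
    return mods

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def load_baseline(path):
    """Parse sha256sum-style lines ("digest  /abs/path/pam_x.so") into {path: digest}."""
    pairs = (line.split() for line in Path(path).read_text().splitlines())
    return {p[1]: p[0] for p in pairs if len(p) == 2}

def audit_pam(pam_dir, module_dirs, baseline):
    """Flag referenced modules absent from the baseline, unlisted .so files on disk, changed hashes."""
    out = {"unknown_reference": [], "unlisted_on_disk": [], "hash_mismatch": []}
    for mod in sorted(referenced_modules(pam_dir)):
        paths = [mod] if mod.startswith("/") else [os.path.join(d, mod) for d in module_dirs]
        if not any(p in baseline for p in paths):
            out["unknown_reference"].append(mod)
    for p in sorted(str(f) for d in module_dirs for f in Path(d).glob("*.so")):
        if p not in baseline:
            out["unlisted_on_disk"].append(p)      # a module nobody approved, e.g. a dropped backdoor
        elif sha256_file(p) != baseline[p]:
            out["hash_mismatch"].append(p)         # approved module replaced or patched
    return out

def demo():
    """Constructed fixture: trusted pam_unix.so, tampered pam_sss.so, unlisted pam_evil.so."""
    root = Path(tempfile.mkdtemp()); pamd, lib = root / "pam.d", root / "lib" / "security"
    pamd.mkdir(); lib.mkdir(parents=True)
    for name, data in (("pam_unix.so", b"unix"), ("pam_sss.so", b"sss"), ("pam_evil.so", b"evil")):
        (lib / name).write_bytes(data)
    (root / "baseline.txt").write_text(                      # baseline taken before pam_sss.so changed
        f"{sha256_file(lib / 'pam_unix.so')}  {lib / 'pam_unix.so'}\n"
        f"{hashlib.sha256(b'old-sss').hexdigest()}  {lib / 'pam_sss.so'}\n")
    (pamd / "sshd").write_text("auth [success=1 default=ignore] pam_unix.so nullok  # comment\n"
        "auth required pam_evil.so\nauth include common-auth\nsession optional pam_sss.so\n")
    return audit_pam(pamd, [str(lib)], load_baseline(root / "baseline.txt"))
```

On a real host, run audit_pam("/etc/pam.d", [module directory], load_baseline(path)) against a baseline recorded from a trusted image, and treat any entry in the three lists as a file integrity finding to investigate.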
Organisations should also consider disabling password-based SSH in favour of key-only authentication, which nullifies the credential-stealing function of PamDOORa, as noted by BackBox.org; it does not stop an attacker who already holds root from loading the module, so it complements rather than replaces integrity monitoring. Sharing indicators of compromise with trusted peers and participating in sector-specific information sharing groups can improve early warning. Regular red team exercises that simulate the installation of a malicious PAM module will test detection and response capabilities, ensuring that any similar threat is identified and removed before it can affect critical services.