- A dark web seller wants $1,600 for a Linux backdoor called PamDOORa.
- The tool hides inside the operating system’s authentication layer to steal passwords.
- The backdoor grants persistent SSH access using a magic password and can capture every legitimate user’s credentials during login attempts.

A threat actor on a Russian cybercrime forum called Rehub is selling complete source code for a backdoor that hides inside one of your system’s most trusted layers. The backdoor, named PamDOORa, targets x86_64 Linux systems.
It slips into the system quietly and, once inside, silently copies every credential that passes through the door. It also leaves a secret entrance for the attacker that no one else can see.
What Makes PamDOORa Different
Pluggable Authentication Modules (PAM for short) is what takes care of login authentication on Linux. A file called /etc/pam.d/sshd controls how SSH verifies users before they log in.
Any change to these files alters how the system decides who is permitted to log in. Attackers normally tweak a line or two here. But PamDOORa takes a smarter approach.
The backdoor injects a malicious module called pam_linux.so into the authentication stack. It does not replace the standard pam_unix.so file. Instead, it loads as an additional module through configuration changes. This makes detection much harder.
The backdoor only activates for specific network traffic. A routine called procFindConnectionSocket scans file descriptors under /proc/[pid]/fd. It checks socket metadata like type, family, and protocol. Then it matches the connection to a particular TCP port and magic password combination. This network-aware trigger is stricter than most typical backdoors.
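One defensive check that follows from this, as an added example and not code from the article, the seller, or any vendor tool: a small Python auditor that parses the /etc/pam.d/ line format (type, control flag, module path, arguments) and flags any module that is not in a baseline allowlist of distribution modules, or that is loaded by path from outside the distribution's module directories. The allowlist, the trusted directory list, and the sample sshd stack (including its pam_linux.so line and the /tmp/.cache/pam_helper.so path) are constructed for the example; the real baseline should be built from what your distribution's package manager actually ships.

```python
"""Audit PAM configuration files for modules that do not belong.

Added example for this article; not PamDOORa's code and not a vendor tool.
It parses the /etc/pam.d/ line format used by Linux-PAM:

    [-]type  control  module-path  [module-arguments]

and flags (a) modules given as a path outside the distribution's module
directories and (b) modules whose file name is not in a baseline allowlist.
BASELINE_MODULES, TRUSTED_DIRS and SAMPLE_SSHD are constructed for the
example; build the real baseline from your distribution's packages.
"""
import os
import re

# Constructed baseline of module file names expected on this host.
BASELINE_MODULES = {
    "pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
    "pam_nologin.so", "pam_limits.so", "pam_loginuid.so", "pam_motd.so",
    "pam_mail.so", "pam_selinux.so", "pam_keyinit.so", "pam_systemd.so",
    "pam_faillock.so", "pam_lastlog.so", "pam_faildelay.so",
}

# Directories a distribution installs PAM modules into (constructed list;
# check your own distribution's layout).
TRUSTED_DIRS = (
    "/lib/security/", "/lib64/security/",
    "/usr/lib/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)

# type, control (single word or [bracketed action list]), module, args
LINE_RE = re.compile(
    r"^(-?)(auth|account|password|session)\s+"
    r"(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_pam_config(text):
    """Return a list of entries from one pam.d file; comments and @include
    directives are skipped, unparseable lines are kept and marked."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append({"type": "?", "control": "", "module": line,
                            "args": [], "malformed": True})
            continue
        optional, typ, control, module, args = m.groups()
        entries.append({"type": typ, "optional": optional == "-",
                        "control": control, "module": module,
                        "args": args.split(), "malformed": False})
    return entries


def audit_pam_config(text, baseline=BASELINE_MODULES):
    """Return (type, reason, module) findings for one pam.d file's text."""
    findings = []
    for e in parse_pam_config(text):
        mod = e["module"]
        if e["malformed"]:
            findings.append((e["type"], "unparseable line", mod))
            continue
        if "/" in mod:
            # Given as a path: it must live in a trusted module directory.
            if not mod.startswith(TRUSTED_DIRS):
                findings.append((e["type"], "module outside trusted dirs", mod))
                continue
            name = mod.rsplit("/", 1)[-1]
        else:
            name = mod
        if name not in baseline:
            findings.append((e["type"], "module not in baseline", mod))
    return findings


def audit_pam_dir(directory="/etc/pam.d"):
    """Audit every file under a pam.d directory; returns {filename: findings}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[name] = audit_pam_config(fh.read())
    return results


# Constructed sample of an sshd PAM stack with two suspicious entries.
SAMPLE_SSHD = """\
# constructed sample, Debian-style layout
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
auth       required     pam_permit.so
auth       optional     pam_linux.so
account    required     pam_nologin.so
account    required     pam_unix.so
-session   optional     pam_systemd.so
session    required     pam_loginuid.so
session    optional     /tmp/.cache/pam_helper.so
session    required     pam_limits.so
session    optional     pam_lastlog.so showfailed
"""

if __name__ == "__main__":
    for typ, reason, mod in audit_pam_config(SAMPLE_SSHD):
        print(f"{typ:8} {reason}: {mod}")
```

Run against the sample, the auditor reports the pam_linux.so entry (not in the baseline) and the session module loaded from /tmp. On a real host, pair the name check with an ownership check of the module file itself (`dpkg -S` or `rpm -qf` on the path under the security directory), since a backdoor can also be dropped under a legitimate-looking name in the trusted directory.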
Credential Theft and Anti-Forensics
PamDOORa does more than grant secret access. It also captures every password from legitimate users. The tool collects credentials right inside the PAM stack. That means it intercepts passwords before any application-layer logging happens.
The backdoor then encrypts the stolen data with XOR, using a key generated at runtime, and writes it to /tmp under filenames and timestamps made up on the fly. XOR is not strong encryption, but it is enough to get past basic content scanners.
Now here’s where it gets troubling for incident response teams. PamDOORa tampers with the auth logs, and it also tampers with lastlog, utmp, btmp, and wtmp, wiping every trace that shows the attacker ever got in. So when the security team SSHes in to find out what went wrong, one of two bad things happens: either the tool captures their credentials too, or it silently erases their access from the logs.
The implant also uses selective execution hooks: its handlers return PAM_IGNORE, so it stays mostly dormant during normal operations. This blend of stealth tactics mirrors what you see in advanced Linux persistence tooling.
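The log tampering described above is also where a defender has leverage: accounting files on the host can be edited, but a copy of the auth log already forwarded to a remote collector cannot be edited from the compromised host. The following Python is an added example, not the article's or the seller's code, that decodes wtmp records (glibc's 384-byte x86_64 struct utmp layout) and reports SSH logins that a forwarded auth log recorded but the local wtmp does not, plus any records that have been zeroed in place, a common wiping pattern in log-cleaning tools that the article does not specifically attribute to PamDOORa. The auth log lines and the wtmp bytes are constructed for the example.

```python
"""Cross-check SSH logins in an off-host auth log copy against local wtmp.

Added example for this article; not PamDOORa's code and not a vendor tool.
Assumption: the auth log text comes from a remote syslog collector, so it
reflects logins the compromised host could not erase, while wtmp is the
local file. A login in the off-host copy with no USER_PROCESS record in
wtmp, or a wtmp record zeroed in place, is a lead for the investigator.
The auth log lines and the wtmp bytes below are constructed.
"""
import re
import struct
from datetime import datetime

# glibc struct utmp on x86_64: 384 bytes. Fields: ut_type, (2 pad bytes),
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused.
UTMP_FMT = "<h2xi32s4s32s256s2hi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

# sshd's "Accepted ..." line as written by a syslog forwarder using RFC 3339.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def epoch(iso):
    """RFC 3339 timestamp (with UTC offset) to integer Unix time."""
    return int(datetime.fromisoformat(iso).timestamp())


def make_utmp_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record (used here only to build the constructed sample)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def parse_wtmp(blob):
    """Decode every full record in a wtmp/utmp/btmp byte string."""
    records = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
        })
    return records


def find_blank_records(blob):
    """Indexes of records that are entirely zero bytes. In-place zeroing is a
    common wiping pattern in log-cleaning tools (a general observation, not
    a behaviour the article attributes to PamDOORa specifically)."""
    return [i for i in range(len(blob) // UTMP_SIZE)
            if blob[i * UTMP_SIZE:(i + 1) * UTMP_SIZE] == b"\0" * UTMP_SIZE]


def find_missing_logins(auth_log, blob, window=120):
    """Accepted SSH logins in the auth log with no matching wtmp USER_PROCESS
    record (same user and source host, within `window` seconds)."""
    sessions = [r for r in parse_wtmp(blob) if r["type"] == USER_PROCESS]
    missing = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        t = epoch(m["ts"])
        if not any(r["user"] == m["user"] and r["host"] == m["src"]
                   and abs(r["time"] - t) <= window for r in sessions):
            missing.append((m["user"], m["src"], m["ts"]))
    return missing


# Constructed off-host auth log: three accepted logins and one failure.
SAMPLE_AUTH_LOG = """\
2024-05-01T08:15:02+00:00 web01 sshd[2314]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
2024-05-01T08:52:40+00:00 web01 sshd[2390]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
2024-05-01T09:01:17+00:00 web01 sshd[2455]: Failed password for root from 203.0.113.5 port 51300 ssh2
2024-05-01T09:40:11+00:00 web01 sshd[2518]: Accepted password for alice from 203.0.113.9 port 50110 ssh2
"""

# Constructed local wtmp: the 09:40 login is absent and one record is zeroed.
SAMPLE_WTMP = b"".join([
    make_utmp_record(USER_PROCESS, 2314, "pts/0", "alice", "203.0.113.5",
                     epoch("2024-05-01T08:15:02+00:00")),
    make_utmp_record(DEAD_PROCESS, 2314, "pts/0", "", "",
                     epoch("2024-05-01T08:47:55+00:00")),
    make_utmp_record(USER_PROCESS, 2390, "pts/1", "bob", "198.51.100.7",
                     epoch("2024-05-01T08:52:40+00:00")),
    b"\0" * UTMP_SIZE,
])

if __name__ == "__main__":
    print("zeroed records at index:", find_blank_records(SAMPLE_WTMP))
    for user, src, ts in find_missing_logins(SAMPLE_AUTH_LOG, SAMPLE_WTMP):
        print(f"login not in wtmp: {user} from {src} at {ts}")
```

The important design point is that the comparison only works if the forwarded copy exists before the intrusion: remote syslog or a journal upload has to be in place ahead of time, because anything that only lives on the host is within reach of an implant that already sits inside the PAM stack.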
Assessing the Seller and Market
The threat actor offering this tool uses the alias “darkworm.” Analysts found five distinct personas using that same name across forums, but the PamDOORa seller is notably more credible technically than the others. The code snippets look realistic and align with known PAM abuse methods.
Initially, one copy of the source code sold for 1,600 USD. It later dropped to 900 USD, almost 50% off. This suggests either that there were not many buyers, or that the seller just wants a quicker sale.
Rehub itself became popular after many top underground platforms were shut down last year. Its entry barrier is low compared to other forums, making it more accessible, but that also means more scams and exaggerated claims. Trust and technical consistency are weaker than on invite-only forums.
Criminal markets are also flooded with stolen credentials. AI-enhanced phishing campaigns are contributing to the supply of logins available for sale, highlighting the demand for tools like PamDOORa.
How PamDOORa Compares to Open-Source Tools
GitHub searches showed 22 repositories matching the term ‘PAM backdoor.’ Most are crude PoC scripts; many just replace files or patch pam_unix.so in basic ways. Code quality is generally low to medium. 45% of these projects are shell scripts, while 35% are written in C.
PamDOORa is unique because it combines more than one technique. It is a cohesive, modular implant with anti-debugging features and even network-aware triggers, and it comes with a builder pipeline. That puts it almost on par with operator-grade tooling rather than commodity scripts.
Individual techniques like PAM hooks, credential capture, and log tampering are all well documented. But pulling them together into something configurable and maintainable? That’s real evolution.
This analysis is based mainly on a dark web advertisement and screenshots the seller shared. No review of the full source code is available yet, so the actual capabilities may differ from what the threat actor claims.