Researchers from Nextron Systems have discovered new Linux malware that went undetected for over a year. It lets attackers keep persistent access over SSH and bypass authentication on compromised systems.
The malware has been named Plague and is a malicious PAM (Pluggable Authentication Module). It employs multi-layered obfuscation and disguises itself to evade detection by security solutions.
Plague includes anti-debugging and anti-analysis measures, hides its strings and commands, uses hard-coded passwords for covert access, and can conceal traces of the sessions that would otherwise reveal the attackers' activity.
Once loaded, the malware scrubs the runtime environment of evidence of its presence: it unsets the SSH-related environment variables and points the shell's command history at /dev/null, so that an attacker's session leaves behind neither a command log nor the session metadata that would normally be recorded.
“Plague integrates deeply into the authentication stack, can ‘survive’ system updates, and leaves virtually no traces. Combined with obfuscation and environmental modification, this makes Plague almost undetectable by traditional security tools,” says Nextron Systems specialist Pierre-Henri Pezier. “The malware actively cleans the runtime environment to hide SSH sessions. Variables such as SSH_CONNECTION and SSH_CLIENT are removed using unsetenv, and HISTFILE is redirected to /dev/null to avoid logging.”
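The environment tampering described above gives defenders something concrete to hunt for. The script below is an added example written for this article, not code from Nextron's analysis: it walks the process table, and for every interactive shell that descends from sshd it reports whether SSH_CONNECTION or SSH_CLIENT is missing or HISTFILE points at /dev/null. The `SAMPLE_PROCS` table is constructed data for demonstration; `read_proc_table()` collects the same information from a live Linux host (reading another user's /proc/PID/environ needs root).

```python
"""Hunt for SSH-spawned shells whose environment has been scrubbed.

Added example, not Nextron's code. Heuristic: a shell reached through sshd
normally carries SSH_CONNECTION and SSH_CLIENT and keeps a real history
file; a shell under sshd that lacks both, or has HISTFILE=/dev/null, is
worth a closer look. Treat hits as leads, not proof.
"""
import os
from dataclasses import dataclass

SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh"}
SSHD_NAMES = {"sshd", "sshd-session"}  # newer OpenSSH splits out sshd-session


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    env: dict


def descends_from_sshd(proc, table):
    """True if any ancestor of proc (by ppid chain) is an sshd process."""
    seen = set()
    cur = table.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.comm in SSHD_NAMES:
            return True
        cur = table.get(cur.ppid)
    return False


def find_scrubbed_sessions(procs):
    """Return [(pid, reason)] for SSH-descended shells with a suspicious env."""
    table = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.comm not in SHELLS or not descends_from_sshd(p, table):
            continue
        reasons = []
        missing = [v for v in ("SSH_CONNECTION", "SSH_CLIENT") if v not in p.env]
        if missing:
            reasons.append("missing " + ",".join(missing))
        if p.env.get("HISTFILE") == "/dev/null":
            reasons.append("HISTFILE=/dev/null")
        if reasons:
            findings.append((p.pid, "; ".join(reasons)))
    return findings


def read_proc_table():
    """Build the process table from a live /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or environ not readable
        # /proc/PID/stat: "pid (comm) state ppid ..."; comm may contain spaces
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        env = {}
        for item in raw.split(b"\0"):
            if b"=" in item:
                k, _, v = item.partition(b"=")
                env[k.decode(errors="replace")] = v.decode(errors="replace")
        procs.append(Proc(pid, ppid, comm, env))
    return procs


# Constructed sample process table (not captured from a real host).
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", {}),
    Proc(900, 1, "sshd", {}),
    Proc(1200, 900, "sshd", {}),
    Proc(1201, 1200, "bash", {
        "SSH_CONNECTION": "203.0.113.5 51234 192.0.2.10 22",
        "SSH_CLIENT": "203.0.113.5 51234 22",
        "HISTFILE": "/home/alice/.bash_history",
    }),
    Proc(1300, 900, "sshd", {}),
    Proc(1301, 1300, "bash", {"HISTFILE": "/dev/null", "USER": "root"}),
    Proc(2000, 1, "bash", {"HISTFILE": "/dev/null"}),  # console login, ignored
]

if __name__ == "__main__":
    for pid, reason in find_scrubbed_sessions(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

On the sample table only pid 1301 is reported: it sits under sshd but has no SSH_CONNECTION or SSH_CLIENT and its history is discarded. The console shell (pid 2000) is ignored even though it also has HISTFILE=/dev/null, because it did not arrive over SSH; some administrators set that legitimately, so the check only fires where the article's two indicators coincide with an SSH ancestry.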
Analysis of the samples turned up compilation artifacts pointing to extensive, ongoing development: builds made with different GCC versions and targeting different Linux distributions.
Although several versions of the malware were uploaded to VirusTotal over the past year, not one antivirus engine flagged any of them as malicious.
“Plague is an advanced and constantly evolving threat for Linux. It uses basic authentication mechanisms to maintain a stealthy and persistent presence in the system,” adds Pezier. “Sophisticated obfuscation, static credentials, and runtime environment manipulation make it virtually invisible to standard security tools.”