
Researchers from Nextron Systems discovered new malware for Linux that remained undetected for over a year. It allows attackers to maintain persistent access via SSH and bypass authentication on compromised systems.
The malware has been named Plague and is a malicious PAM (Pluggable Authentication Module). It employs multi-layered obfuscation and disguises itself to evade detection by security solutions.
Plague resists debugging and analysis, hides its strings and commands, uses hard-coded passwords for covert access, and can also conceal traces of the sessions that would reveal the attackers' activity.
Upon loading, the malware scrubs its runtime environment: it unsets SSH-related environment variables and redirects the shell command history to /dev/null, so that session activity leaves no history file, metadata or other digital traces in the system logs.
“Plague integrates deeply into the authentication stack, can ‘survive’ system updates, and leaves virtually no traces. Combined with obfuscation and environmental modification, this makes Plague almost undetectable by traditional security tools,” says Nextron Systems specialist Pierre-Henri Pezier. “The malware actively cleans the runtime environment to hide SSH sessions. Variables such as SSH_CONNECTION and SSH_CLIENT are removed using unsetenv, and HISTFILE is redirected to /dev/null to avoid logging.”
While analyzing the samples, the researchers found compilation artifacts showing that the malware is under extensive, active development: builds were produced with different versions of GCC and for different Linux distributions.
Moreover, although various versions of this malware have been uploaded to VirusTotal over the past year, not a single antivirus engine has detected them as malicious.
“Plague is an advanced and constantly evolving threat for Linux. It uses basic authentication mechanisms to maintain a stealthy and persistent presence in the system,” adds Pezier. “Sophisticated obfuscation, static credentials, and runtime environment manipulation make it virtually invisible to standard security tools.”
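As an added defender-side example (not code from the Nextron report or from the Plague samples), the script below audits pam.conf / pam.d rules for modules outside a package-derived allowlist and scans a module's bytes for the environment-tampering strings named above; the allowlist, the module file names and the sample inputs are constructed assumptions.

```python
import os
import re
from typing import List, Set

# Runtime-tampering strings the report attributes to Plague (unsetenv on SSH_CONNECTION
# and SSH_CLIENT, HISTFILE pointed at /dev/null); no legitimate PAM module needs these.
ENV_TAMPER_MARKERS = (b"unsetenv", b"SSH_CONNECTION", b"SSH_CLIENT", b"HISTFILE", b"/dev/null")
# Illustrative allowlist (assumption); on a real host build it from the package manager (dpkg -S / rpm -qf).
KNOWN_MODULES: Set[str] = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
                           "pam_nologin.so", "pam_limits.so", "pam_systemd.so"}

# One rule: [service] type control module [args]; control may be a bracketed list.
_RULE = re.compile(r"^(?:(?P<svc>\S+)\s+)?(?P<type>-?(?:auth|account|password|session))\s+"
                   r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def pam_modules_in_config(text: str) -> List[str]:
    """Modules referenced by a pam.conf / pam.d file (comments and continuations handled)."""
    folded = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued rules
    modules = []
    for raw in folded.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):  # Debian-style file include
            continue
        m = _RULE.match(line)
        if not m or m.group("control") in ("include", "substack"):
            continue  # include/substack name another config file, not a module
        modules.append(m.group("module"))
    return modules

def unlisted_pam_modules(text: str, known: Set[str] = KNOWN_MODULES) -> List[str]:
    """Referenced modules whose file name is not in the allowlist: review these first."""
    return sorted({os.path.basename(m) for m in pam_modules_in_config(text)} - known)

def env_tamper_markers(module_bytes: bytes) -> List[str]:
    """Markers present in a module's bytes. Plague obfuscates its strings, so an empty
    result is not a pass; the allowlist check above is the primary signal."""
    return [mk.decode() for mk in ENV_TAMPER_MARKERS if mk in module_bytes]

# Constructed sample inputs, not artefacts from a real host or from the Plague samples.
SAMPLE_CONFIG = """\
auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok \\
                                     try_first_pass
auth     optional                    /lib/security/pam_notinpkg.so   # not package-owned
auth     include                     system-auth
@include common-account
-session optional                    pam_systemd.so
"""
SAMPLE_TAMPERING_BLOB = b"\x7fELF\x00pam_sm_authenticate\x00unsetenv\x00SSH_CONNECTION\x00HISTFILE\x00/dev/null\x00"
SAMPLE_BENIGN_BLOB = b"\x7fELF\x00pam_sm_authenticate\x00pam_get_user\x00"
```

Run `unlisted_pam_modules` over every file under /etc/pam.d plus /etc/pam.conf, and apply `env_tamper_markers` to each unlisted module's bytes read from disk.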