Antivirus Vendors Fail to Spot Persistent, Nasty, Stealthy Linux Backdoor: A Deep Dive into the “Plague” Malware
In a recent revelation that has sent shockwaves through the cybersecurity community, researchers at German infosec services company Nextron Threat have uncovered a sophisticated piece of malware targeting Linux systems. Dubbed “Plague,” this backdoor has managed to evade detection by antivirus engines for months, raising serious concerns about the effectiveness of current security measures. Let’s delve into the details of this alarming discovery and explore its implications for Linux infrastructure.
The Discovery of Plague
Nextron researcher Pierre-Henri Pezier spearheaded the investigation into Plague, a malware that masquerades as a legitimate Pluggable Authentication Module (PAM) on Linux systems. The name “Plague” was inspired by a line from the 1995 film Hackers, found within the deobfuscated code: “Uh. Mr. The Plague, sir? I think we have a hacker.” This seemingly innocuous reference belies the malware’s dangerous capabilities.
How Plague Operates
- Deep Integration: Plague is built as a malicious PAM, allowing attackers to bypass system authentication and gain persistent SSH access.
- Stealth Techniques: The malware integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces.
- Environment Sanitization: Plague actively sanitizes the runtime environment to eliminate evidence of an SSH session. It unsets environment variables like SSH_CONNECTION and SSH_CLIENT and redirects HISTFILE to /dev/null to prevent shell command logging.
- Obfuscation: The malware employs custom string obfuscation, resists analysis under a debugger, and hides on disk under legitimate-looking file names such as libselinux.so.8.
- Hardcoded Credentials: Plague contains hardcoded passwords, granting easy access to its operators.
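The environment sanitization described above is observable from the defender's side: a login shell whose HISTFILE points at /dev/null, or one spawned by sshd that carries none of the SSH_* variables, stands out. The script below is an added example written for this post, not Nextron's code and not derived from the Plague sample. It parses the NUL-separated format of /proc/<pid>/environ and applies those two heuristics; the sample environments are constructed, and the assumption that the stripped variables are visible in the session process's environment is mine.

```python
"""Flag interactive sessions whose environment looks sanitized.

Added example for this post (not Nextron's code, not from the Plague sample).
Heuristics: HISTFILE=/dev/null, or a child of sshd with no SSH_* variables.
"""
from pathlib import Path

SSH_MARKERS = ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")


def parse_environ(raw: bytes) -> dict:
    """Parse /proc/<pid>/environ bytes: KEY=VALUE entries separated by NUL."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def sanitization_indicators(env: dict, parent_is_sshd: bool) -> list:
    """Return human-readable reasons this environment looks tampered with.

    parent_is_sshd: whether the process was spawned by sshd (the caller
    checks /proc/<ppid>/comm). A shell started by sshd that lacks every
    SSH_* variable is the anomaly the article describes.
    """
    reasons = []
    if env.get("HISTFILE") == "/dev/null":
        reasons.append("HISTFILE redirected to /dev/null (shell history disabled)")
    if parent_is_sshd and not any(m in env for m in SSH_MARKERS):
        reasons.append("sshd child without SSH_CONNECTION/SSH_CLIENT/SSH_TTY")
    return reasons


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk a /proc tree and return {pid: reasons} for suspicious processes.

    Reading other users' environ files needs root; unreadable entries are
    skipped rather than reported.
    """
    findings = {}
    root = Path(proc_root)
    for pid_dir in root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            raw = (pid_dir / "environ").read_bytes()
            # /proc/<pid>/stat: "pid (comm) state ppid ..."; comm may contain spaces,
            # so split on the last ')' before taking the fields after it.
            fields = (pid_dir / "stat").read_text().rsplit(")", 1)[1].split()
            ppid = fields[1]
            parent_comm = (root / ppid / "comm").read_text().strip()
        except (OSError, IndexError):
            continue
        reasons = sanitization_indicators(parse_environ(raw), parent_comm == "sshd")
        if reasons:
            findings[int(pid_dir.name)] = reasons
    return findings


# Constructed sample environments (not captured from any real host).
NORMAL_SSH_SESSION = (
    b"USER=alice\0SSH_CONNECTION=10.0.0.5 51234 10.0.0.9 22\0"
    b"SSH_CLIENT=10.0.0.5 51234 22\0HISTFILE=/home/alice/.bash_history\0"
)
SANITIZED_SESSION = b"USER=alice\0HISTFILE=/dev/null\0TERM=xterm\0"

if __name__ == "__main__":
    for pid, why in sorted(scan_proc().items()):
        print(pid, "; ".join(why))
```

HISTFILE=/dev/null is also set deliberately by privacy-minded users, so treat a hit as a triage lead to correlate with auth logs and the PAM audit, not as proof of compromise.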
The Threat to Linux Systems
The presence of Plague as a PAM is particularly concerning due to PAM’s critical role in system authentication. A backdoor at this layer could be used to capture user credentials and circumvent standard authentication mechanisms. Nextron’s inability to determine how Plague is initially installed adds another layer of uncertainty and risk.
Antivirus Engines’ Blind Spot
One of the most troubling aspects of this discovery is that Plague variants were uploaded to VirusTotal in 2024, yet the malware scanning service failed to flag them as malicious. This oversight highlights a significant gap in current antivirus detection capabilities, especially concerning advanced threats targeting Linux environments.
Current Status and Response
Following Nextron’s public disclosure, over 30 antivirus engines have updated their definitions to recognize the malicious PAM module as malware. Nextron did not notify security vendors ahead of time, considering the public release of technical information as responsible disclosure.
No Known Infections—Yet
Despite the malware’s sophistication, there have been no public reports of Plague being detected in the wild. However, the fact that it has existed undetected for months is a cause for concern. Nextron recommends that administrators manually verify the legitimacy of PAM files and has updated its free THOR Lite software to detect Plague-like threats.
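One way to act on the recommendation to verify PAM files, and to cover the legitimate-looking file names mentioned earlier, is to compare the module directory and the pam.d configuration against a baseline captured from a trusted install. The script below is an added example for this post; it is not Nextron's code and is unrelated to THOR Lite. It assumes a baseline manifest in sha256sum format ("<hex>  <filename>"), a directory of PAM modules and a pam.d directory; the sample tree built by build_demo_tree() is constructed (real module names such as pam_unix.so, but placeholder contents).

```python
"""Audit PAM modules and pam.d references against a known-good baseline.

Added example for this post (not Nextron's code, not THOR Lite). Compares by
hash rather than by name, so a rogue module hiding under a benign-looking
file name is still reported.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# pam.d rule: [-]type control-or-[bracketed control] module-path [args]
PAM_RULE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest: Path) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}."""
    entries = {}
    for line in manifest.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[Path(name.lstrip("*")).name] = digest
    return entries


def referenced_modules(pam_d: Path) -> set:
    """Collect module file names referenced by every rule under pam.d."""
    names = set()
    for cfg in pam_d.iterdir():
        if not cfg.is_file():
            continue
        for line in cfg.read_text().splitlines():
            m = PAM_RULE.match(line.split("#", 1)[0])
            if m:
                names.add(Path(m.group(3)).name)
    return names


def audit(module_dir: Path, manifest: Path, pam_d: Path) -> dict:
    """Return files not in the baseline, files whose hash changed, baseline
    files that vanished, and pam.d rules pointing at modules not in the baseline."""
    baseline = load_manifest(manifest)
    present = {p.name: sha256(p) for p in module_dir.iterdir() if p.is_file()}
    return {
        "unknown": sorted(n for n in present if n not in baseline),
        "modified": sorted(n for n in present if n in baseline and present[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in present),
        "unlisted_references": sorted(n for n in referenced_modules(pam_d) if n not in baseline),
    }


def build_demo_tree(root: Path) -> tuple:
    """Create a constructed module dir, baseline manifest and pam.d under root."""
    modules = root / "security"
    pam_d = root / "pam.d"
    modules.mkdir()
    pam_d.mkdir()
    (modules / "pam_unix.so").write_bytes(b"constructed legitimate module")
    (modules / "pam_env.so").write_bytes(b"constructed legitimate module 2")
    manifest = root / "pam-baseline.sha256"
    manifest.write_text("".join(f"{sha256(p)}  {p.name}\n" for p in sorted(modules.iterdir())))
    # Simulate what a later audit should catch (all constructed):
    (modules / "pam_env.so").write_bytes(b"tampered contents")          # modified in place
    (modules / "libselinux.so.8").write_bytes(b"rogue, benign-looking name")  # not in baseline
    (pam_d / "sshd").write_text(
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth required pam_env.so\n"
        "auth sufficient /usr/lib/libselinux.so.8   # constructed rogue rule\n"
        "@include common-account\n"
    )
    return modules, manifest, pam_d


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        modules, manifest, pam_d = build_demo_tree(Path(tmp))
        return audit(modules, manifest, pam_d)


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(f"{category}: {names}")
```

Generate the baseline from a freshly provisioned host or from package verification (rpm -V, debsums) and store it off the box; a module that was dropped in later, or a pam.d rule pointing at a library outside the module directory, then shows up as "unknown" or "unlisted_references" regardless of what it is called.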
Conclusion
The discovery of Plague serves as a stark reminder of the evolving threat landscape facing Linux systems. Its ability to evade detection, maintain persistence, and operate stealthily underscores the need for continuous vigilance and advanced security measures. As antivirus vendors scramble to update their defenses, administrators must remain proactive in safeguarding their systems against such insidious threats.
“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence. Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.” – Pierre-Henri Pezier, Nextron Threat
Stay informed, stay secure, and always question the integrity of your system’s core components.
Source: Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor, https://www.theregister.com/2025/08/05/plague_linux_backdoor/