Ethical Hacking News
Recently, researchers at Nextron Threat discovered a highly-persistent Linux backdoor known as "Plague" that has been evading detection using traditional tools. This malware exploits core authentication mechanisms to maintain stealth and persistence, making it exceptionally difficult to detect. With its advanced obfuscation techniques and hardcoded passwords, Plague poses a significant threat to Linux users. Stay informed about the latest security developments and take necessary precautions to protect your systems.
Researchers at Nextron Threat have identified a highly-persistent Linux backdoor known as "Plague" that exploits core authentication mechanisms. The Plague malware is difficult to detect using conventional methods due to its advanced obfuscation techniques and static credentials. The malware integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. The Plague backdoor allows attackers to silently bypass system authentication and gain persistent SSH access. The malware sanitizes the runtime environment to eliminate evidence of an SSH session and conceals itself from debuggers. The discovery highlights a critical vulnerability in Linux systems, and new variants have been uploaded to VirusTotal without being flagged as malware.
Linux users are facing a new and ominous threat, as researchers at German infosec services company Nextron Threat have identified a highly-persistent Linux backdoor known as "Plague." This malware creates a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence. The Plague malware is particularly difficult to detect using conventional methods due to its advanced obfuscation techniques, static credentials, and environment tampering.
According to Nextron researcher Pierre-Henri Pezier, the malware "integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces." This makes it exceptionally hard to detect using traditional tools. The Plague backdoor is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.
The malware actively sanitizes the runtime environment to eliminate evidence of an SSH session: it hides session logs to evade scanning, implements a custom string-obfuscation system, and conceals itself from debuggers by borrowing the legitimate libselinux.so.8 shared library file name. It also contains hardcoded passwords that give the operator easy access.
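A defender-side check prompted by the details above, added here as an example and not taken from the article or from Nextron's research: the script parses /etc/pam.d entries and lists the PAM module directories, flagging any module that is referenced by absolute path or that does not follow the pam_*.so naming convention, which is exactly what a file named libselinux.so.8 inside a PAM module directory would trigger. The directory paths are assumed typical Debian and RHEL-family locations; a non-standard name is a lead to review against the package manager, not a verdict.

```python
import os
import re
from pathlib import Path

# Typical PAM module directories on Debian/Ubuntu and RHEL-family hosts (assumed paths).
PAM_DIRS = ["/lib/security", "/lib64/security", "/usr/lib64/security",
            "/usr/lib/x86_64-linux-gnu/security", "/lib/x86_64-linux-gnu/security"]
# Genuine PAM modules are named pam_<something>.so; anything else is worth a look.
MODULE_RE = re.compile(r"^pam_[A-Za-z0-9_]+\.so$")

def parse_pam_config(text):
    """Parse one /etc/pam.d file body into (type, control, module) tuples.
    Skips comments and @include lines; accepts bracketed controls such as
    [success=1 default=ignore]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            entries.append(m.groups())
    return entries

def flag_config_modules(entries):
    """Modules loaded from an explicit path or not named pam_*.so."""
    return [mod for _, _, mod in entries if "/" in mod or not MODULE_RE.match(mod)]

def flag_dir_entries(names):
    """Entries in a PAM module directory that break the pam_*.so convention.
    A libselinux library has no business there, so 'libselinux.so.8' is flagged."""
    return [n for n in names if not MODULE_RE.match(n)]

def audit_system():
    """Run both checks on the live host; returns {location: [flagged names]}."""
    findings = {}
    for d in PAM_DIRS:
        if os.path.isdir(d):
            bad = flag_dir_entries(sorted(os.listdir(d)))
            if bad:
                findings[d] = bad
    pamd = Path("/etc/pam.d")
    if pamd.is_dir():
        for f in pamd.iterdir():
            if f.is_file():
                bad = flag_config_modules(parse_pam_config(f.read_text(errors="replace")))
                if bad:
                    findings[str(f)] = bad
    return findings

if __name__ == "__main__":
    for loc, bad in audit_system().items():
        print(f"{loc}: {', '.join(bad)}")
```

Subdirectories such as pam_filter/ on some distributions will also be listed; confirm ownership of each flagged entry with dpkg -S or rpm -qf before acting on it.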
Nextron is not yet sure how miscreants install Plague, which makes the find even more concerning, as it highlights a critical vulnerability in Linux systems. Moreover, Pezier noted that parties unknown uploaded Plague variants to VirusTotal in 2024, and the malware scanning service never flagged the code as malicious. This suggests that the malware has been present on Linux systems for months without tripping any alarms.
The discovery of the Plague malware is a stark reminder of the importance of staying vigilant and proactive when it comes to security. As Linux users continue to face new threats, it's essential to remain informed about the latest developments and take necessary precautions to protect our systems.
In conclusion, the rise of the "Plague" malware on Linux systems is a concerning development that highlights the ongoing cat-and-mouse game between attackers and defenders. It's crucial for Linux users to stay alert and implement robust security measures to prevent such threats from taking hold.
Related Information:
https://www.ethicalhackingnews.com/articles/Nearly-Undetectable-The-Rise-of-the-Plague-Malware-on-Linux-Systems-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/08/05/plague_linux_backdoor/
Published: Mon Aug 4 19:39:42 2025 by llama3.2 3B Q4_K_M