For over a year, a stealthy piece of malware has been quietly worming its way into Linux systems, and hardly anyone noticed. Dubbed “Plague”, this digital parasite doesn’t crash systems or steal files in obvious ways—it’s far more subtle, and that’s what makes it so dangerous.
At the heart of its trickery is the Pluggable Authentication Modules framework, or PAM for short. PAM is the part of the system that decides who gets access. It’s used across countless Linux and UNIX environments, making it a prime target for anyone looking to sneak in unnoticed.
Plague masquerades as a legitimate PAM module. Once it’s in place, it gives attackers a backdoor into the system via SSH, bypassing normal login checks. It’s clever, quiet, and persistent. It even wipes away traces of its activity—like clearing shell history and hiding SSH connection details—so system admins are left none the wiser.
What’s more, it’s built to survive. It uses hardcoded credentials, resists debugging, and obfuscates its code to make analysis a nightmare. Even when samples were uploaded to VirusTotal, none of the major antivirus engines flagged it. That’s not just luck—it’s a sign of careful, ongoing development.
This isn’t your run-of-the-mill malware. It’s a reminder that even the most trusted parts of a system can be turned against you. And while traditional security tools might miss it, behavioural analysis and forensic monitoring could be the key to spotting threats like Plague before they take hold.
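Because Plague poses as a legitimate PAM module, one forensic check is to list every module a PAM service file loads and compare it with what the host is expected to use. The following is an added example, not code from the original article or from any analysis of Plague; the baseline set, the directory list, the sample configuration and the module name `pam_example_unknown.so` are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of modules this host is expected to load (hypothetical baseline).
BASELINE = {"pam_unix.so", "pam_env.so", "pam_nologin.so",
            "pam_deny.so", "pam_permit.so", "pam_limits.so"}
# Assumed standard module directories; these differ between distributions.
STANDARD_DIRS = ("/lib/security/", "/lib64/security/",
                 "/usr/lib/security/", "/usr/lib64/security/",
                 "/lib/x86_64-linux-gnu/security/",
                 "/usr/lib/x86_64-linux-gnu/security/")
# type, control (simple keyword or [value=action ...]), module path
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample in /etc/pam.d/sshd style; module names and paths are made up.
SAMPLE_SSHD = """\
# constructed example
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient   pam_example_unknown.so
auth       requisite    pam_deny.so
account    required     pam_nologin.so
@include common-session
session    optional     /opt/constructed/pam_unix.so
-session   optional     pam_limits.so
"""

def audit_pam(text, baseline=BASELINE):
    """Return (module, reason) for every module reference that needs review."""
    findings = []
    # Join backslash-continued lines before parsing.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, comment or @include directive
        _type, control, module = m.groups()
        if control in ("include", "substack"):
            continue  # third field is another service file, not a module
        if module.startswith("/") and not module.startswith(STANDARD_DIRS):
            # A familiar file name does not help if the path is unusual.
            findings.append((module, "non-standard directory"))
        elif module.rsplit("/", 1)[-1] not in baseline:
            findings.append((module, "not in baseline"))
    return findings

if __name__ == "__main__":
    for module, reason in audit_pam(SAMPLE_SSHD):
        print(f"REVIEW {module}: {reason}")
```

This check only covers what the configuration references; a file swapped in under an expected name inside a standard directory needs a separate integrity check, such as the package manager's file verification.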