Linux Backdoor "Plague" Evaded Detection for Over a Year
Researchers at Nextron Systems have uncovered a sophisticated Linux backdoor, dubbed Plague, that managed to stay hidden for more than a year. The malware provides attackers with persistent SSH access and enables authentication bypass on compromised systems—without triggering alerts from traditional security tools.
Plague is delivered as a malicious PAM (Pluggable Authentication Module) that embeds itself within the system’s core authentication stack. Through multiple layers of obfuscation and runtime environment manipulation, it evades forensic analysis and endpoint detection.
Key Capabilities of Plague
The malware is designed for stealth, with features including:
- Anti-debugging and anti-analysis techniques to resist reverse engineering.
- String and command obfuscation to hide malicious operations.
- Hardcoded credentials for covert backdoor access.
- Session concealment to erase signs of attacker presence.
Once deployed, Plague aggressively sanitizes its environment to avoid detection:
- Resets SSH-related environment variables such as SSH_CONNECTION and SSH_CLIENT.
- Redirects command history by pointing HISTFILE to /dev/null.
- Deletes log metadata and erases traces from system logging mechanisms.
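As an added example (not code from the Nextron write-up), a defender's check for the environment scrubbing described above: it parses /proc/<pid>/environ and flags session processes spawned by sshd that lack SSH_CONNECTION or SSH_CLIENT, or whose HISTFILE points at /dev/null. Process and parent names are read from /proc/<pid>/comm and /proc/<pid>/stat; the scan needs root to read other users' environments.

```python
import os
SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT")

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def scrub_indicators(env: dict, comm: str, parent_comm: str) -> list:
    """Indicators for one process (comm/parent_comm are /proc/<pid>/comm values);
    sshd's own per-connection children are skipped, only the spawned session is checked."""
    hits = []
    if parent_comm == "sshd" and comm != "sshd":
        missing = [v for v in SSH_VARS if v not in env]
        if missing:
            hits.append("sshd child without " + ",".join(missing))
    if env.get("HISTFILE") == "/dev/null":  # some admins set this; a lead, not proof
        hits.append("HISTFILE=/dev/null")
    return hits

def _read(path: str, mode: str = "r"):
    with open(path, mode) as f:
        return f.read()

def scan_proc() -> dict:
    """Walk /proc (root needed to read other users' environ) and collect hits."""
    findings = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            env = parse_environ(_read(f"/proc/{name}/environ", "rb"))
            comm = _read(f"/proc/{name}/comm").strip()
            ppid = _read(f"/proc/{name}/stat").rsplit(")", 1)[1].split()[1]  # "(comm) state ppid"
            parent_comm = _read(f"/proc/{ppid}/comm").strip()
        except (OSError, IndexError):
            continue
        hits = scrub_indicators(env, comm, parent_comm)
        if hits:
            findings[int(name)] = hits
    return findings

if __name__ == "__main__":
    for pid, hits in sorted(scan_proc().items()):
        print(pid, "; ".join(hits))
```

Expect some legitimate hits where history is disabled by policy; the value lies in correlating a hit with an unexpected PAM module on the same host.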
“Plague deeply embeds itself into the authentication stack, can survive system updates, and leaves almost no traces,” said Pierre-Henri Pezier, researcher at Nextron Systems. “It actively scrubs the execution environment to hide SSH sessions—unset variables, redirected history files—it’s all designed to stay under the radar.”
Evidence of Ongoing Development
Analysis of multiple Plague samples reveals indications of long-term, active development. Researchers observed compilation artifacts pointing to the use of different GCC versions and targeting across various Linux distributions, suggesting a broad and evolving deployment strategy.
Notably, several variants of Plague had been uploaded to VirusTotal over the past year—yet none were flagged as malicious by any antivirus engines. That speaks volumes about its evasiveness.
“Plague is a stealthy, evolving threat to Linux systems,” Pezier emphasized. “By abusing PAM and environment variables, it ensures long-lasting access while remaining virtually undetectable.”
A Persistent and Invisible Threat
The discovery of Plague highlights the growing sophistication of Linux malware—particularly strains tailored for stealth and persistence. While Windows threats often make headlines, Linux remains an increasingly attractive target, especially for APT groups and financially motivated attackers seeking long-term access to enterprise environments.
With Plague’s capability to survive system upgrades, eliminate evidence of intrusion, and slip past antivirus engines entirely, its discovery raises urgent questions about how many other stealthy backdoors remain undetected in production systems today.