
Linux PAM Backdoor "Pandora" Sold on Dark Web for Credential Theft and Persistent Access
A Linux backdoor named Pandora (or Pam-Dora) is being sold on the dark web forum Rehub for $1,600 (later reduced to $900) by an actor using the alias DarkWorm. Written in C, the malware targets Linux's Pluggable Authentication Modules (PAM) stack, enabling credential theft and persistent access by modifying or replacing critical shared object files such as pam_unix.so or by injecting a malicious pam_linux.so module. It employs anti-debugging techniques, anti-forensic measures that scrub login records (lastlog, btmp, utmp, wtmp), and a "magic password" paired with a specific TCP port to gate access to the backdoor. Because it hooks into PAM configuration files (e.g., /etc/pam.d/sshd or /etc/pam.d/login) and intercepts the authentication flow itself, it is stealthier than traditional cron- or systemd-based persistence methods.

Similar open-source PAM backdoor tools exist on GitHub, some dating back nearly eight years, with variations including skeleton keys, rolling passwords, or tampered pam_unix.so files. DarkWorm's activity appears limited to Rehub, though identical usernames exist on other forums such as Spy Hackers and NulledBB, suggesting possible aliases.

Given Linux's dominance in enterprise and cloud environments, the threat underscores how exposed PAM is as a trusted authentication layer.
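The detection side of what the report describes can be reduced to two checks: are the PAM configuration files loading only modules the distribution shipped, and are those modules' binaries unchanged? The following Python script is an added, defender-side example (it is not part of the original report, nor code from the malware or its author). It parses /etc/pam.d-style rule lines, flags modules outside an allowlist or referenced by an explicit path, and compares a module binary's SHA-256 against a recorded baseline. The allowlist, the sample configurations, the baseline hash and the placement of a `pam_linux.so` rule are all constructed assumptions for the example.

```python
#!/usr/bin/env python3
"""Audit PAM configuration for unexpected modules and tampered module binaries.

Added example for illustration; the allowlist and sample configs are constructed.
"""
import hashlib
import re
from pathlib import Path

# Constructed, non-exhaustive allowlist of module names shipped with typical Linux-PAM
# packages. Build the real one from your distribution's package manifest, e.g.
# `dpkg -L libpam-modules` or `rpm -ql pam`.
EXPECTED_MODULES = frozenset({
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_mail.so", "pam_keyinit.so", "pam_loginuid.so",
    "pam_selinux.so", "pam_systemd.so", "pam_access.so", "pam_faildelay.so",
    "pam_lastlog.so", "pam_succeed_if.so", "pam_pwquality.so", "pam_faillock.so",
    "pam_sepermit.so", "pam_shells.so", "pam_umask.so", "pam_localuser.so",
    "pam_securetty.so", "pam_cap.so", "pam_tty_audit.so", "pam_namespace.so",
})

# One PAM rule: optional leading '-', type, control (bare word or [bracketed]),
# module, optional arguments. @include lines and comments are handled separately.
PAM_RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam_config(text):
    """Return the rules of a PAM config file as dicts; comments, blanks and @include are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        match = PAM_RULE.match(line)
        if match is None:
            # Keep unparseable lines so the auditor can report them instead of ignoring them.
            rules.append({"line": lineno, "type": None, "control": None,
                          "module": None, "args": "", "raw": line})
            continue
        rules.append({"line": lineno, "raw": line, **match.groupdict()})
    return rules


def audit_pam_config(text, expected=EXPECTED_MODULES):
    """Return (line_number, reason) findings for rules that deserve a closer look."""
    findings = []
    for rule in parse_pam_config(text):
        module = rule["module"]
        if module is None:
            findings.append((rule["line"], f"unparseable rule: {rule['raw']}"))
            continue
        name = Path(module).name
        # Distribution configs reference modules by bare name; an explicit path
        # (especially outside the PAM module directory) is how a dropped .so gets loaded.
        if "/" in module:
            findings.append((rule["line"], f"module referenced by path: {module}"))
        if name not in expected:
            reason = f"module not in allowlist: {name}"
            if rule["control"] == "sufficient":
                # A 'sufficient' rule ahead of pam_unix.so can end the stack with success
                # on its own, which is the classic skeleton-key placement.
                reason += " (control 'sufficient' can short-circuit the auth stack)"
            findings.append((rule["line"], reason))
    return findings


def module_matches_baseline(module_bytes, expected_sha256):
    """Compare a shared object's contents against a SHA-256 recorded from a clean install."""
    return hashlib.sha256(module_bytes).hexdigest() == expected_sha256


# Constructed sample resembling /etc/pam.d/sshd on a Debian-style host.
SAMPLE_CLEAN = """\
# Constructed sample config for the example
@include common-auth
account    required     pam_nologin.so
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
-session   optional     pam_systemd.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
"""

# The same file with two constructed tampering patterns appended: an unknown module
# with 'sufficient' control (the pam_linux.so name is the one the report mentions)
# and a pam_unix.so loaded from a path outside the module directory.
SAMPLE_TAMPERED = SAMPLE_CLEAN + """\
auth       sufficient   pam_linux.so
auth       required     /tmp/.cache/pam_unix.so
"""

if __name__ == "__main__":
    # Run as root on a live host to audit every file under /etc/pam.d.
    for cfg in sorted(Path("/etc/pam.d").glob("*")):
        if cfg.is_file():
            for lineno, reason in audit_pam_config(cfg.read_text(errors="replace")):
                print(f"{cfg}:{lineno}: {reason}")
```

On a live host, pair the config audit with the package manager's own integrity check (`dpkg -V libpam-modules` on Debian-based systems, `rpm -V pam` on RPM-based ones), which catches a replaced pam_unix.so without a hand-kept baseline. Because the backdoor scrubs lastlog, btmp, utmp and wtmp, treat those local records as untrustworthy once tampering is suspected and rely on logs shipped off-host (remote syslog, auditd forwarding) for the login timeline.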