Particle.news


Researchers Reveal 'Plague' Linux Backdoor That Evades Detection and Maintains SSH Access

Nextron’s findings highlight how Plague embeds into the Linux authentication stack to achieve persistence


Overview

  • Researchers traced Plague variants to 2024 through VirusTotal submissions, revealing an evolving threat that slipped past all antivirus engines and has no confirmed in-the-wild detections.
  • The backdoor installs as a PAM module that patches core authentication functions and uses hardcoded passwords to grant attackers persistent SSH access.
  • Its code uses layered obfuscation and anti-debugging measures, and it masquerades as libselinux.so.8 to avoid analysis and detection.
  • Plague sanitizes the environment by unsetting SSH-related variables and redirecting shell history to /dev/null, erasing forensic traces.
  • Compilation artifacts indicate active development across multiple distributions and GCC versions, underscoring its evolving sophistication.
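The persistence mechanism in the summary above (a backdoor registered as a PAM module under a library-like name) can be checked for with a simple configuration audit. The script below is an added example written for this page; it is not Nextron's tooling and not code from the article. It parses /etc/pam.d-style rules, flags any referenced module whose file name does not follow the pam_*.so convention or looks like a system library, flags modules referenced but absent from the module directory, and flags files in the module directory that are not PAM modules. The sample configuration and directory listing are constructed for illustration; the candidate module-directory paths in scan_host() are common defaults and an assumption about the host layout.

```python
"""Heuristic audit for PAM stacks that load a module disguised as a library.

Added example for this page; not Nextron's tooling or the article's code.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

PAM_TYPES = {"auth", "account", "password", "session"}
STACK_CONTROLS = {"include", "substack"}          # argument names a stack, not a module
STANDARD_MODULE = re.compile(r"^pam_[A-Za-z0-9_]+\.so$")

# Constructed sample configuration (not from a real host). The sshd stack
# loads a module named like a system library, the pattern described above.
SAMPLE_PAM_CONFIG: Dict[str, str] = {
    "/etc/pam.d/sshd": (
        "#%PAM-1.0\n"
        "auth       required     pam_sepermit.so\n"
        "auth       substack     password-auth\n"
        "auth       sufficient   libselinux.so.8\n"
        "account    required     pam_nologin.so\n"
        "session    include      password-auth\n"
    ),
    "/etc/pam.d/password-auth": (
        "auth        required      pam_env.so\n"
        "auth        [success=1 default=ignore] pam_unix.so nullok\n"
        "auth        required      pam_deny.so\n"
    ),
}

# Constructed listing of a PAM module directory such as /lib64/security.
SAMPLE_MODULE_FILES: List[str] = [
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_nologin.so",
    "pam_sepermit.so", "libselinux.so.8",
]


def parse_pam_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (type, control, module) for a PAM rule line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    ptype = tokens[0].lstrip("-")           # a leading '-' marks an optional module
    if ptype not in PAM_TYPES or len(tokens) < 3:
        return None
    if tokens[1].startswith("["):           # bracketed control may span several tokens
        end = 1
        while not tokens[end].endswith("]"):
            end += 1
            if end >= len(tokens):
                return None
        control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    return (ptype, control, rest[0]) if rest else None


def audit_pam(configs: Dict[str, str], module_files: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    present = set(module_files)
    for path, text in configs.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            parsed = parse_pam_line(raw)
            if parsed is None:
                continue
            _, control, module = parsed
            if control in STACK_CONTROLS:
                continue
            name = os.path.basename(module)
            if name.startswith("lib"):
                findings.append(f"{path}:{lineno}: module '{module}' is named like a system library")
            elif not STANDARD_MODULE.match(name):
                findings.append(f"{path}:{lineno}: non-standard PAM module '{module}'")
            if name not in present:
                findings.append(f"{path}:{lineno}: module '{module}' not found in any module directory")
    for fname in sorted(module_files):
        if not STANDARD_MODULE.match(fname):
            findings.append(f"module directory: unexpected file '{fname}'")
    return findings


def scan_host(pam_dir: str = "/etc/pam.d",
              module_dirs: Tuple[str, ...] = ("/lib/security", "/lib64/security",
                                              "/usr/lib64/security",
                                              "/usr/lib/x86_64-linux-gnu/security")) -> List[str]:
    """Run the audit against the live host (paths are assumed common defaults)."""
    configs: Dict[str, str] = {}
    if os.path.isdir(pam_dir):
        for fname in sorted(os.listdir(pam_dir)):
            full = os.path.join(pam_dir, fname)
            if os.path.isfile(full):
                with open(full, errors="replace") as fh:
                    configs[full] = fh.read()
    files = [f for d in module_dirs if os.path.isdir(d) for f in os.listdir(d)]
    return audit_pam(configs, files)


if __name__ == "__main__":
    for finding in audit_pam(SAMPLE_PAM_CONFIG, SAMPLE_MODULE_FILES):
        print("sample:", finding)
    for finding in scan_host():
        print("host:", finding)
```

On the constructed sample the audit reports the library-named module in the sshd stack and the stray libselinux.so.8 in the module directory; on a real host it needs read access to the module directories and its output is a list of things to look at, not a verdict, since legitimate third-party modules occasionally break the pam_*.so naming convention.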