A new Linux malware that went undetected for over a year is now making waves in the cybersecurity community. Named "Plague," this malware allows attackers to maintain persistent SSH access by completely bypassing authentication mechanisms on affected systems.
The discovery was made by the security team at Nextron Systems, who explained that Plague operates as a malicious PAM (Pluggable Authentication Module) authentication module. What’s truly concerning is that it uses advanced multi-layer obfuscation techniques and environment manipulation, enabling it to easily evade most traditional security tools.
The most alarming aspect of this malware is undoubtedly how well it hides. Over the past year, several versions of Plague were uploaded to platforms like VirusTotal, and the results were both surprising and troubling: not a single antivirus engine flagged it as malicious. Literally, a detection rate of 0 out of 66. That means Plague managed to slip completely under the radar of all conventional security solutions.
Undetected Malware
How Does Plague Work? Evasion, Persistence, and Stealth Techniques in Linux Systems
This malware is not only stealthy but also specifically designed to make life difficult for security analysts. Plague features several advanced capabilities that complicate its analysis and detection: it includes anti-debugging techniques, string obfuscation, hardcoded passwords for unobtrusive access, and the ability to erase any trace of activity that would normally expose the attacker on the compromised system.
Once the malware is loaded onto a device, it thoroughly cleans the environment: it removes SSH-related variables, redirects command history to /dev/null to leave no trace, deletes audit logs, session metadata, and virtually erases all evidence of the attack. It’s as if it was never there.
One of Plague’s most effective tricks is its ability to “sanitize” the execution environment: it deletes variables like SSH_CONNECTION and SSH_CLIENT using unsetenv, while redirecting HISTFILE to /dev/null, preventing any commands executed during the session from being recorded.
During their analysis, researchers also found evidence that Plague has been in development for some time. They identified build artifacts indicating multiple versions of the malware, compiled using different versions of GCC and across various Linux distributions. In other words, this is not a one-off experiment—it’s a mature and active project.
And most concerning: none of the detected variants were flagged as malicious by antivirus engines on VirusTotal, suggesting that its creators have been operating under the radar, refining the malware undetected for at least a year.
Anti-Debugging
One of the key elements of Plague’s stealth lies in how it hides information through string encryption. Early versions of the malware used a fairly simple method: a basic XOR operation, where each byte is combined bit by bit with a fixed key. It was rudimentary but effective enough to evade superficial scans.
Over time, its creators have ramped up the sophistication. More recent variants implement a scheme similar to RC4, a stream cipher algorithm, with custom versions of the KSA (Key Scheduling Algorithm) and PRGA (Pseudo-Random Generation Algorithm) routines. Essentially, the malware generates a pseudo-random key stream to dynamically decrypt hidden strings during execution, making static analysis significantly harder.
In terms of persistence, Plague disguises itself as a legitimate PAM module, targeting the critical function pam_sm_authenticate(), which is responsible for validating user credentials during login.
This approach is particularly effective because it leverages the modular architecture of PAM (Pluggable Authentication Modules). In Linux, authentication processes dynamically load shared libraries based on the configuration defined in /etc/pam.d/. By embedding itself within this trusted path, Plague not only goes unnoticed but also gains direct access to plaintext credentials and to the system’s internal decisions about whether or not to permit a login.
Read more: New Koske Malware on Linux Hides in Panda Images
Conclusion: A Real Threat You Don’t See Coming
Plague is not just any malware. It is a highly sophisticated backdoor, designed with intelligence and patience to infiltrate Linux systems and remain undetected. What’s most concerning is how it exploits the system’s own authentication mechanisms—something so basic and essential—to disguise itself and maintain persistent access.
Thanks to its combination of advanced obfuscation, hardcoded credentials, and direct manipulation of the environment, Plague manages to completely evade traditional security tools. That makes it a real and evolving threat, especially in environments where system visibility and control are critical.
The key is to be prepared: detecting the invisible requires new ways of thinking about Linux security.