
There’s a sneaky new threat targeting Linux systems and it’s called Plague. It’s not just another piece of malware. This thing is designed to live inside your authentication stack and hand attackers persistent access to your server, all while staying hidden from antivirus tools.
Plague operates as a malicious PAM module. If you don’t already know, PAM (Pluggable Authentication Modules) is the framework Linux uses to decide whether a login succeeds; sshd, login, sudo and friends all hand the credentials to a chain of modules configured under /etc/pam.d. By inserting itself into that chain, Plague can approve an SSH login that presents its own hardcoded password, regardless of what the account’s real password is. It’s silent. It’s persistent. And it’s extremely hard to detect.
The scariest part? Security researchers say not a single antivirus flagged it. Dozens of samples have been uploaded to VirusTotal over the past year, and none of them triggered a warning. That’s not just rare. That’s almost unheard of.
To stay under the radar, Plague wipes environment variables like SSH_CONNECTION and disables shell history logging. The attacker’s interactive session leaves far fewer traces than a normal login: no history file, and a shell that doesn’t look like it came in over SSH. Don’t mistake that for clean logs, though. sshd still writes its own “Accepted …” line for the login it just authorised, so the evidence moves out of the session and into the daemon’s log and whatever ships it off-box.
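A quick hunt for the session-level traces described above, written for this post as an added example (it is not the original author’s code, nor anything from the published Plague analysis). It walks a /proc-style tree, finds interactive shells whose parent chain runs through sshd, and flags the two conditions named here: no SSH_CONNECTION in the shell’s environment, and HISTFILE pointed at /dev/null (the concrete way shell history gets disabled). The process tree in demo() is constructed test data; the assumption that the module’s environment changes actually propagate into the user’s shell is just that, an assumption.

```python
import os
import tempfile
from pathlib import Path

# comm values that count as interactive shells (a login shell "-bash" shows up as "bash").
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh"}


def read_environ(pid_dir: Path) -> dict:
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE entries."""
    try:
        raw = (pid_dir / "environ").read_bytes()
    except OSError:  # process exited, or not readable without root
        return {}
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_status(pid_dir: Path) -> dict:
    """Parse the 'Key:\\tValue' lines of /proc/<pid>/status (we need Name and PPid)."""
    try:
        text = (pid_dir / "status").read_text(errors="replace")
    except OSError:
        return {}
    return {k.strip(): v.strip()
            for k, v in (line.split(":", 1) for line in text.splitlines() if ":" in line)}


def scan_proc(proc_root="/proc") -> list:
    """Return (pid, name, reasons) for shells under sshd whose environment looks scrubbed."""
    table, envs = {}, {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        status = read_status(entry)
        if not status:
            continue
        pid = int(entry.name)
        table[pid] = (status.get("Name", ""), int(status.get("PPid", "0") or 0))
        envs[pid] = read_environ(entry)

    findings = []
    for pid, (name, ppid) in sorted(table.items()):
        if name not in SHELLS:
            continue
        # Walk up the parent chain; stop at init, at a loop, or at a missing entry.
        chain, cur = [], ppid
        while cur in table and cur not in chain and cur > 1:
            chain.append(cur)
            cur = table[cur][1]
        if not any(table[p][0] == "sshd" for p in chain):
            continue  # console/tmux shells legitimately lack SSH_* variables
        env = envs.get(pid, {})
        if not env:
            continue  # unreadable without root; rerun as root to cover every user
        reasons = []
        if "SSH_CONNECTION" not in env:
            reasons.append("SSH_CONNECTION missing from an sshd-spawned shell")
        if env.get("HISTFILE") == "/dev/null":
            reasons.append("HISTFILE=/dev/null (shell history disabled)")
        if reasons:
            findings.append((pid, name, reasons))
    return findings


def _fake_proc(root: Path, pid: int, name: str, ppid: int, env: dict) -> None:
    """Write a minimal /proc-style entry. Constructed test data, not a real system."""
    d = root / str(pid)
    d.mkdir()
    (d / "status").write_text(f"Name:\t{name}\nPPid:\t{ppid}\n")
    (d / "environ").write_bytes(b"".join(f"{k}={v}\0".encode() for k, v in env.items()))


def demo() -> list:
    """Build a constructed process tree and scan it; only pid 300 should be flagged."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    _fake_proc(root, 1, "systemd", 0, {"PATH": "/usr/bin"})
    _fake_proc(root, 100, "sshd", 1, {})
    _fake_proc(root, 200, "sshd", 100, {})  # per-connection sshd child
    _fake_proc(root, 300, "bash", 200, {"USER": "alice", "HISTFILE": "/dev/null"})  # scrubbed
    _fake_proc(root, 400, "bash", 200, {"USER": "bob",
                                        "SSH_CONNECTION": "192.0.2.7 50000 192.0.2.10 22"})  # normal
    _fake_proc(root, 500, "bash", 1, {"USER": "carol"})  # local console shell, not under sshd
    return scan_proc(root)


if __name__ == "__main__":
    results = scan_proc() if os.path.isdir("/proc") else demo()
    for pid, name, reasons in results:
        print(f"pid {pid} ({name}): " + "; ".join(reasons))
```

Two caveats before you page anyone on this. Users do set HISTFILE=/dev/null in their own dotfiles, so treat a hit as a lead to check against sshd’s “Accepted” lines, not as proof. And because the PAM module runs inside sshd’s process, whether its unsetenv() reaches the user’s shell depends on how sshd assembles the session environment; the missing-SSH_CONNECTION check is the weaker of the two signals.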
It doesn’t stop there. The malware hides behind string obfuscation, anti-debugging tricks, and multiple layers of encryption. The latest samples wrap their strings in three layers: XOR, a stream cipher, and a DRBG-derived layer. Running strings or a disassembler over the binary gets you almost nothing useful. This thing is built to waste analysts’ time.
Researchers even had to write a custom decryption tool using Unicorn and IDA Pro just to peek inside. It emulates execution safely to pull out hidden strings and figure out what the malware is doing. That’s a lot of work for a few strings, but it shows how far the attackers went to cover their tracks.
And yes, there are hardcoded passwords. One variant uses the laughably bad “changeme” while others use longer, random-looking strings like “IpV57KNK32Ih.” Either way, presenting that password satisfies the module, so attackers can log in quietly whenever they want without ever knowing the account’s real credentials.
One sample even references the movie Hackers with the line, “Uh. Mr. The Plague, sir? I think we have a hacker.” It’s buried deep in the code and only shows up after you decrypt it. It’s either a joke or a signature. Either way, it’s creepy.
Attribution is still up in the air. Most samples were submitted from the US, but one came from China. The malware is clearly under active development, with compiler traces pointing to Debian, Ubuntu, and Red Hat toolchains. This isn’t some one-off script kiddie project. It’s well maintained and growing.
If you’re a sysadmin, this is your reminder that AV alone won’t save you. You’ll need behavioral analysis, YARA rules, and maybe even a little paranoia. In practice that means knowing exactly which modules /etc/pam.d is allowed to load, checking that each one on disk is the file your package manager installed, and treating any unexplained .so in a PAM module directory as an incident. Linux is not immune, and Plague proves that.
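Here is what that PAM audit looks like in practice, as an added example written for this post (not the author’s tooling and not from the Plague research). It parses every file under /etc/pam.d plus /etc/pam.conf, including the bracketed control syntax and @include lines, resolves each referenced module to a file, and compares its SHA-256 against a baseline you captured from a trusted host. The MODULE_DIRS list, the baseline JSON format and the files built in demo() are assumptions for illustration.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Directories PAM searches for bare module names. Assumed list; trim to your distro.
MODULE_DIRS = [
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
]


def parse_pam_lines(lines, service=None) -> list:
    """Turn pam.d-style lines into (service, type, control, module) tuples.
    Handles comments, backslash continuations, '[success=1 default=ignore]'
    controls and '@include'. With service=None the lines are pam.conf format."""
    entries, buf = [], ""
    for raw in lines:
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        tokens, buf = (buf + line).split(), ""
        if not tokens:
            continue
        if tokens[0] == "@include":
            entries.append((service, "include", "", tokens[1] if len(tokens) > 1 else ""))
            continue
        if len(tokens) < (3 if service is None else 2):
            continue  # malformed line; PAM would reject it too
        svc = service if service is not None else tokens.pop(0)
        mtype = tokens.pop(0)
        if tokens[0].startswith("["):
            ctrl = []
            while tokens:
                ctrl.append(tokens.pop(0))
                if ctrl[-1].endswith("]"):
                    break
            control = " ".join(ctrl)
        else:
            control = tokens.pop(0)
        entries.append((svc, mtype, control, tokens[0] if tokens else ""))
    return entries


def collect_modules(etc: Path) -> dict:
    """Map each referenced module spec to the config files that load it."""
    refs = {}
    def add(entries, label):
        for svc, mtype, control, module in entries:
            if mtype == "include" or control in ("include", "substack") or not module:
                continue  # points at another pam.d file, audited on its own pass
            refs.setdefault(module, set()).add(label or svc)
    pam_d = etc / "pam.d"
    for f in sorted(pam_d.iterdir()) if pam_d.is_dir() else []:
        if f.is_file():
            add(parse_pam_lines(f.read_text().splitlines(), f.name), f.name)
    if (etc / "pam.conf").is_file():
        add(parse_pam_lines((etc / "pam.conf").read_text().splitlines()), "")
    return refs


def resolve(module: str, module_dirs) -> Path:
    """Absolute specs are used as-is; bare names are searched in module_dirs."""
    candidates = [Path(module)] if module.startswith("/") else [Path(d) / module for d in module_dirs]
    return next((p for p in candidates if p.is_file()), None)


def make_baseline(module_dirs) -> dict:
    """Hash every module in module_dirs; run this on a trusted, freshly built host."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for d in module_dirs if Path(d).is_dir() for p in sorted(Path(d).iterdir()) if p.is_file()}


def audit(etc, module_dirs, baseline: dict) -> list:
    """Return human-readable findings for every module PAM is configured to load."""
    findings = []
    for module, where in sorted(collect_modules(Path(etc)).items()):
        refs = ",".join(sorted(where))
        path = resolve(module, module_dirs)
        if path is None:
            findings.append(f"{module}: referenced by {refs} but not found on disk")
            continue
        if module.startswith("/") and not any(str(path).startswith(d.rstrip("/") + "/") for d in module_dirs):
            findings.append(f"{module}: absolute path outside the module directories ({refs})")
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if path.name not in baseline:
            findings.append(f"{module}: not in baseline ({refs})")
        elif baseline[path.name] != digest:
            findings.append(f"{module}: hash differs from baseline ({refs})")
    return findings


def demo() -> list:
    """Constructed tree: one baselined module, one extra .so, one loaded from an odd path,
    one that does not exist. Expect four findings and nothing about pam_unix.so."""
    root = Path(tempfile.mkdtemp(prefix="pamaudit-"))
    pam_d, libsec, odd = root / "etc" / "pam.d", root / "lib" / "security", root / "opt"
    for d in (pam_d, libsec, odd):
        d.mkdir(parents=True)
    (libsec / "pam_unix.so").write_bytes(b"constructed stand-in for pam_unix.so")
    (libsec / "pam_extra.so").write_bytes(b"constructed stand-in for an unexpected module")
    (odd / "pam_odd.so").write_bytes(b"constructed stand-in for a module outside the dirs")
    (pam_d / "common-auth").write_text("auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"
                                       "auth\trequired\tpam_extra.so\n")
    (pam_d / "sshd").write_text(f"@include common-auth\nauth required {odd / 'pam_odd.so'}\n"
                                "session required pam_missing.so\n")
    return audit(root / "etc", [str(libsec)], make_baseline([str(libsec)]) | {"pam_extra.so": None} and
                 {"pam_unix.so": hashlib.sha256(b"constructed stand-in for pam_unix.so").hexdigest()})


if __name__ == "__main__":
    baseline = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else {}
    for line in audit("/etc", MODULE_DIRS, baseline):
        print(line)
```

Capture the baseline with make_baseline() on a host you trust, store it off-box, and diff against it on a schedule. Where the package manager is available, dpkg -S or rpm -Vf on each resolved path is the more authoritative check, since a file the package manager does not own is exactly what a dropped PAM module looks like.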
I love Linux. But when malware digs into authentication and hides this well, it makes me nervous. This kind of threat deserves serious attention.