Red Hot Cyber


A Year of Silence! Plague Discovered, the Linux Malware No One Had Seen

Redazione RHC: 6 August 2025 15:46

Researchers at Nextron Systems have discovered a new Linux malware that went undetected for over a year. It allows attackers to gain persistent SSH access and bypass authentication on compromised systems. The malware is called Plague and is a malicious PAM (Pluggable Authentication Module). It uses multi-layered obfuscation and masking techniques to evade detection by security solutions.

Plague resists debugging and analysis, hides its strings and commands, uses hardcoded passwords for stealth access, and can even hide session traces that would reveal attacker activity. Once loaded, the malware scrubs its execution environment: it unsets SSH-related environment variables and redirects the shell's command history to /dev/null, so that no command log, session metadata or other digital traces are left in system logs.

“Plague is deeply embedded in the authentication stack, can survive system updates, and leaves virtually no trace. Combined with obfuscation and environmental modification, this makes Plague nearly imperceptible to traditional security tools,” says Pierre-Henri Pezier, researcher at Nextron Systems. “The malware actively cleans its execution environment to hide SSH sessions. Variables such as SSH_CONNECTION and SSH_CLIENT are removed via unsetenv, and HISTFILE is redirected to /dev/null to avoid logging.”
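Because Plague lives in the PAM stack rather than in a user-level process, one practical defensive check is to audit which modules the PAM configuration actually loads and whether each one is a stock, package-owned file. The script below is an added example written for this article, not code from Nextron Systems or from the malware analysis: it parses /etc/pam.d-style rules (including bracketed control fields such as `[success=1 default=ignore]` and `@include` lines), flags any module whose path lies outside the standard PAM directories or whose name is missing from an allowlist, and can ask dpkg or rpm who owns a module file. The module directories, the `KNOWN_MODULES` allowlist and the `SAMPLE_CONFIG` text are constructed assumptions; a real baseline should be generated from a known-clean host with the same package set.

```python
"""Audit PAM configuration for modules that are not on a known-good list.

Added example (not from the article or Nextron Systems). It parses
/etc/pam.d-style configuration, extracts the module referenced on each
rule line, and flags any module whose basename is not in KNOWN_MODULES or
whose absolute path lies outside the standard PAM module directories.
Optionally it asks the package manager who owns a module file.
The allowlist, directories and sample config below are constructed."""
import os
import shutil
import subprocess
from typing import List, Optional

# Assumption: typical PAM module directories; extend for your distribution.
PAM_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Assumption: a minimal allowlist of stock modules. Generate a real baseline
# from a known-clean host rather than trusting this list.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
    "pam_keyinit.so", "pam_limits.so", "pam_systemd.so", "pam_nologin.so",
    "pam_loginuid.so", "pam_motd.so", "pam_mail.so", "pam_selinux.so",
}

# Constructed sample in /etc/pam.d form: "type control module [args]".
# The last line references a made-up module path to exercise the check.
SAMPLE_CONFIG = """\
# constructed sample for an sshd service file
auth       required                    pam_env.so
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       requisite                   pam_deny.so
@include common-account
session    optional                    pam_keyinit.so force revoke
-session   optional                    pam_systemd.so
auth       sufficient                  /usr/lib/pam_unknown_constructed.so
"""


def parse_pam_modules(config_text: str) -> List[str]:
    """Return the module path or name from each rule line of a PAM config."""
    modules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("@include"):
            continue                             # @include lines carry no module
        tokens = line.split()
        idx = 1                                  # tokens[0] is the type (auth/account/...)
        if idx < len(tokens) and tokens[idx].startswith("["):
            # Bracketed control field, e.g. [success=1 default=ignore],
            # may span several whitespace-separated tokens.
            while idx < len(tokens) and not tokens[idx].endswith("]"):
                idx += 1
        idx += 1                                 # step past the control field
        if idx < len(tokens):
            modules.append(tokens[idx])
    return modules


def suspicious_modules(modules: List[str]) -> List[str]:
    """Flag modules outside the standard directories or absent from the allowlist."""
    flagged = []
    for mod in modules:
        name = os.path.basename(mod)
        outside = os.path.isabs(mod) and os.path.dirname(mod) not in PAM_DIRS
        if outside or name not in KNOWN_MODULES:
            flagged.append(mod)
    return flagged


def package_owner(path: str) -> Optional[str]:
    """Ask dpkg or rpm which package owns a module file; None if unowned."""
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        if shutil.which(cmd[0]) is None:
            continue                             # try the other package manager
        res = subprocess.run(cmd, capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return res.stdout.strip()
        return None                              # tool present but no owner: investigate
    return None


def audit_host(pam_dir: str = "/etc/pam.d") -> List[str]:
    """Audit every service file under pam_dir on the running host."""
    findings = []
    if not os.path.isdir(pam_dir):
        return findings
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for mod in suspicious_modules(parse_pam_modules(fh.read())):
                owner = package_owner(mod) if os.path.isabs(mod) else None
                findings.append(f"{path}: unexpected module {mod} (owner: {owner})")
    return findings


if __name__ == "__main__":
    print("sample config flags:", suspicious_modules(parse_pam_modules(SAMPLE_CONFIG)))
    for finding in audit_host():
        print(finding)
```

Run as root on a host to walk the real /etc/pam.d; the constructed sample flags only the made-up absolute path. A module that is referenced by bare name still has to be resolved against the PAM directories and checked for package ownership before it is trusted, and an allowlist hit is not proof of integrity, so pair this with file-hash comparison against the package database (for example `rpm -V` or `debsums`).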

By analyzing the samples, the researchers found compilation artifacts indicating active, long-term development of the malware, built with different versions of GCC for different Linux distributions. Furthermore, although several versions of the malware have been uploaded to VirusTotal multiple times over the past year, no antivirus engine has detected them as malicious.

“Plague is an advanced and constantly evolving threat to Linux. It uses basic authentication mechanisms to maintain a stealthy and persistent presence on the system,” adds Pezier. “Sophisticated obfuscations, static credentials, and manipulation of the execution environment make it virtually invisible to standard defenses.”

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
