New Undetectable Plague Malware Targeting Linux Servers for Persistent SSH Access
gbhackers
Security researchers have discovered a sophisticated Linux backdoor dubbed “Plague” that has remained undetected by all major antivirus engines despite multiple samples being uploaded to VirusTotal over the past year.
The malicious software operates as a Pluggable Authentication Module (PAM), allowing attackers to silently bypass system authentication and maintain persistent SSH access to compromised Linux systems.
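Because a backdoor of this kind has to be loaded through the PAM stack, one defensive check is to list every module the PAM configuration references and compare it with what the distribution is known to ship. The sketch below is an added example, not code from the article or from the researchers; the baseline set, the sample configuration and the module name `pam_example_extra.so` are constructed for illustration.

```python
import os
import re

# Constructed baseline of module file names shipped by distribution packages.
# Assumption: on a real host this set is generated from the package database.
BASELINE = {"pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_systemd.so"}

# Constructed sample of an /etc/pam.d/sshd file; pam_example_extra.so is a
# made-up name standing in for a module nobody installed on purpose.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient   /usr/lib/security/pam_example_extra.so
-session   optional     pam_systemd.so
account    required     pam_nologin.so
session    include      common-session
"""

TYPES = {"auth", "account", "password", "session"}
# type (optional leading "-"), control (word or [bracketed list]), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(config_text):
    """Return (type, control, module_path) for every line that loads a module."""
    rules = []
    for line in config_text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) not in TYPES:
            continue
        if m.group(2) in ("include", "substack"):
            continue  # names another config file, not a shared object
        rules.append(m.groups())
    return rules

def unexpected(config_text, baseline):
    """Return the rules whose module file name is not in the baseline."""
    return [r for r in pam_modules(config_text)
            if os.path.basename(r[2]) not in baseline]

if __name__ == "__main__":
    for ptype, control, module in unexpected(SAMPLE_SSHD, BASELINE):
        print(f"review: {ptype} {control} {module}")
```

A name-based baseline does not catch a legitimate module file that has been replaced on disk, so pair it with the package manager's file verification (`rpm -V` or `dpkg --verify`).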
Zero Detection Despite Year-Long Activity
The Plague backdoor represents a significant security concern due to its complete evasion of traditional detection methods.
Despite several variants being uploaded to VirusTotal throughout 2024 and into 2025, not a single antivirus engine among the 66 tested has flagged any sample as malicious.

Analysis of the threat landscape reveals active development and adaptation by the attackers, with samples compiled across different time periods and environments using various GCC compiler versions.
The earliest known sample dates back to July ...
Copyright of this story solely belongs to gbhackers.