Mallory
Malware · Used by 1 actor

AuthDoor

AuthDoor is a PAM backdoor for Linux systems that was observed in 2024 intrusions targeting telecommunications providers in Southeast/Southwest Asia. It was deployed by overwriting the legitimate pam_unix.so or pam_unix2.so module on certain hosts and hooking PAM authentication functionality, including pam_sm_authenticate, to capture user credentials. Captured credentials were stored in a hidden log file, specifically /usr/bin/.dbus.log, with credentials encoded in ASCII hex. AuthDoor also supports persistent access through a hard-coded magic password, allowing access even if legitimate user passwords are changed, and it can execute files from a specific directory for persistence. The malware was associated with the nation-state-linked cluster CL-STA-0969, which Unit 42 assessed as heavily overlapping with the China-linked Liminal Panda activity set. The broader campaign targeted critical telecommunications infrastructure and used SSH brute-force for likely initial access, followed by Linux privilege-escalation exploits and multiple custom implants for covert persistence and access.
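A host triage check for the two artefacts described above, added here as an example (not Mallory's code, nor code from the underlying vendor report): it hashes pam_unix.so / pam_unix2.so against a known-good baseline and looks for the hidden ASCII-hex log at /usr/bin/.dbus.log. The baseline set `known_good`, the library directories and the fixture built by `make_fixture()` are assumptions; on a live host pass `root="/"` and fill `known_good` from package verification (`rpm -V` or `dpkg --verify`).

```python
# Added triage example (not Mallory's or the vendor's code) for the artefacts the
# description names: a replaced pam_unix.so / pam_unix2.so and the hidden ASCII-hex
# credential log /usr/bin/.dbus.log. known_good holds the distribution's SHA-256
# for the module (assumed); make_fixture() builds constructed data, not a real sample.
import hashlib
import os
import re
import tempfile

HIDDEN_LOG = "usr/bin/.dbus.log"                 # relative to the examined root
PAM_MODULES = ("pam_unix.so", "pam_unix2.so")
HEX_LINE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")  # whole line is ASCII hex

def check_pam_modules(root, lib_dirs, known_good):
    """[(path, sha256)] for PAM modules under root whose hash is not in known_good."""
    findings = []
    for d in lib_dirs:
        for name in PAM_MODULES:
            path = os.path.join(root, d.strip("/"), name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            if digest not in known_good:
                findings.append((path, digest))
    return findings

def check_hidden_log(root):
    """(present, hex_lines, total_lines) for the hidden credential log, if any."""
    path = os.path.join(root, HIDDEN_LOG)
    if not os.path.isfile(path):
        return (False, 0, 0)
    total = hex_lines = 0
    with open(path, errors="replace") as f:
        for line in f:
            total += 1
            hex_lines += bool(HEX_LINE.match(line.strip()))
    return (True, hex_lines, total)

def make_fixture():
    """Constructed root: one tampered pam_unix.so and a log with two hex lines."""
    root = tempfile.mkdtemp()
    for sub in ("lib/security", "usr/bin"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "lib/security/pam_unix.so"), "wb") as f:
        f.write(b"not the distribution's module")   # stands in for the implant
    with open(os.path.join(root, HIDDEN_LOG), "w") as f:
        f.write("6578616d706c65\n7061737377307264\nnot hex\n")
    return root
```

A module that passes `rpm -V` / `dpkg --verify` should still be compared against a hash taken from a trusted mirror or golden image, since an attacker with root can rewrite the local package database as well as the module.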

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Liminal Panda

AuthDoor: A PAM backdoor that captures user credentials by hooking into authentication functions. It supports hard-coded password access, records stolen credentials in a hidden log, and can execute files from a specific directory for persistent access.

via securityaffairs.com
INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value                     Latest sighting
hash.sha256   ●●●●●●●●●●●● (masked)     10 months ago
hash.sha256   ●●●●●●●●●●●● (masked)     10 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.