A persistence technique used by Linux malware is to replace the system’s pam_unix.so with one that provides a hard-coded passwords for attackers to use at their convenience and credential harvesting.
This was done by Skidmap malware https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html