VYPR
Research · Published Jun 12, 2026 · 1 source

China-Linked Velvet Ant Group Backdoored Linux Login Software to Evade Detection for Nearly a Decade

A China-linked hacking group known as Velvet Ant compromised Linux PAM and OpenSSH components to maintain undetected access to a target network for nearly a decade.

A China-linked hacking group tracked as Velvet Ant has been found to have backdoored Linux PAM and OpenSSH components, allowing them to maintain undetected access to a target network for nearly a decade. According to researchers at Sygnia, the group compromised the authentication layer itself, planting backdoors that evaded standard cleanup and forensic tools. The campaign, dubbed Operation Highland, targeted an unnamed network with no direct internet access, forcing the attackers to first stage through internet-facing systems.

The earliest traces of the operation date back to 2016. Instead of deploying new malware that could be detected by scanners, the attackers modified the trusted login programs themselves. On many machines, they replaced the main PAM login module with backdoored copies that either allowed access with a secret password or quietly recorded legitimate usernames and passwords. Researchers identified nine separate versions of the backdoored modules. Similarly, OpenSSH programs were altered to log credentials and every command typed, with a hidden switch to disable logging when needed.

Reaching the isolated network required additional effort. The attackers used disguised tools and an internet-facing web server as a bridge, passing commands through it to open remote sessions deep inside the segment that had no direct internet access. Because the login system itself was compromised, normal containment measures such as password resets and session kills were ineffective: the credential-checking mechanism was working for the attacker, so the backdoor survived those actions and simply captured the new credentials.

This is not the first time Velvet Ant has employed such tactics. In a 2024 case, Sygnia found the same actor turning internet-exposed F5 BIG-IP appliances into internal command servers. Later that year, the group exploited a Cisco NX-OS flaw, CVE-2024-20399, to plant a backdoor on switches. That bug required admin access first, making it a persistence tool rather than a remote break-in. Cisco patched it in July 2024, and CISA flagged it as exploited the next day.

Operation Highland represents a deeper level of persistence by targeting the login software itself. Load balancers, switches, and the login layer are trusted by default and rarely checked, making them ideal hiding spots for patient attackers. The fix for this type of compromise is not patching but verification: administrators must monitor PAM and OpenSSH programs for any changes and compare them against known-good copies. Removing the backdoor before resetting passwords is critical, as new credentials would otherwise be stolen the same way.

The wider lesson is clear: infrastructure that sits outside normal monitoring still needs integrity checks, and that now includes the login layer. Organizations should watch login files, hunt for changes rather than waiting for alerts, and test any replacements in a lab first. The earlier F5 and Cisco cases have their own checks: patch CVE-2024-20399 on Cisco Nexus gear and watch F5 boxes for unexpected outbound connections.
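The verification step described in the two preceding paragraphs, as an added example that is not part of the original article or of Sygnia's research: a POSIX shell script that records SHA-256 hashes of the PAM modules and OpenSSH binaries while the host is in a trusted state, later re-checks them and reports anything missing or modified, and adds a second, independent layer by asking the package manager to verify the same files. The module directory, binary paths, package names and the script's file name are assumptions for a typical Debian/Ubuntu or RHEL host and should be adjusted to the system being checked.

```shell
#!/bin/sh
# Baseline-and-verify check for PAM modules and OpenSSH binaries.
# Added illustration for this article; not Sygnia's or Vypr's tooling.
# PAM_DIR and SSH_BINS are assumptions for a common Debian/Ubuntu layout;
# RHEL-style hosts usually keep PAM modules in /usr/lib64/security.
PAM_DIR="${PAM_DIR:-/lib/x86_64-linux-gnu/security}"
SSH_BINS="${SSH_BINS:-/usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen}"

# Print the SHA-256 of one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline OUTFILE FILE...
# Record "<sha256>  <path>" for every FILE that exists. Take the baseline
# from a trusted state (fresh install, or hashes from the package repository),
# never from a host that may already be compromised.
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
        fi
    done
}

# verify_baseline BASELINE
# Re-hash every path listed in BASELINE. Prints one MISSING or MODIFIED line
# per problem and returns 1 if anything differs, 0 if every file matches.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        if [ -z "$path" ]; then
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# Independent second layer: let the package manager verify the files it
# installed (rpm -V on RHEL/Fedora, dpkg -V on Debian/Ubuntu). The package
# names are the usual ones; confirm them with rpm -qf / dpkg -S on the target.
verify_with_package_manager() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V pam openssh-server openssh-clients
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V libpam-modules openssh-server openssh-client
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}

# Usage (script name is an assumption):
#   sh pam_ssh_check.sh baseline   writes /var/lib/integrity/pam_ssh.sha256
#   sh pam_ssh_check.sh verify     compares against it; exits 1 on any drift
case "${1:-}" in
    baseline)
        mkdir -p /var/lib/integrity
        # SSH_BINS is intentionally left unquoted so it splits into paths.
        make_baseline /var/lib/integrity/pam_ssh.sha256 "$PAM_DIR"/*.so $SSH_BINS
        ;;
    verify)
        verify_baseline /var/lib/integrity/pam_ssh.sha256
        rc=$?
        verify_with_package_manager || rc=1
        exit "$rc"
        ;;
esac
```

Two caveats apply when using a check like this on a host whose authentication layer is suspect. The hashing tools and package manager on that host may themselves have been tampered with, so run the comparison from a trusted boot medium or copy the files off-host and hash them elsewhere, and keep the baseline file somewhere the host cannot rewrite. File timestamps are not evidence either way, since they are trivially set; only content comparison against a known-good copy counts. Following the article's ordering, a mismatch is remediated by restoring the verified files first, and passwords are rotated only afterwards.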

Synthesized by Vypr AI