Velvet Ant Backdoored Linux PAM and OpenSSH for Years

Sygnia says China-nexus Velvet Ant hid inside Linux PAM and OpenSSH authentication paths for years, turning trusted login components into persistence and credential-theft tools.

China-nexus Velvet Ant spent years hidden where many defenders least want to find an attacker: inside the Linux authentication stack. Sygnia’s Operation Highland report says the group replaced PAM and OpenSSH components in a segregated environment, giving it credential capture, login bypass, and command visibility dating back to forensic traces from 2016.[1]

This is not a normal one-CVE patch story. The risk is that trusted login paths can become the persistence layer. If pam_unix.so, sshd, ssh, or related binaries are modified, password resets and killed sessions may simply feed fresh credentials back to the attacker.

What Velvet Ant Changed in Linux Login Paths

[Editorial cartoon: Velvet Ant hiding inside Linux PAM and OpenSSH login controls. Caption: The login booth looked normal until the gatekeeper started collecting passwords.]

Sygnia says the targeted network had no direct internet connectivity, so the actor first established access through internet-facing systems, pivoted through the IT network, and then embedded itself inside the critical infrastructure segment.[1] The key defensive lesson is practical: isolation helps, but it does not eliminate risk when a compromised bridge host can proxy the attacker inward.

The most important artifacts were backdoored PAM and OpenSSH files. Sygnia found nine distinct modified pam_unix.so variants, compiled in separate environments, with logic for authentication bypass, credential capture, or both.[1] The report also describes modified OpenSSH suites affecting ssh, sshd, and in some cases scp, with encrypted credential dumps and session logging.[1]

The Hacker News independently summarized the case on June 12, noting that the attacker changed the trusted login programs themselves rather than relying only on obvious new malware.[2] That matters because many incident-response playbooks assume that rotating passwords, terminating sessions, and removing scheduled persistence are enough. In Operation Highland, those steps would be incomplete until the login components were verified and replaced from trusted packages.

For Linux administrators, the first triage question is not “which password was stolen?” but “can we still trust the code that checks passwords?” Compare PAM modules, OpenSSH binaries, package checksums, file timestamps, and unexpected libraries against a clean baseline. Review /etc/pam.d/, authorized keys, unusual reverse-shell utilities, and hidden credential-log paths. Do this from known-good rescue media or a trusted management channel where possible, because a live compromised SSH path may lie to you.
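The baseline comparison described above, as an added example that is not from the Sygnia report or from HowToFix: it hashes the PAM and OpenSSH files on a known-good host into a manifest, then checks a suspect root filesystem (mounted from rescue media) against it and flags modified, missing, or never-seen PAM modules. The file locations and the two-space manifest format are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: offline integrity triage of PAM/OpenSSH files against a
# baseline manifest. Paths and manifest format are assumptions, not from
# the report. Run it with the suspect root mounted read-only (e.g. /mnt/root).

# Files worth baselining on a known-good host of the same package versions
# (typical Debian/RHEL locations; adjust for your distribution).
AUTH_PATHS="/lib/security/pam_unix.so /lib/x86_64-linux-gnu/security/pam_unix.so
/usr/lib64/security/pam_unix.so /usr/sbin/sshd /usr/bin/ssh /usr/bin/scp"

file_sha256() {  # portable SHA-256 of one file, hash only
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_baseline ROOT PATH...: emit "<sha256>  <path>" lines for files that exist.
make_baseline() {
    root=$1; shift
    for p in "$@"; do
        if [ -f "$root$p" ]; then printf '%s  %s\n' "$(file_sha256 "$root$p")" "$p"; fi
    done
}

# verify_baseline MANIFEST ROOT: one status line per manifest entry;
# returns 1 if any file is MISSING or MODIFIED.
verify_baseline() {
    manifest=$1; root=$2; rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            printf 'MISSING   %s\n' "$path"; rc=1
        elif [ "$(file_sha256 "$root$path")" = "$expected" ]; then
            printf 'OK        %s\n' "$path"
        else
            printf 'MODIFIED  %s\n' "$path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# find_unlisted_modules MANIFEST DIR ROOT: PAM modules under ROOT/DIR that the
# baseline never saw (a dropped-in extra .so is as suspicious as a modified one).
find_unlisted_modules() {
    manifest=$1; dir=$2; root=$3
    for f in "$root$dir"/*.so; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        awk -v p="$rel" '$2 == p { seen = 1 } END { exit !seen }' "$manifest" \
            || printf 'UNLISTED  %s\n' "$rel"
    done
}

# Usage: sh pam_triage.sh baseline / $AUTH_PATHS > baseline.txt   (on a clean host)
#        sh pam_triage.sh verify baseline.txt /mnt/root          (from rescue media)
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   verify_baseline "$2" "$3"; find_unlisted_modules "$2" /lib/security "$3" ;;
esac
```

A hash match only proves the file equals your baseline, so generate the manifest on a host whose packages were themselves installed from a trusted repository, and keep it off the hosts it is meant to check.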

HowToFix readers who followed the Arch Linux AUR infostealer and rootkit incident will recognize the same uncomfortable pattern: Linux trust boundaries are increasingly attractive to attackers. The Velvet Ant case is also adjacent to the Miasma credential-stealing worm, where developer secrets became the prize, and to the Copy Fail Linux local-root flaw, where local access conditions still mattered because they could turn into full control.

There is no universal IOC-only fix for this kind of intrusion. Treat it as an integrity problem. Rebuild or reinstall affected hosts where feasible, restore authentication packages from trusted repositories, rotate credentials only after persistence is removed, and then monitor PAM/OpenSSH files as high-value security controls. If your environment relies on jump hosts into isolated networks, they deserve the same scrutiny as edge appliances.

References

  1. Sygnia. “Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected.” Published June 11, 2026. https://www.sygnia.co/blog/operation-highland-velvet-ant/
  2. The Hacker News. “China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade.” Published June 12, 2026. https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
  3. BleepingComputer. “Chinese hackers hijack auth flow, spy on isolated network for a decade.” Published June 13, 2026. https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.