Last updated: July 5, 2026 at 9:01 AM UTC

China-linked Velvet Ant hid in Linux login software for nearly a decade

Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces going back to 2016. Instead of dropping malware that a scanner could flag, the attackers replaced the trusted PAM login module (pam_unix.so) and the OpenSSH binaries with backdoored builds, found in nine distinct variants. Some accepted a hardcoded secret password that bypassed normal authentication; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn the logging off. Because these binaries are trusted and rarely inspected, each backdoor login looked like routine administration, and the implants evaded scanners even on a network with no direct internet access.

Check
Integrity-check the PAM modules (pam_unix.so) and the OpenSSH binaries on Linux hosts against known-good hashes from your distribution's packages, taken from a trusted source rather than from the host under review, and watch for logins that succeed with unexpected or hardcoded credentials.
Affected
Linux environments, especially internal servers and appliances without endpoint detection, where attackers with prior access can replace authentication binaries; high-value, long-dwell espionage targets are most at risk.
Fix
Reinstall PAM and OpenSSH from trusted distribution packages, rotate all credentials that may have been harvested, deploy file-integrity monitoring on authentication binaries, and extend detection to appliances lacking EDR.
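Added example, not code from Sygnia's report or from this page: a POSIX shell integrity check for the files this campaign replaced. It serves both the Check above (compare pam_unix.so and the OpenSSH binaries against known-good hashes) and the file-integrity monitoring named in the Fix (rerun the same check on a schedule). The candidate paths in default_auth_targets, the manifest layout, and the function names are assumptions; the manifest format is the one sha256sum itself emits.

```shell
# Added example (not from Sygnia or the page). Verifies on-disk PAM and OpenSSH
# binaries against a known-good sha256 manifest, with a package-manager fallback.
# Manifest line format (same as sha256sum output):   <sha256>  <absolute path>
# Assumptions: the paths below are the common distro locations; adjust for yours.

# Print the sha256 of one file; coreutils sha256sum on Linux, shasum on BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Candidate locations of the files the campaign replaced (assumed list).
# Only paths that exist on this host are printed.
default_auth_targets() {
    for p in /lib/x86_64-linux-gnu/security/pam_unix.so \
             /usr/lib/x86_64-linux-gnu/security/pam_unix.so \
             /usr/lib64/security/pam_unix.so \
             /lib64/security/pam_unix.so \
             /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen; do
        [ -f "$p" ] && echo "$p"
    done
    return 0
}

# make_manifest PATH... : emit one manifest line per existing file.
# Run this on a trusted reference host or against freshly unpacked distribution
# packages, never on the host you are about to check.
make_manifest() {
    for p in "$@"; do
        [ -f "$p" ] || continue
        printf '%s  %s\n' "$(file_sha256 "$p")" "$p"
    done
    return 0
}

# check_manifest MANIFEST : compare every listed file with its recorded hash.
# Prints OK / MISMATCH / MISSING per entry; exit status 0 only if all are OK.
check_manifest() {
    bad=0
    while read -r expected path || [ -n "$expected" ]; do
        case "$expected" in ''|\#*) continue ;; esac   # skip blank and comment lines
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(file_sha256 "$path")" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# verify_owner_package PATH : ask the package manager whether the package that owns
# PATH still matches its recorded metadata. No output from rpm -V / dpkg -V means
# "unchanged". Weaker than an external manifest: on a compromised host the package
# database and the verification tools themselves may have been edited.
verify_owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "no rpm or dpkg here; use check_manifest with an external manifest" >&2
        return 2
    fi
}

# Typical use:
#   trusted reference host:  make_manifest $(default_auth_targets) > auth-manifest.sha256
#   each host under review:  check_manifest auth-manifest.sha256 && echo "auth binaries intact"
```

Build the manifest from a source the attacker could not have touched (a clean reference host, the distribution's own package files, or a read-only medium), then run check_manifest on every internal server and appliance, including the ones without EDR. Because the implants came in nine variants, a hash mismatch on pam_unix.so or sshd is the signal to act on, not a match against any one known sample. For a high-confidence verdict on a host you already distrust, hash the files from a live boot or copy them off-host first, since sha256sum, rpm and dpkg on that host are themselves candidates for replacement.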