China-Linked Velvet Ant Hackers Backdoored Linux PAM Modules to Steal Credentials


China-linked hackers tracked as Velvet Ant compromised Linux authentication components to steal credentials and bypass logins inside a major organization’s internal network. The campaign, called Operation Highland, lasted for nearly a decade and reached a segregated critical infrastructure environment with no direct internet access, according to Sygnia.

The attackers did not rely only on traditional malware. They modified trusted Linux login components, including PAM modules and OpenSSH binaries, so normal authentication paths became part of the backdoor.

The earliest forensic artifacts dated back to 2016. That means the intrusion was not a short-term breach, but a long-running espionage operation built around persistence, credential theft, and stealthy administrative access.

Velvet Ant Hid Inside the Linux Login Stack

Velvet Ant targeted Pluggable Authentication Modules, better known as PAM. PAM is a core Linux authentication framework used by services such as SSH, login prompts, and other applications that need to verify users.

The attackers replaced legitimate pam_unix.so files with backdoored versions. The pam_sm_authenticate manual page explains that this function performs the task of authenticating a user, which made it a natural place both to capture credentials and to bypass authentication.

Sygnia found nine distinct backdoored pam_unix.so variants across compromised hosts. Some accepted a hardcoded backdoor password, some harvested credentials from legitimate login attempts, and some did both.

Component | How Velvet Ant abused it
PAM | Backdoored pam_unix.so modules allowed authentication bypass and credential theft
OpenSSH | Modified ssh, sshd, and related binaries logged credentials and commands
Authorized keys | Attacker-controlled public keys enabled passwordless persistence
GS-Netcat | A modified reverse shell helped establish covert command execution
SOCKS5 proxy | A Perl-based proxy supported tunneling and lateral movement

Why the PAM Backdoor Was So Dangerous

The backdoored PAM modules gave Velvet Ant control over the same layer administrators rely on to access Linux systems. When an attacker compromises the authentication layer, password resets and session kills may not solve the problem because new credentials can be stolen again during login.

The malicious module could accept the attacker’s secret password and skip normal verification. Sygnia also found that the backdoor overwrote the hardcoded password string in memory with null values after use, making forensic recovery harder.

The Linux PAM documentation shows why this technique carries high impact. If the authentication function itself gets modified, the system may still appear to behave normally for legitimate users while silently giving attackers access.

Modified OpenSSH Added Credential Theft and Keylogging

Velvet Ant also modified OpenSSH components. The attackers changed ssh, sshd, and in some cases scp and ssh-keygen, depending on the variant and target system.

The OpenSSH manual pages describe SSH as a system that supports several authentication mechanisms, including password, public-key, and host-based authentication. By modifying OpenSSH binaries, the attackers placed themselves inside a trusted remote access path.

Newer variants logged credentials and shell commands in encrypted form. They also included a custom flag that let the attackers disable their own credential logging and keylogging, reducing the chance that their own activity would appear in the captured logs.

  • Modified sshd binaries captured incoming credentials.
  • Modified ssh binaries captured outgoing connection details.
  • Keylogging recorded commands typed during shell sessions.
  • Encrypted dumps were stored under paths designed to look ordinary.
  • Some files were timestomped to blend into the filesystem timeline.

How Velvet Ant Reached an Isolated Network

The targeted internal network had no direct internet connectivity. Velvet Ant reached it by first staging through internet-facing systems, then moving through the IT network toward the critical infrastructure segment.

BleepingComputer reported that the attackers took control of the organization’s authentication stack and kept visibility into administrative activity for about 10 years. The report also noted that the campaign targeted vulnerable internet-facing systems before pivoting deeper.

[Figure: Snippet from IDA showing the usage of GS-Netcat (Source – Sygnia)]

Sygnia said Velvet Ant deployed a modified version of GS-Netcat as a reverse shell on internet-facing servers. The binary was named auditdb and placed in /usr/sbin/ to blend in with legitimate system utilities.

Persistence method | Observed behavior
Systemd service | A malicious unit file was placed under /lib/systemd/system/ and disguised as a Chrome service
SysVinit startup | Older systems received malicious execution lines in scripts under /etc/init.d/
Process disguise | Some tooling changed process names to look like legitimate system processes
SSH keys | Attacker public keys were added to authorized_keys files
Credential dumps | Captured credentials were stored in encrypted files under deceptive paths

Operation Highland Shows Why Segmentation Is Not Enough

Network isolation made the attack harder, but it did not stop it. Velvet Ant built a multi-stage path through trusted systems and then anchored persistence inside authentication components that defenders rarely inspect in depth.

The Operation Highland report says Velvet Ant has shown a pattern of moving to less-monitored infrastructure when detected. Previous Sygnia investigations linked the group to long-term persistence on F5 BIG-IP appliances and Cisco Nexus switches.

The Hacker News summarized the case as an attack on the login system itself, one that needed no obvious malware drop and no single novel exploit that would surface in routine security alerts.

Defenders Need Integrity Checks on Authentication Files

Sygnia recommends treating PAM, OpenSSH, LSASS, and privileged access paths as critical security controls. That means teams should not monitor only user endpoints and internet-facing services, but also the binaries and libraries that decide who can log in.

File integrity monitoring should cover Linux PAM modules, PAM configuration under /etc/pam.d/, OpenSSH binaries, SSH configuration files, privileged authorized_keys files, systemd unit files, SysVinit scripts, and sudo-related paths.

The OpenSSH documentation is also useful for defenders validating what normal SSH components and authentication behavior should look like before comparing systems against known-good builds.
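The baseline-and-compare check the two paragraphs above describe, written out as shell functions. This is an added example, not Sygnia's tooling or anything from the report: the path list (AUTH_PATHS), the function names and the digest-based comparison are assumptions chosen to match the files the article names, and `auth_pkg_verify` simply wraps the package manager's own verify mode (`rpm -V` / `dpkg --verify`) as an independent second opinion.

```shell
#!/bin/sh
# Added example (not Sygnia's tooling): build a SHA-256 baseline of the
# authentication-critical paths the article lists, re-verify a host against
# it, and cross-check with the package manager's own manifest.
#
# Paths are relative to a root directory so the same functions can be run
# against "/" on a live host or against a mounted image or a test tree:
#   auth_baseline_create / > /secure-store/auth-baseline.txt   # from a known-good build
#   auth_baseline_verify / /secure-store/auth-baseline.txt     # on every host, on a schedule
#   auth_pkg_verify                                            # independent second opinion

# Where PAM modules, PAM policy, OpenSSH, SSH keys, init units and sudo policy
# live on common distributions (assumed list). Paths that do not exist are skipped.
AUTH_PATHS="
lib/security lib64/security lib/x86_64-linux-gnu/security
usr/lib/security usr/lib64/security usr/lib/x86_64-linux-gnu/security
etc/pam.d etc/ssh usr/bin/ssh usr/bin/scp usr/bin/ssh-keygen usr/sbin/sshd
root/.ssh/authorized_keys
lib/systemd/system etc/systemd/system etc/init.d
etc/sudoers etc/sudoers.d
"

# GNU coreutils ships sha256sum; shasum is the fallback on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then HASHER="sha256sum"; else HASHER="shasum -a 256"; fi

# Print "<sha256>  <path relative to root>" for every regular file under
# AUTH_PATHS, in sorted path order, so two baselines can be diffed directly.
auth_baseline_create() {
    root="${1:-/}"
    (
        cd "$root" || exit 2
        for p in $AUTH_PATHS; do
            [ -e "$p" ] || continue
            find "$p" -type f
        done | sort | while IFS= read -r f; do
            $HASHER "$f"
        done
    )
}

# Compare a fresh scan of $1 against the saved baseline $2.
# Prints one MODIFIED / ADDED / REMOVED line per difference and returns 1 if
# there is any. A MODIFIED pam_unix.so or sshd with no matching package update
# is the kind of signal the report describes.
auth_baseline_verify() {
    root="${1:-/}"; baseline="$2"
    [ -s "$baseline" ] || { echo "baseline $baseline is missing or empty" >&2; return 2; }
    report=$(auth_baseline_create "$root" | awk '
        # First input (the baseline): remember the digest for each path.
        NR == FNR { base[substr($0, 67)] = substr($0, 1, 64); next }
        # Second input (current scan): digest is columns 1-64, path starts at 67.
        {
            p = substr($0, 67); h = substr($0, 1, 64)
            if (!(p in base))      print "ADDED    " p
            else if (base[p] != h) print "MODIFIED " p
            delete base[p]
        }
        END { for (p in base) print "REMOVED  " p }
    ' "$baseline" - | sort)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "OK: authentication paths match baseline"
}

# Second opinion from the package manager (the article's "compare against
# trusted package sources"). rpm -V and dpkg --verify mark a digest mismatch
# with a "5" in the status column; only lines touching the login stack are kept.
auth_pkg_verify() {
    if command -v rpm >/dev/null 2>&1; then tool="rpm -Va"
    elif command -v dpkg >/dev/null 2>&1; then tool="dpkg --verify"
    else echo "neither rpm nor dpkg is available" >&2; return 2; fi
    $tool 2>/dev/null | grep -E '(security/pam_|/pam\.d/|/ssh|systemd/system/|/init\.d/|sudoers)' || true
}
```

The baseline must be taken from a build that is known to be clean and stored off the host, otherwise an intruder who already owns the login stack can simply re-baseline after tampering. The package-manager check is a useful cross-reference but not a substitute: it verifies only package-owned files, so an attacker-added unit file or authorized_keys entry shows up only in the baseline diff.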

  • Compare PAM and OpenSSH files against trusted package sources.
  • Alert on changes to authentication modules and SSH binaries.
  • Deploy EDR where supported, including isolated environments where telemetry can be collected safely.
  • Use application allowlisting and enhanced audit logging where EDR is not possible.
  • Disable direct root SSH login and require named accounts with scoped sudo access.
  • Route administration through hardened jump servers or privileged access systems.
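A way to check the SSH hardening points in the list above against what sshd is actually running, as an added example that is not part of the article or the Sygnia report. It consumes the output of `sshd -T`, OpenSSH's built-in mode for printing the effective configuration with defaults and Match blocks resolved; the function name and the threshold choices (a root-owned authorized_keys location, VERBOSE logging) are this example's own recommendations, not findings from the page.

```shell
#!/bin/sh
# Added example (not from the Sygnia report): audit the effective sshd
# configuration for the article's SSH hardening points. One line per finding;
# exit status 0 only when everything passes.
#
#   sshd -T | sshd_config_audit
sshd_config_audit() {
    findings=0
    permitroot="" keysfile="" loglevel=""
    # sshd -T prints lowercase keywords followed by their resolved values.
    while read -r key value; do
        case "$key" in
            permitrootlogin)    permitroot="$value" ;;
            authorizedkeysfile) keysfile="$value" ;;
            loglevel)           loglevel="$value" ;;
        esac
    done

    # Direct root logins hide which administrator acted; the article calls for
    # named accounts with scoped sudo instead.
    if [ "$permitroot" != "no" ]; then
        echo "FAIL permitrootlogin=${permitroot:-unset} (want: no)"
        findings=$((findings + 1))
    fi

    # The default ~/.ssh/authorized_keys is writable by the account owner, which
    # is all an intruder with that account needs to plant a key for passwordless
    # persistence. A root-owned location outside the home directory turns that
    # into a privileged, visible change. (Relative values are resolved against the
    # user's home by sshd; the /etc/ssh/... suggestion is this example's assumption.)
    case "${keysfile:-.ssh/authorized_keys}" in
        /*) ;;
        *)  echo "WARN authorizedkeysfile=${keysfile:-.ssh/authorized_keys} is under the user home (consider a root-owned path such as /etc/ssh/authorized_keys/%u)"
            findings=$((findings + 1)) ;;
    esac

    # At VERBOSE, sshd logs the fingerprint of the key that authenticated, so an
    # unexpected key is visible in the logs and not only on disk.
    case "$(printf '%s' "$loglevel" | tr '[:lower:]' '[:upper:]')" in
        VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3) ;;
        *)  echo "WARN loglevel=${loglevel:-unset} (want: VERBOSE so accepted key fingerprints are logged)"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}
```

Run it from a scheduled job alongside the file integrity check rather than once at build time: a backdoored sshd can present a clean configuration, so the point of the audit is to catch drift in the settings, while the integrity baseline is what catches a replaced binary.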

Cleanup Must Happen Before Password Rotation

Response teams should remove persistence before rotating credentials. If the login layer remains backdoored, newly issued passwords may be captured as soon as administrators use them.

Remediation can be risky because replacing PAM or OpenSSH incorrectly can lock administrators out of production systems. Sygnia said each host must be matched to the correct replacement components, validated immediately after cleanup, and protected with rollback and emergency access plans.

[Figure: Decrypted credential dump (Source – Sygnia)]

BleepingComputer also highlighted that this was not a normal cleanup case because the authentication stack itself was compromised. Recovery requires restoring trust in the login path, not just deleting suspicious files.

Indicator type | Indicator | Description
File name | pam_unix.so | Backdoored PAM module used for credential theft and authentication bypass
File name | auditdb | Modified GS-Netcat binary placed in /usr/sbin/
File path | /usr/sbin/auditdb | Deployment path for the disguised reverse shell binary
File path | /lib/systemd/system/ | Location used for malicious systemd persistence
File path | /etc/init.d/ | Startup script path used on SysVinit systems
File path | /usr/share/man9/ph/.ph.man | Credential dump path described in the investigation
Process name | [kauditd] | Process disguise used to mimic legitimate kernel-style activity

A Broader Warning for Critical Infrastructure

The case shows that attackers can survive inside sensitive environments by compromising trusted infrastructure rather than deploying noisy malware. Authentication modules, SSH binaries, and privileged access files need the same level of protection as domain controllers, identity providers, and VPN appliances.

The Hacker News noted that patching alone does not fix this class of compromise because attackers changed trusted programs after gaining access. Defenders need verification, threat hunting, and known-good recovery plans.

For organizations operating isolated or critical networks, the main lesson is clear. Segmentation reduces exposure, but it does not remove the need to inspect the systems that bridge, authenticate, and administer the environment.

FAQ

What is Operation Highland?

Operation Highland is Sygnia’s name for a long-running Velvet Ant intrusion in which China-linked hackers reached a segregated internal network and backdoored Linux authentication components for persistence, credential theft, and login bypass.

How did Velvet Ant abuse PAM modules?

Velvet Ant replaced legitimate pam_unix.so files with malicious versions. The backdoored modules could accept a secret attacker password, steal legitimate credentials during login, or do both.

Why are backdoored PAM modules hard to detect?

PAM modules are part of the normal Linux authentication path. If attackers modify them carefully, users can still log in normally while the system silently captures credentials or accepts an attacker-controlled backdoor password.

What should defenders monitor after this Velvet Ant report?

Defenders should monitor Linux PAM modules, /etc/pam.d/ configuration, OpenSSH binaries, sshd_config, authorized_keys files, systemd unit files, SysVinit scripts, sudo-related paths, and unexpected authentication file changes.

Should organizations rotate passwords immediately after finding a PAM backdoor?

Organizations should remove the backdoor and restore trusted authentication components before rotating passwords. If the malicious PAM or OpenSSH files remain active, new credentials may be stolen again during login.
