
HIGH: Velvet Ant Backdoored Linux PAM and OpenSSH to Live in One Network for Nearly a Decade

Sygnia disclosed Operation Highland this week, a China-nexus campaign by the Velvet Ant cluster that compromised core Linux authentication on a victim network from 2016 through 2026. Nine variants of backdoored PAM modules and patched OpenSSH binaries delivered hardcoded magic-password access plus continuous credential and command logging. A parallel commodity tool called PamDOORa now sells for $900 on a Russian forum, putting the same authentication-layer tradecraft within reach of any ransomware affiliate with root.

By Danny Mercer, CISSP — Lead Security Analyst Jun 13, 2026

If you ever wanted a clean example of why endpoint detection and response tools are not a substitute for actually owning your authentication stack, Sygnia just handed you one. The Israeli incident response firm published research this week on a China-nexus intrusion it has been chasing for the better part of a year, and the punchline is brutal. A group it tracks as Velvet Ant spent close to a decade inside one victim network without anyone noticing, because instead of dropping the usual implant-and-beacon malware, the operators replaced the Pluggable Authentication Modules and OpenSSH binaries on Linux servers with backdoored copies. When the login system itself is the malware, password resets and session kills do not save you. The compromised stack happily authenticates the attacker, logs everyone else's credentials, and quietly forwards them somewhere useful.

Sygnia calls the campaign Operation Highland, and the timeline reads like a slow-motion nightmare. The earliest forensic traces stretch back to 2016, which means this group sat in production infrastructure for roughly a decade, through several major kernel generations, multiple SIEM platform refreshes and however many internal audit cycles the victim ran in that time, none of which surfaced it. The victim, which Sygnia has not named publicly but which industry context places in a high-value Asia-Pacific manufacturing or critical infrastructure environment, ran a network with no direct internet egress from its most sensitive segments. Velvet Ant solved that problem by staging through internet-facing web servers and using them as command bridges into the restricted segments (isolated from the internet, not truly air-gapped, or the bridge would not have worked), then established persistence inside the authentication layer where most security teams never look.

The technical work is the part that should make every Linux administrator uneasy. Sygnia identified nine distinct variants of backdoored PAM modules deployed across the environment. Some let the operators in with a hardcoded secret password that bypassed every other authentication factor on the system. Others were silent credential harvesters, logging real usernames and passwords as legitimate users authenticated. The OpenSSH binaries on those same hosts were patched the same way, with credential capture during normal logins and a hidden switch that the operators could flip to turn logging off when they wanted to come in clean. The captured credentials and command histories were staged locally and then exfiltrated out through the internet-facing bridge hosts on whatever schedule kept the noise low.

For defenders who are used to thinking in terms of file system monitoring and process anomalies, this is a particularly nasty class of compromise. The backdoored PAM modules live exactly where the legitimate ones live, under /lib/security, /lib64/security or /usr/lib/x86_64-linux-gnu/security depending on the distribution, and the OpenSSH binaries live in the same paths the package manager expects. The file modification times can be massaged. The on-disk size of the modified module is usually a close match for the original, and a careful operator can pad it to an exact match. The binaries continue to behave correctly for every legitimate login event, which means functional testing does not flag them. The reliable way to catch this kind of compromise from outside the running system is to compare the on-disk hash of every PAM module and OpenSSH binary against a known-good copy sourced from a clean distribution image or the signed upstream package, not from the host's own package database, which the same root access that installed the backdoor can rewrite. That is exactly the kind of integrity check that most Linux fleets never run.

Velvet Ant is not a new name in threat intel. The group has been on Sygnia's radar since at least 2024, when researchers first connected it to the exploitation of CVE-2024-20399 against Cisco NX-OS switches and a separate campaign that lived inside compromised F5 BIG-IP appliances for years at a time. The throughline across all of those engagements is a consistent strategic preference for infrastructure components that defenders rarely look at and that vendors rarely instrument. Switches, load balancers, and authentication libraries are exactly the parts of the stack that most security programs treat as black boxes, and Velvet Ant has built an entire tradecraft around that blind spot. The PAM and OpenSSH work is the natural next step in that progression, because the Linux authentication stack is older than most of the engineers maintaining it and is documented in places that most blue teams have never bothered to read.

Attribution to a Chinese state-aligned actor rests on a familiar bundle of indicators. Tooling timestamps cluster in working hours that align with UTC plus 8. The command and control infrastructure rotates through ranges historically used by other China-nexus clusters. The strategic targeting pattern, with a heavy emphasis on long-duration espionage against high-value technology and manufacturing victims in Asia-Pacific, is consistent with what other vendors have published about adjacent groups. None of that is conclusive on its own, but in aggregate it lines up with the broader China-nexus operational pattern that Mandiant, CrowdStrike, and Microsoft have been describing for years. Sygnia stops short of explicit ministry attribution, which is the correct call given the evidence available.

The same week Sygnia published its research, separate work from Group-IB and Flare surfaced a parallel concern that is worth keeping in the same mental folder. A Linux PAM backdoor called PamDOORa appeared for sale on a Russian-speaking cybercrime forum called Rehub in early May, listed under the handle darkworm at an initial price of $1,600 and later cut to $900. PamDOORa is more straightforward than the Velvet Ant variants. It abuses the legitimate pam_exec module to inject a malicious pam_linux.so that opens a TCP port, accepts a magic password, intercepts credentials and XOR-obfuscates them with keys generated at runtime, and wipes login traces from lastlog, btmp, utmp, and wtmp on the way out. It targets /etc/pam.d/sshd specifically, and the operator drops a tn.sh execution script along with the module. PamDOORa is post-exploitation tooling that requires root to deploy, so it does not get you into the box on its own, but once it is on the system the operator inherits much of the same stealth that kept Velvet Ant hidden for a decade. The fact that a workable PAM backdoor is now a $900 commodity matters, because it means the cost of replicating Velvet Ant's authentication-layer tradecraft is now within reach of any ransomware affiliate with a root foothold.
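Because PamDOORa hooks in through the stack configuration rather than by replacing a library, the cheapest place to look for it is /etc/pam.d itself. The following is an added example written for this page, not code from Sygnia, Group-IB or Flare: it parses a pam.d file (including backslash continuations, bracketed control fields and @include lines) and flags pam_exec entries, modules loaded from outside the distribution's module directories, module names not on a known-good allowlist, and pam_permit.so used as a sufficient auth step. The allowlist, the trusted directory list and the sample sshd file are assumptions; the sample is constructed to resemble the page's description (a pam_exec hook pointing at a dropped script plus an unknown pam_linux.so) and is not a capture of a real deployment.

```python
"""Audit a pam.d stack file for the PamDOORa-style pattern described above.

Added example, not code from the page or from any vendor named on it.
"""
import re

# Module names a stock Debian/RHEL sshd stack normally references.
# Assumption: regenerate this from your own clean image rather than trusting it.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_faildelay.so", "pam_nologin.so",
    "pam_motd.so", "pam_mail.so", "pam_limits.so", "pam_selinux.so",
    "pam_loginuid.so", "pam_keyinit.so", "pam_lastlog.so", "pam_deny.so",
    "pam_permit.so", "pam_succeed_if.so", "pam_systemd.so", "pam_sepermit.so",
    "pam_faillock.so", "pam_namespace.so", "pam_umask.so", "pam_access.so",
    "pam_pwquality.so", "pam_sss.so", "pam_krb5.so", "pam_ldap.so",
}
# Where the package manager installs PAM modules; anything else is suspect.
TRUSTED_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                "/usr/lib/x86_64-linux-gnu/security/")

# type  control  module-path  [args]; control may be the bracketed form.
_ENTRY = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
                    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam_file(text):
    """Return (type, control, module, args) tuples. Backslash continuations
    are joined and comments skipped; @include lines come back with type
    '@include' and unparseable lines with type '?' so nothing is dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    entries = []
    for line in logical:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@include"):
            parts = s.split(None, 1)
            entries.append(("@include", "", parts[1].strip() if len(parts) > 1 else "", ""))
            continue
        m = _ENTRY.match(s)
        if m:
            entries.append((m["type"], m["control"], m["module"], m["args"] or ""))
        else:
            entries.append(("?", "", s, ""))
    return entries


def audit_pam_config(text, known=KNOWN_MODULES):
    """Return human-readable findings for one pam.d file."""
    findings = []
    for typ, control, module, args in parse_pam_file(text):
        if typ == "@include":
            continue                      # audit the included file on its own
        if typ == "?":
            findings.append(f"unparseable line: {module}")
            continue
        stack = typ.lstrip("-")
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(TRUSTED_DIRS):
            findings.append(f"{stack}: module loaded from non-standard path {module}")
        if name == "pam_exec.so":
            findings.append(f"{stack}: pam_exec runs external command: {args.strip() or '(none)'}")
        elif name not in known:
            findings.append(f"{stack}: unknown module {name}")
        # 'required pam_permit.so' is a normal stack-priming idiom on Debian;
        # 'sufficient' is the one that lets everyone in.
        if name == "pam_permit.so" and stack == "auth" and control == "sufficient":
            findings.append(f"{stack}: sufficient pam_permit.so short-circuits authentication")
    return findings


# Constructed sample modelled on the page's description of PamDOORa.
SAMPLE_SSHD = """\
# /etc/pam.d/sshd (constructed sample, not a real capture)
auth       required     pam_env.so
auth       optional     pam_exec.so seteuid /usr/local/lib/tn.sh
auth       sufficient   /usr/local/lib/pam_linux.so
@include common-auth
account    required     pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] \\
           pam_selinux.so close
session    required     pam_loginuid.so
"""

if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_SSHD):
        print("FINDING:", finding)
```

Run it across every file in /etc/pam.d, and audit each @include target the same way; pam_exec is legitimate on many hosts (MOTD hooks, session scripts), so the finding means "read the command it runs", not "compromised".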

The detection playbook for both threats is the same and it is uncomfortable to implement. You need file integrity monitoring against the PAM module directories, the OpenSSH binary paths, and the /etc/pam.d configuration files on every Linux host you run. You need a clean baseline of cryptographic hashes for every module across every distribution and version you operate, sourced from the distribution's signed packages or a clean image held off-host rather than from whatever happens to be on disk; rpm -V and dpkg --verify are a useful first pass, but they trust the local package database, which the same root access that planted the backdoor can rewrite. You need outbound network egress monitoring that can spot unexplained connections from authentication-related processes, because the only destinations a PAM module or sshd has any business reaching during a login event are your directory, Kerberos or RADIUS servers, and a connection anywhere else is a finding. And you need to be reading lastlog, btmp, utmp, and wtmp in a way that survives tampering, which usually means streaming those records off the host in near real time to a write-once store, so that a wipe on the host shows up as a gap in the stream rather than as a clean slate.
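The hash comparison that the passages above keep coming back to is short to write; the hard part is where the baseline comes from. The block below is an added example for this page, not tooling from Sygnia or from any distribution: it builds a SHA-256 baseline of watched PAM modules and OpenSSH binaries from a trusted tree (a clean image mount or freshly unpacked signed packages), checks a host tree against it, and reports modified, missing and unexpected files, where "unexpected" means anything in a module directory that the baseline does not know about. The demo deliberately swaps in a same-size, same-mtime replacement to show why size and mtime comparisons are not enough. The watched paths, module directories and file contents in the demo are constructed assumptions.

```python
"""Hash-baseline check for PAM modules and OpenSSH binaries.

Added example, not the page's, Sygnia's or any distribution's tooling.
"""
import hashlib
import os
import tempfile

# Directories whose entire contents the baseline must account for.
# Assumption: extend for your distributions (paths are relative to the root).
MODULE_DIRS = ("lib/security", "lib64/security", "usr/lib64/security",
               "lib/x86_64-linux-gnu/security", "usr/lib/x86_64-linux-gnu/security")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(trusted_root, relpaths):
    """Map each watched path to the SHA-256 of its copy under trusted_root,
    which must be a clean image or unpacked signed packages, never the host."""
    return {rel: sha256_file(os.path.join(trusted_root, rel)) for rel in relpaths}


def verify_host(host_root, baseline):
    """Compare the host's files with the baseline. Size and mtime are ignored
    on purpose: both are under the attacker's control once they have root."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in baseline.items():
        p = os.path.join(host_root, rel)
        if not os.path.isfile(p):
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
    for d in MODULE_DIRS:                      # extra files dropped beside real modules
        full = os.path.join(host_root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            rel = os.path.join(d, name)
            if rel not in baseline:
                report["unexpected"].append(rel)
    return report


def _write(root, rel, data, mtime):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)
    os.utime(p, (mtime, mtime))                # pin mtime, as a careful operator would
    return p


def demo():
    """Constructed scenario: a clean image and a live host where pam_unix.so was
    swapped for a same-size, same-mtime copy with one byte changed, an extra
    module was dropped into the module directory and the ssh client removed."""
    watched = ["lib/x86_64-linux-gnu/security/pam_unix.so",
               "lib/x86_64-linux-gnu/security/pam_env.so",
               "usr/sbin/sshd", "usr/bin/ssh"]
    content = {rel: rel.encode() * 64 for rel in watched}   # stand-in for ELF bytes
    mtime = 1_500_000_000
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel, data in content.items():
            _write(clean, rel, data, mtime)
            _write(live, rel, data, mtime)
        baseline = build_baseline(clean, watched)
        tampered = bytearray(content[watched[0]])
        tampered[10] ^= 0xFF                                 # same length, one byte flipped
        _write(live, watched[0], bytes(tampered), mtime)
        _write(live, "lib/x86_64-linux-gnu/security/pam_linux.so", b"\x7fELF-constructed", mtime)
        os.remove(os.path.join(live, "usr/bin/ssh"))
        report = verify_host(live, baseline)
        a = os.stat(os.path.join(clean, watched[0]))
        b = os.stat(os.path.join(live, watched[0]))
        # What a size-and-mtime-only FIM would conclude about the swapped module:
        report["size_mtime_match"] = (a.st_size, int(a.st_mtime)) == (b.st_size, int(b.st_mtime))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the baseline is built once per distribution and package version from packages fetched and verified off the host, stored with the other write-once evidence, and the check runs from an agent whose own binary is covered by the same baseline; a host that has already been rebuilt should verify clean before any credential rotation is counted as done.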

Containment is the other half, and this is where Operation Highland is a cautionary tale. Sygnia's responders found that resetting credentials and terminating active sessions did nothing to evict the operators, because the compromised authentication system continued to accept the hardcoded backdoor password, and every fresh password typed into a harvesting module was captured on the way in. The only way to actually clean the environment was to rebuild the affected hosts from known-good images, restore configuration from a trusted source, and only then rotate credentials, treating every credential that had ever been used on a compromised host as harvested, including any reused on hosts that were never backdoored. That sequence sounds obvious on paper. Anyone who has tried to coordinate it across a fleet of production Linux hosts in a manufacturing environment knows that it is anything but, and the time required to do it correctly is exactly the time the operator uses to dig deeper.

For MSPs running managed security operations for clients with significant Linux footprints, particularly in manufacturing, critical infrastructure, higher education, and any vertical that handles regulated technology, this is a clean opportunity to lead with a Linux authentication stack assessment as a paid engagement. Pair that with a recurring file integrity monitoring service tuned for PAM and OpenSSH baselines and you have a recurring revenue line that maps directly to a real and currently underserved risk surface.
