
Velvet Ant's Operation Highland: China-Nexus APT Backdoored Linux Auth Stack for Nearly a Decade

Sygnia published research this week on Operation Highland, a China-nexus intrusion campaign by the threat actor tracked as Velvet Ant that persisted inside a target organisation’s network from at least 2016 until discovery in 2026. The mechanism that made it so durable was surgical: the attackers replaced legitimate Linux Pluggable Authentication Module (PAM) and OpenSSH binaries with backdoored versions, embedding persistent access directly into the authentication stack. Every login became an intelligence feed; access was no longer tied to a specific vulnerable service but woven into the process that decides who is allowed in at all.

What Velvet Ant Did

The attack chain began with compromise of internet-exposed servers — a standard initial access vector. What followed was unusual in its precision and persistence.

Velvet Ant replaced pam_unix.so — the module responsible for Unix password authentication — with maliciously modified versions. Sygnia identified nine distinct variants, each compiled in a separate build environment, indicating a well-resourced and operationally compartmentalised actor. The modified modules functioned in two ways simultaneously: they accepted a hardcoded backdoor password that granted authentication regardless of the legitimate credential store, and they harvested credentials from every genuine authentication attempt, logging them for later retrieval.

The group applied the same approach to OpenSSH. The ssh, sshd, and scp binaries were replaced with trojanised versions that captured credentials and logged every command entered during SSH sessions. The collected data was stored locally and exfiltrated through a custom SOCKS5 proxy configured to run as a daemon masquerading as the legitimate Samba daemon (smbd -D) — blending into normal system process lists.

The target included a physically isolated internal network segment. Velvet Ant bridged this air gap using the SOCKS5 infrastructure, pivoting from internet-exposed hosts into a network zone designed to be unreachable from outside.

Why This Matters

The authentication layer is the last place most security programmes look for compromise. Endpoint detection typically monitors for process execution anomalies, unusual network connections, and known malware signatures. A backdoored pam_unix.so that passes all legitimate authentication checks, logs credentials quietly, and accepts a hardcoded password generates few of these signals. Nine compiled variants suggest the actor has refined this technique across multiple engagements — this is not a proof-of-concept; it is a mature operational capability.

The decade-long persistence window is itself significant. Velvet Ant’s access survived multiple likely incident response cycles at the target. The implication for defender teams is uncomfortable: if this technique has been deployed against your environment and has not been specifically hunted for, standard remediation — reimaging compromised hosts, resetting credentials — may have missed it entirely. PAM modifications survive credential rotations. They survive endpoint agent deployments. They survive most of what network defenders do in response to a detected intrusion.

Sectors at Risk

Organisations running Linux-based infrastructure in sectors where long-term intelligence value is high carry the most relevant exposure. Finance — trading platforms, core banking systems, payment infrastructure — relies heavily on Linux, and the credential-harvesting capability would grant persistent lateral movement potential across interconnected systems. Communications operators, where the intelligence value of traffic metadata and routing data is well understood from prior Chinese APT campaigns (Salt Typhoon being the most documented), are directly relevant. Critical infrastructure environments, including those with air-gapped or segmented OT-adjacent networks, should treat the SOCKS5 pivot technique as a specific concern.

Audit PAM modules immediately. Compare installed pam_unix.so hashes across all Linux hosts against known-good versions from the package manager cache or a trusted baseline. Discrepancies warrant immediate investigation. Automate this check — it should be a standing item in Linux integrity monitoring.

Verify OpenSSH binary integrity. Use file integrity monitoring (FIM) tools — AIDE, Tripwire, or equivalent — to baseline and continuously monitor SSH binaries. Any replacement or modification of ssh, sshd, or scp is a high-severity alert.
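The two checks above share one mechanism: hash the authentication-stack binaries on a known-clean host, keep that manifest off-box, and re-hash on a schedule. The script below is an added example written for this briefing; it is not from Sygnia's report or from any FIM product. The file paths are the usual Debian and RHEL locations (an assumption; adjust for your distribution), and the package names passed to `dpkg --verify` and `rpm -V` are the packages that ship pam_unix.so, ssh, scp and sshd on those families.

```shell
#!/bin/sh
# Added example, not from Sygnia's report or any vendor tool: baseline the
# authentication-stack binaries on a known-clean host, then diff against it.
# Paths are the common Debian/RHEL locations (assumption; adjust per distro).

AUTH_STACK_PATHS="
/lib/x86_64-linux-gnu/security/pam_unix.so
/usr/lib64/security/pam_unix.so
/usr/bin/ssh
/usr/sbin/sshd
/usr/bin/scp
"

# Print those of AUTH_STACK_PATHS that exist on this host.
existing_auth_paths() {
  for p in $AUTH_STACK_PATHS; do
    [ -e "$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# Record the SHA-256 of each file into a manifest (sha256sum format).
# Usage: make_baseline <manifest> <file>...
make_baseline() {
  manifest=$1; shift
  sha256sum "$@" > "$manifest"
}

# Re-hash every path in the manifest. Prints CHANGED/MISSING lines and
# returns 1 if anything differs, 0 if every file still matches.
# Usage: check_baseline <manifest>
check_baseline() {
  manifest=$1
  rc=0
  while read -r expected path; do
    if [ ! -e "$path" ]; then
      printf 'MISSING %s\n' "$path"
      rc=1
      continue
    fi
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      printf 'CHANGED %s expected=%s actual=%s\n' "$path" "$expected" "$actual"
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# Second opinion from the package manager's own file hashes. Useful, but an
# attacker with root can rewrite these databases too, so the off-box manifest
# from make_baseline remains the authoritative reference.
package_manager_verify() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --verify libpam-modules openssh-client openssh-server
  elif command -v rpm >/dev/null 2>&1; then
    rpm -V pam openssh-clients openssh-server
  fi
}

# Typical use (once on a clean host, then periodically from cron):
#   make_baseline /var/lib/authstack.sha256 $(existing_auth_paths)
#   check_baseline /var/lib/authstack.sha256 || logger -p auth.crit "auth stack drift"
```

Store the manifest somewhere the monitored host cannot write to; a baseline kept on the same box is only as trustworthy as the box. A CHANGED line after a legitimate package upgrade is expected, so re-baseline as part of the patch process rather than silencing the alert.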

Hunt for masquerading processes. Look for smbd processes running with unusual command-line arguments (-D flag usage without legitimate Samba infrastructure), unusual parent processes, or network connections inconsistent with the expected SMB service profile.
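The hunt above reduces to three questions about any process calling itself smbd: does its executable resolve to the packaged Samba binary, is its parent the init system, and is Samba even configured on the host. The script below is an added example for this briefing, not Sygnia's tooling; the `-D` indicator from the text is folded into the last check, since a daemon-mode smbd on a host with no smb.conf is the case the briefing describes. It assumes /etc/samba/smb.conf and /usr/sbin/smbd as the Samba paths on Debian and RHEL derivatives (overridable via SMB_CONF for testing).

```shell
#!/bin/sh
# Added example, not from Sygnia's report: flag processes that present
# themselves as smbd but do not look like the Samba daemon.
# Record format, one process per line:  <pid> <ppid> <resolved-exe-path> <argv...>
# SMB_CONF may be overridden (assumption: /etc/samba/smb.conf is the usual path).

# Classify one record. Prints "SUSPECT <pid> <reasons>" and returns 1 when the
# process claims to be smbd but fails a sanity check; returns 0 otherwise
# (including for processes that are not smbd at all).
classify_smbd() {
  pid=$1; ppid=$2; exe=$3; shift 3
  argv0=${1:-}
  reasons=""
  case "$argv0" in
    smbd|*/smbd) ;;        # only processes presenting themselves as smbd
    *) return 0 ;;
  esac
  # The real daemon's executable lives in the package's sbin path.
  case "$exe" in
    /usr/sbin/smbd|/usr/local/sbin/smbd) ;;
    *) reasons="$reasons exe=$exe" ;;
  esac
  # Samba is started by init/systemd, so its parent should be PID 1.
  [ "$ppid" = 1 ] || reasons="$reasons ppid=$ppid"
  # An smbd on a host with no Samba configuration has no business running.
  [ -f "${SMB_CONF:-/etc/samba/smb.conf}" ] || reasons="$reasons no-smb.conf"
  if [ -n "$reasons" ]; then
    printf 'SUSPECT %s%s\n' "$pid" "$reasons"
    return 1
  fi
  return 0
}

# Emit one record per process on the live host, read from /proc.
proc_records() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    [ -r "$d/status" ] || continue
    ppid=$(awk '/^PPid:/ {print $2}' "$d/status")
    exe=$(readlink "$d/exe" 2>/dev/null || printf '?')
    cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
    [ -n "$cmd" ] || continue          # kernel threads have no cmdline
    printf '%s %s %s %s\n' "$pid" "$ppid" "$exe" "$cmd"
  done
}

# Read records on stdin and classify each; returns 1 if any SUSPECT was printed.
hunt_smbd() {
  found=0
  while read -r pid ppid exe cmd; do
    # $cmd is intentionally unquoted so argv is split into words
    classify_smbd "$pid" "$ppid" "$exe" $cmd || found=1
  done
  return $found
}

# Live use:  proc_records | hunt_smbd
```

The network side of the hunt (connections that do not fit an SMB service profile, i.e. anything other than 139/445 listeners) is best checked with `ss -tlnp` alongside this output, since a SOCKS proxy posing as smbd will listen on something else entirely. Note that on systemd hosts the genuine smbd normally runs with `--foreground --no-process-group`, so `-D` by itself is a weak signal; the exe path and parent checks carry more weight.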

Review isolated network bridging assumptions. If you operate air-gapped or heavily segmented network zones, audit the SOCKS proxy configurations and inter-zone connectivity on the hosts adjacent to those boundaries. Velvet Ant’s pivot relied on existing connectivity that operators may not have recognised as a bridging risk.

Treat Linux identity infrastructure as a tier-one attack surface. PAM, OpenSSH, and sudo configurations belong in your highest-priority integrity monitoring tier — alongside kernel modules and bootloader integrity.