A China-nexus threat actor tracked as Velvet Ant spent nearly a decade hidden inside enterprise Linux environments by doing something most defenders don't watch closely enough: backdooring the authentication software itself. Researchers at Sygnia disclosed the campaign on June 12, 2026, detailing how the group modified PAM (Pluggable Authentication Modules) and OpenSSH — the foundational components that control who is permitted to sign in on Linux systems.
The Attack: Hiding in Plain Authentication
Rather than deploying persistent malware in locations defenders typically monitor — user directories, scheduled tasks, or application-layer processes — Velvet Ant embedded backdoors at the OS authentication layer. By compromising PAM and OpenSSH, the group ensured:
- Every login attempt passed through their backdoored code — giving them visibility into all credentials used on the system
- Their own access remained invisible to conventional monitoring — authentication through the backdoor appeared as legitimate logins in system logs
- The backdoors survived patching and system updates in many cases, since organizations often neglect to verify the integrity of installed authentication binaries
PAM is the framework underlying authentication for virtually all Linux login mechanisms — local terminal, SSH, sudo, and countless applications. Modifying it provides a surveillance and access chokepoint unlike any other persistence mechanism.
Timeline: A Decade of Dwell Time
Sygnia's analysis indicates Velvet Ant maintained access to at least some victim environments for close to ten years — an extraordinary dwell time that underscores how effective targeting of rarely-audited system components can be. The group's persistence strategy was designed for longevity:
| Phase | Technique |
|---|---|
| Initial Access | Spearphishing or exploitation of externally-facing services |
| Establishment | Deploy modified PAM and OpenSSH binaries replacing legitimate ones |
| Credential Harvesting | PAM backdoor captures all authentication credentials silently |
| Persistent Access | Backdoored OpenSSH accepts hardcoded attacker key regardless of account |
| Detection Evasion | Legitimate-looking log entries; no external C2 required for access |
| Long-term Persistence | Survives reboots, account changes, and partial remediation |
Victims and Targeting
While Sygnia did not name specific victims, the firm indicated Velvet Ant focused on high-value enterprise targets — consistent with Chinese state-sponsored espionage objectives that prioritize strategic intelligence collection over financial gain. The campaign's focus on Linux infrastructure suggests targeting of:
- Telecommunications providers (core network infrastructure runs Linux)
- Enterprise data centers and cloud environments
- Defense and government contractors using Linux-based servers
- Financial institutions with Linux-based transaction and trading systems
The multi-year access implies the attackers were engaged in sustained intelligence collection rather than opportunistic data theft.
Why This Attack is Particularly Dangerous
The Authenticity Problem
When authentication software itself is compromised, defenders lose their primary trust anchor. Standard security controls that rely on authentication integrity — SIEM alerting on failed login patterns, PAM-based multi-factor authentication, SSH key auditing — can all be silently bypassed or manipulated by code running inside the authentication layer.
Log Manipulation Capability
With access to PAM and OpenSSH, the threat actor could:
- Suppress log entries for their own access sessions
- Generate plausible decoy log entries to mask anomalies
- Monitor and exfiltrate credentials in real-time as legitimate users authenticate
Credential Harvesting at Scale
A PAM backdoor positioned to capture credentials at authentication time has access to every password used on that system — including service accounts, privileged users, and credentials that may be reused across multiple systems. The cascading exposure from a single compromised authentication stack can be enormous.
Detection Challenges
Detecting this type of compromise is significantly harder than finding conventional malware:
File Integrity Monitoring (FIM): Most FIM solutions monitor application files and user directories. Authentication binaries like /lib/security/pam_*.so, /usr/lib/openssh/ssh-keysign, and the sshd binary itself are often excluded from regular integrity checks.
Log Analysis: Since the attacker controls what gets written to authentication logs, SIEM rules based on login anomalies will have reduced effectiveness once the backdoor is operational.
Behavioral Analysis: Access through the backdoor may be intentionally disguised to mimic legitimate admin activity patterns.
How to Detect Velvet Ant-Style Compromises
Binary Integrity Verification
```sh
# Verify PAM libraries against the hashes recorded by the package manager
rpm -V pam                                    # Red Hat/CentOS
dpkg --verify libpam-modules libpam-runtime   # Debian/Ubuntu (modules + /etc/pam.d config)
# Check OpenSSH binary integrity
sha256sum /usr/sbin/sshd
# Compare against the package repository hash, or let the package manager do it:
rpm -V openssh-server || dpkg --verify openssh-server
# Look for unauthorized SUID binaries in PAM directories (none are expected there)
find /lib/security /lib64/security /usr/lib/security -perm /4000 -ls 2>/dev/null
```
OpenSSH Anomaly Detection
```sh
# Check for unexpected authorized_keys entries (print each file's path before its contents)
find /home -name authorized_keys -print -exec cat {} \;
cat /root/.ssh/authorized_keys
# Verify sshd configuration for unauthorized changes; sshd -T prints the effective
# configuration, including anything pulled in through Include directives
grep -E "AuthorizedKeysFile|PermitRootLogin|PasswordAuthentication" /etc/ssh/sshd_config
sshd -T 2>/dev/null | grep -Ei "^(authorizedkeysfile|permitrootlogin|passwordauthentication) "
# Check that the running sshd binary matches the installed one; a "(deleted)" suffix
# means the file on disk was replaced after the daemon started
ls -la /proc/$(pgrep -o sshd)/exe
```
PAM Configuration Audit
```sh
# Review PAM configuration for active (uncommented) module lines; grep -r prefixes
# each match with its file name, so match "pam_" with no "#" earlier on the line
grep -rE "^[^#]*pam_" /etc/pam.d/
# Check for PAM modules not owned by any installed package
for f in /lib/security/*.so /lib64/security/*.so /usr/lib/security/*.so /usr/lib/*/security/*.so; do
    [ -e "$f" ] || continue
    rpm -qf "$f" >/dev/null 2>&1 || dpkg -S "$f" >/dev/null 2>&1 || echo "UNOWNED: $f"
done
```
Remediation Guidance
For organizations concerned about potential exposure:
- Audit authentication binary integrity — compare installed PAM and OpenSSH binaries against verified package hashes from the distribution's official repositories
- Enable file integrity monitoring on authentication paths — add /lib/security/, /usr/lib/security/, /usr/sbin/sshd, and /etc/pam.d/ to FIM coverage
- Rotate all credentials for any system found to have tampered authentication binaries — assume all credentials that passed through the system were captured
- Implement SSH certificate-based authentication using a separate certificate authority, making stolen long-lived SSH keys less useful
- Deploy network-based authentication monitoring — log all SSH connection attempts to a tamper-resistant, off-host logging system that PAM cannot reach
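The baseline comparison that the first two remediation bullets call for, applied to the PAM stack, as an added example that is not part of the Sygnia report or any project's code: it parses pam.d-style configuration for the modules actually loaded (handling bracketed control fields, include lines and continuation lines), hashes each module and reports anything modified, unbaselined or missing relative to a baseline taken from a clean install. The directory layout, file contents and module names such as pam_extra_constructed.so are constructed fixtures.

```python
"""PAM module integrity audit (added example, not Sygnia's or any project's code).
Lists every module loaded by pam.d-style configs, finds it in the given library
directories and compares its SHA-256 with a baseline taken from a clean install."""
import hashlib, re, tempfile
from pathlib import Path

CONTROL_BRACKET = re.compile(r"\[[^\]]*\]")  # e.g. [success=1 default=ignore]

def referenced_modules(pamd_dir):
    """Map module name -> list of pam.d files that load it."""
    refs = {}
    for cfg in sorted(Path(pamd_dir).iterdir()):
        text = cfg.read_text().replace("\\\n", " ")  # join continuation lines
        for raw in text.splitlines():
            # strip comments; collapse a bracketed control field into one token
            fields = CONTROL_BRACKET.sub("CTRL", raw.split("#", 1)[0]).split()
            # skip blanks, "@include x" (2 fields) and "type include|substack x"
            if len(fields) < 3 or fields[1] in ("include", "substack"):
                continue
            refs.setdefault(fields[2], []).append(cfg.name)
    return refs

def audit(pamd_dir, lib_dirs, baseline):
    """Classify each referenced module as ok, modified, unbaselined or missing."""
    findings = {}
    for name in referenced_modules(pamd_dir):
        candidates = [Path(name)] if name.startswith("/") else [Path(d, name) for d in lib_dirs]
        path = next((p for p in candidates if p.is_file()), None)
        if path is None:
            findings[name] = "missing"
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        expected = baseline.get(str(path))
        findings[name] = "unbaselined" if expected is None else "ok" if digest == expected else "modified"
    return findings

def demo():
    """Constructed fixture: record a clean baseline, then tamper with one module."""
    root = Path(tempfile.mkdtemp())
    lib, pamd = root / "lib" / "security", root / "pam.d"
    for d in (lib, pamd): d.mkdir(parents=True)
    for mod in ("pam_unix.so", "pam_deny.so"):
        (lib / mod).write_bytes(b"clean build of " + mod.encode())
    baseline = {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in lib.iterdir()}
    (lib / "pam_unix.so").write_bytes(b"replaced build")  # simulated tampering
    (lib / "pam_extra_constructed.so").write_bytes(b"not owned by any package")
    (pamd / "sshd").write_text("auth [success=1 default=ignore] pam_unix.so nullok\n"
                               "auth requisite pam_deny.so\n@include common-account\n"
                               "session optional pam_extra_constructed.so\n-session optional pam_gone.so\n")
    return audit(pamd, [lib], baseline)
```

On a real host, point it at /etc/pam.d and the distribution's module directory and feed it a baseline recorded from package-manager hashes or a trusted build; the same hash-against-baseline approach extends to /usr/sbin/sshd.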
The Broader Lesson
Velvet Ant's approach represents a maturation in APT persistence techniques. By targeting the authentication layer rather than higher-level application or user-space components, the group achieved:
- Near-zero detection probability from conventional security tooling
- Automatic access to every credential used on compromised systems
- Multi-year dwell times enabling patient intelligence collection
The incident reinforces that Linux authentication infrastructure must be included in routine integrity verification programs — a gap that exists in many enterprise environments that have invested heavily in Windows endpoint security while treating Linux servers as lower-risk managed infrastructure.