Sygnia has published a forensic report, Operation Highland, on a China-nexus espionage group it tracks as Velvet Ant (MITRE ATT&CK group G1047). The short version: the attacker did not rely on a novel exploit or a malicious binary dropped into a monitored directory. It compromised the components that decide who is allowed to log in — PAM modules and OpenSSH — and from there sat inside an organization’s internal network for nearly a decade without detection. The earliest forensic artifacts trace back to roughly 2016. For anyone running Linux fleets, this is a reminder that your trusted login path is also an attack surface.

What happened

The target network had no direct internet access. Velvet Ant staged through internet-facing servers first, then worked inward. Sygnia does not say how initial access was obtained, but documents the tooling well:

A modified build of GS-Netcat established a reverse shell to a remote C2 from the internet-facing servers. To pivot deeper, the group used modified Nginx configurations plus a custom binary that opens an SSH connection to an internal server when triggered by an HTTP POST request, and a custom implementation of the open-source ssspl SOCKS5 proxy for tunneling and lateral movement.

None of that is the interesting part. The interesting part is what they did once they had a foothold on enough hosts.

Taking over the authentication layer

Velvet Ant backdoored the authentication stack in three independent layers, so that removing any one of them would not be enough.

First, the PAM modules. The group replaced pam_unix.so, hooking pam_sm_authenticate — the function that actually verifies a login. The backdoored module accepts a hardcoded secret password that bypasses authentication entirely, and silently writes every username and password entered by legitimate users to a hidden file. Sygnia identified nine distinct pam_unix.so variants, each built in a separate compile environment. That level of build discipline points to a well-resourced, deliberate operation rather than an opportunistic one.

Second, the OpenSSH binaries. The modified sshd and ssh captured credentials from both incoming and outgoing connections, logged every command typed during active sessions, and stored the lot in encrypted files disguised to blend into the filesystem. A custom flag could suppress credential and key logging on demand; another flag disguised the process name so it blended in with normal system processes.

Third, the boring-but-durable layer: they appended their own keys to authorized_keys on compromised servers. That grants password-free access that survives a full password rotation — a fallback that works even if the trojanized binaries are found and replaced.

The result is access that is, by design, indistinguishable from legitimate administration. There is no anomalous log entry when the component generating the logs is the backdoor.

Why this is so hard to remove

Eviction here is not “delete a rogue file and restart a service.” Replacing PAM modules and OpenSSH binaries on a live host is genuinely dangerous: a wrong package, an incompatible binary, or a missing dependency can lock administrators out completely. On critical infrastructure, that turns remediation into a production outage. Sygnia notes the affected fleet spanned multiple Linux distributions and versions, so remediation packages had to be tailored per host, tested, and shipped with rollback plans for each failure scenario.

What to do now

There is no CVE and no patch — this is an intrusion pattern, not a single vulnerability. Defenders should:

Verify the integrity of pam_unix.so, sshd, and ssh against known-good distribution packages (compare hashes, not timestamps; reinstall from trusted repos). Audit every authorized_keys file for keys you cannot attribute to a known operator. Watch for PAM modules or SSH binaries that diverge from package-manager checksums, and for hidden files near the auth components.
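The two checks above, as an added example that is not part of Sygnia's report or this write-up: a small Python helper that compares the authentication components against a known-good hash baseline (which you must take from package metadata or a clean reference host, never the suspect machine) and flags authorized_keys entries whose comment does not match a known operator. The paths, key material and operator names are constructed for the demo.

```python
import hashlib
import shlex
import tempfile
from pathlib import Path

# Constructed sample (not from the report): two attributable keys and one that is not.
KNOWN_OPERATORS = {"alice@bastion", "deploy@ci"}
SAMPLE_AUTHORIZED_KEYS = """# managed by config-management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey1 alice@bastion
command="/usr/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EConstructedKey2 deploy@ci
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey3
"""

def sha256_of(path):
    # Compare content hashes, not timestamps: an intruder resets mtime trivially.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_integrity(paths, baseline):
    # baseline = known-good hashes from package metadata or a clean reference host, never the suspect host.
    findings = []
    for p in paths:
        actual = sha256_of(p) if Path(p).exists() else None
        if actual != baseline.get(p):
            findings.append((p, baseline.get(p), actual))  # (path, expected, actual); None = absent
    return findings

def audit_authorized_keys(text, known_operators):
    # Returns (line_no, comment) for entries not attributable to a known operator; shlex keeps
    # leading options such as command="..." (which may contain spaces) as one token.
    unattributed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        i = next((k for k, f in enumerate(fields)
                  if f.startswith(("ssh-", "ecdsa-", "sk-"))), len(fields))
        comment = " ".join(fields[i + 2:])
        if comment not in known_operators:
            unattributed.append((lineno, comment or "<no comment>"))
    return unattributed

def run_demo():
    # Constructed scenario: baseline two files, then swap one for a different build.
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / n for n in ("ssh", "pam_unix.so")]
        for p in paths:
            p.write_bytes(b"clean build\n")
        baseline = {p: sha256_of(p) for p in paths}
        paths[1].write_bytes(b"clean build\nhooked pam_sm_authenticate\n")
        return [p.name for p, _, _ in check_integrity(paths, baseline)]
```

On a real host, feed check_integrity the distribution's paths for pam_unix.so, sshd and ssh with hashes recorded from a trusted source, and run the key audit over every user's authorized_keys, including root's.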

More broadly, take the lesson Sygnia draws explicitly: signature-based detection and alert-driven SOC workflows fail against a patient adversary that lives inside trusted components. The frame has to shift from “what is known to be malicious” to “what is inconsistent, unexpected, or unjustified in this environment.” Segmented and air-gapped networks are exactly where that proactive hunting matters most, because the assumption of isolation breeds a false sense of security.

Sygnia’s full write-up is available in its Operation Highland report.