Nation-state, Jun 12, 2026

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

China-linked hackers used backdoored Linux login software to maintain access for nearly a decade.

Summary

A China-nexus threat group, tracked by Sygnia as Velvet Ant, has been using backdoored PAM and OpenSSH components on Linux systems to maintain stealthy access for up to a decade, with the earliest traces dating back to 2016. Rather than dropping new malware, the attackers modified the trusted login programs themselves to accept a hidden password and to record real credentials and commands, so the activity passed as routine administration and survived password resets and killed sessions. The tactic fits Velvet Ant's broader pattern of settling into infrastructure that is trusted by default and rarely inspected, seen earlier in its abuse of F5 BIG-IP appliances and its exploitation of the Cisco NX-OS flaw CVE-2024-20399.

Full text

Swati Khandelwal, Jun 12, 2026, Linux / Network Security

Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The targeted network had no direct internet access, so the group first staged through internet-facing systems to get there. The earliest traces go back to 2016.

Instead of dropping new malware that a scanner might catch, the attacker changed the trusted login programs themselves. No exploit was needed and nothing obvious appeared, so the activity looked like routine administration. On many machines, the attacker replaced the main PAM login module with backdoored copies. Some accepted a secret password that let the attacker in; others quietly recorded real usernames and passwords as people logged in. Researchers found nine separate versions. The OpenSSH programs were altered the same way, logging credentials and every command typed, with a hidden switch to turn that logging off when needed.

Reaching the isolated network at all took extra work. The attacker used other disguised tools and an internet-facing web server as a bridge, passing commands through it to open remote sessions deep inside the segment that had no direct internet access.

Because the login system itself was compromised, normal containment did little. Password resets and killed sessions do not help when the thing that checks those credentials is working for the attacker.

This is not new for the group. Each time defenders find one foothold, Velvet Ant moves to gear they watch less and sets up there. In a 2024 case, Sygnia found the same actor turning internet-exposed F5 BIG-IP appliances into internal command servers. Later that year, it reported the group exploiting a Cisco NX-OS flaw, CVE-2024-20399, to plant a backdoor on the switches. That bug needs admin access first, so it is a persistence tool, not a remote break-in. Cisco patched it in July 2024, and CISA flagged it as exploited the next day.

The campaign Sygnia calls Operation Highland is the same idea, one level deeper. Load balancers, switches, and the login software itself are trusted by default and rarely checked, which is exactly why a patient attacker hides inside them.

Operation Highland is not a one-CVE problem. The attacker changed trusted programs after getting in, so the fix is verification, not patching, and cleanup is delicate: a wrong replacement can lock admins out of a live system.

Watch the login files. Monitor the PAM modules, the OpenSSH binaries and their configuration files for any change, and alert when one changes. Hunt by checking what changed rather than waiting for an alert: compare these programs against known-good copies, because nothing else will flag them. Remove the backdoor before resetting passwords, or the new ones get stolen the same way. Test any replacement in a lab first. The earlier F5 and Cisco cases have their own checks: patch CVE-2024-20399 on Cisco Nexus gear, and watch F5 boxes for unexpected outbound connections.

The wider lesson is plain: infrastructure that sits outside normal monitoring still needs integrity checks, and that now includes the login layer.
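One way to carry out the "compare these programs against known-good copies" step above, as an added example that is not Sygnia's tooling, the article's code, or anything recovered from the campaign: record a content-hash baseline of the PAM modules, OpenSSH binaries and their configuration on a clean host, keep it off the box, and diff the live files against it. The watch-list paths (a Debian/Ubuntu layout), the JSON baseline format and the function names are assumptions for illustration; adjust the paths for the distribution in use.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for the Linux login path.

Added example for this article, not Sygnia's tooling or an artifact from
the campaign. It hashes the PAM modules, OpenSSH binaries and their config,
stores the result as a JSON baseline, and later reports what changed.
The watch-list paths are illustrative (Debian/Ubuntu layout). Keep the
baseline off the host: an attacker who replaced pam_unix.so can also edit
a file sitting next to it.
"""
import hashlib
import json
import os
import stat
from pathlib import Path

# Files the login decision depends on. The article's attacker replaced the
# PAM login module and the OpenSSH programs; the PAM stack and sshd config
# are included because a one-line "auth sufficient" edit is just as effective.
DEFAULT_WATCHLIST = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",  # assumed Debian path
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/etc/pam.d/common-auth",
    "/etc/pam.d/sshd",
    "/etc/ssh/sshd_config",
]


def sha256_file(path: Path) -> str:
    """Hash file contents. Content, not mtime: mtime is trivially forged
    with touch(1), and a backdoored copy can keep the original size."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a replacement commonly disturbs."""
    st = path.lstat()
    entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid}
    if stat.S_ISLNK(st.st_mode):
        # Record where the link points; re-pointing a symlink is a quieter
        # way to substitute a binary than overwriting the file itself.
        entry["symlink"] = os.readlink(path)
        target = path.resolve()
        entry["sha256"] = sha256_file(target) if target.is_file() else None
    else:
        entry["sha256"] = sha256_file(path)
    return entry


def build_baseline(paths, root: Path = Path("/")) -> dict:
    """Fingerprint every watched path that exists under root.
    Run this on a clean image or a freshly installed host, never on a
    suspect one, or the backdoor becomes the reference."""
    baseline = {}
    for p in paths:
        full = root / p.lstrip("/")
        if full.exists() or full.is_symlink():
            baseline[p] = fingerprint(full)
    return baseline


def verify(baseline: dict, root: Path = Path("/")) -> dict:
    """Compare live files against the baseline.
    Returns {"ok": [...], "modified": {path: [changed fields]}, "missing": [...]}."""
    result = {"ok": [], "modified": {}, "missing": []}
    for p, expected in baseline.items():
        full = root / p.lstrip("/")
        if not (full.exists() or full.is_symlink()):
            result["missing"].append(p)
            continue
        actual = fingerprint(full)
        diffs = [k for k in expected if actual.get(k) != expected[k]]
        diffs += [k for k in actual if k not in expected]
        if diffs:
            result["modified"][p] = diffs
        else:
            result["ok"].append(p)
    return result


if __name__ == "__main__":
    import sys
    # usage: login_integrity.py baseline OUT.json | login_integrity.py verify BASELINE.json
    cmd, path = sys.argv[1], Path(sys.argv[2])
    if cmd == "baseline":
        path.write_text(json.dumps(build_baseline(DEFAULT_WATCHLIST), indent=2))
    elif cmd == "verify":
        report = verify(json.loads(path.read_text()))
        print(json.dumps(report, indent=2))
        sys.exit(1 if report["modified"] or report["missing"] else 0)
```

For package-managed files, `dpkg -V libpam-modules openssh-server` (Debian) or `rpm -V pam openssh-server` (RHEL) give a quick first pass, but the package database lives on the same host as the attacker, so a baseline taken from a clean image and stored off-box is the stronger reference. A hash mismatch on pam_unix.so or sshd is a finding to investigate before any password reset, not after.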

Indicators of Compromise

  • cve — CVE-2024-20399

Entities

  • Velvet Ant (threat_actor)
  • PAM (product)
  • OpenSSH (product)
  • F5 BIG-IP (product)
  • Cisco NX-OS (product)
  • Operation Highland (campaign)