CyberSecurityBoard · Attack Groups

China-Linked Velvet Ant Backdoored Linux PAM and OpenSSH for Nearly a Decade

June 25, 2026

Sygnia, which tracks the China-nexus group as Velvet Ant, found that the group backdoored Linux PAM and OpenSSH components to keep persistent access for nearly a decade, with the earliest traces dating back to 2016. Rather than deploying new malware, the attackers modified trusted login components, so the implants looked like legitimate system files and survived routine credential resets. They replaced the main PAM authentication module with backdoored copies that either granted access via a secret password or silently captured usernames and passwords. Because the secret-password check runs inside the attacker's own copy of the module, rotating user passwords does nothing to evict them; only replacing the module does. OpenSSH was altered in the same way to log credentials and commands, with a hidden switch to disable the logging. The group targeted an isolated network with no direct internet access, using an internet-facing web server as a bridge into it. Sygnia found nine distinct versions of the backdoored PAM module.

This campaign, dubbed Operation Highland, follows earlier Velvet Ant operations: in 2024 the group exploited F5 BIG-IP appliances and the Cisco NX-OS flaw CVE-2024-20399 to plant backdoors.

The article stresses that patching alone is insufficient. Organizations should verify the integrity of PAM and OpenSSH binaries against known-good copies, test the replacements in a lab, and remove the backdoors before resetting passwords, since a reset performed while the backdoored module is still in place simply hands the new credentials to the attacker. It also recommends monitoring for unexpected outbound connections from F5 devices and patching CVE-2024-20399 on Cisco Nexus gear.
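The integrity check recommended above, as an added example that is not part of the article or of Sygnia's tooling: a POSIX shell function that compares installed files against a SHA-256 manifest taken from a known-good copy (vendor media or a trusted backup). The paths, the manifest format, the choice of pam_unix.so as the PAM module of interest, and the sample files are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify PAM / OpenSSH binaries against a known-good SHA-256 manifest.
# Not from the article or from Sygnia. pam_unix.so and the paths are assumptions.

# verify_manifest MANIFEST ROOT
#   MANIFEST: lines in sha256sum format, "<sha256>  <path relative to ROOT>"
#   ROOT:     "/" on a live host, or the mount point of a forensic image
# Prints OK / MODIFIED / MISSING per file. Returns 0 only if every file matches.
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue          # skip blank lines
        case $expected in '#'*) continue ;; esac # skip comments
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING   %s\n' "$relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK        %s\n' "$relpath"
        else
            printf 'MODIFIED  %s\n' "$relpath"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# build_demo DIR: constructed mini filesystem for illustration. "good" is the
# trusted copy the manifest is generated from; "live" mimics a compromised host
# where sshd is intact but the PAM module has been swapped for a different file.
build_demo() {
    dir=$1
    mkdir -p "$dir/good/lib/security" "$dir/good/usr/sbin" \
             "$dir/live/lib/security" "$dir/live/usr/sbin"
    printf 'constructed stand-in for genuine pam_unix.so\n' > "$dir/good/lib/security/pam_unix.so"
    printf 'constructed stand-in for genuine sshd\n'        > "$dir/good/usr/sbin/sshd"
    # Manifest is produced from the known-good tree, never from the suspect host
    (cd "$dir/good" && sha256sum lib/security/pam_unix.so usr/sbin/sshd) > "$dir/manifest.sha256"
    cp "$dir/good/usr/sbin/sshd" "$dir/live/usr/sbin/sshd"
    printf 'constructed stand-in for a tampered pam_unix.so\n' > "$dir/live/lib/security/pam_unix.so"
}

# Stand-alone run against the constructed tree (on a real case: verify_manifest manifest.sha256 /)
if [ "${DEMO:-1}" = 1 ] && [ -z "${SKIP_DEMO:-}" ]; then
    demo=$(mktemp -d)
    build_demo "$demo"
    verify_manifest "$demo/manifest.sha256" "$demo/live" || echo "integrity check FAILED"
    rm -rf "$demo"
fi
```

Two caveats a responder should keep in mind. First, `rpm -V`, `dpkg -V` and `debsums` compare against the local package database, which a root-level intruder who has already replaced pam_unix.so can also edit, so the hashes must come from outside the host. Second, on a machine where login components are already untrusted, `sha256sum` and the shell themselves may be untrusted too; run the check from a clean boot environment or against a mounted image, and only then proceed to the password resets the article describes.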

CVEs: CVE-2024-20399, CVE-2026-11645

Attack groups: Velvet Ant

Companies: Sygnia, Cisco, F5

Products: PAM, OpenSSH, F5 BIG-IP, Cisco NX-OS

Events: Operation Highland