Podcast Episode
China-Linked Hackers Hijacked Linux Login System for Nearly a Decade
June 15, 2026
Incident-response firm Sygnia has revealed that a China-nexus espionage group it tracks as Velvet Ant lurked inside a sensitive network for almost ten years. The attackers rewrote the Linux login software itself to stay hidden, in a campaign dubbed Operation Highland.
A Decade in the Shadows
A China-nexus espionage group quietly inhabited an organisation's most sensitive network for close to ten years, evading detection by rewriting the very software that handles user logins, according to a forensic investigation published this week by incident-response firm Sygnia. The intrusion, which Sygnia calls Operation Highland, is attributed to a threat actor the firm tracks as Velvet Ant. The earliest forensic traces date back to 2016, meaning the group maintained access for nearly a decade before being discovered.
Inside the Authentication Stack
Rather than relying on a single implant that defenders could find and remove, Velvet Ant replaced pam_unix.so — the Linux Pluggable Authentication Module that checks passwords — and several OpenSSH binaries with backdoored versions across multiple hosts. This gave the attackers a hidden bypass to log in as any user and a built-in keylogger that captured legitimate credentials as administrators typed them.
Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate build environment, pointing to a well-resourced and deliberate operation. The tampered SSH binaries carried a custom flag to suppress their own credential logging, letting operators manage their forensic footprint during live activity.
The targeted critical network had no direct internet connection. Velvet Ant reached it through a multi-stage lateral path: first compromising internet-facing servers, then tunnelling through the corporate IT network using a modified version of GS-Netcat renamed "auditdb" and dropped into /usr/sbin/ to blend in with system utilities.
Why Cleanup Is Unusually Risky
Because the attackers controlled the components that handle remote access and system administration, standard containment steps proved ineffective. The backdoors survived password changes and session terminations. Sygnia stresses that incorrect replacements of compromised binaries on live systems could lock administrators out entirely, and that backdoors must be removed before resetting passwords to prevent credential re-theft. The firm recommends monitoring PAM modules and OpenSSH binaries for unexpected changes, validating login-related files against known-good baselines, and hunting for unauthorised authorized_keys entries.
A Familiar Pattern
This is not the first time Sygnia has documented Velvet Ant's persistence-focused tradecraft. The firm previously tied the group to the abuse of F5 BIG-IP appliances and exploitation of CVE-2024-20399, a zero-day in Cisco NX-OS, to plant backdoors on Nexus switches. The consistent pattern: when detected, Velvet Ant pivots to less-monitored infrastructure and rebuilds.
The disclosure arrives amid a broader wave of warnings about Chinese cyber operations against critical infrastructure. CrowdStrike reported this week that China-nexus adversaries drove more than 58% of state-sponsored intrusions against technology entities between April 2025 and March 2026.
Published June 15, 2026 at 4:11am