GBHackers

Velvet Ant Hackers Backdoor OpenSSH and PAM to Spy on Critical Infrastructure Network


A long-running, highly disciplined intrusion attributed to the China-nexus actor known as Velvet Ant has been revealed as a near-decade campaign of silent access that culminated in the replacement of core authentication components, OpenSSH binaries and PAM modules, across a segregated critical-infrastructure network.

The intrusion chain began with compromises of internet-facing systems where the operator deployed custom tools to establish covert command and control and tunneling capabilities.

A modified GS‑Netcat binary masquerading as a kernel thread (auditdb) provided encrypted reverse shells back to relay infrastructure, while a bespoke SOCKS5 proxy routed lateral traffic.

Velvet Ant further abused web infrastructure by reconfiguring Nginx and chaining FastCGI wrappers to execute binaries on back-end hosts, creating an HTTP-triggered execution bridge into the segmented environment.

Sygnia's incident-response reconstruction, published as Operation Highland, places the earliest activity in the environment in 2016, exposing a persistent, multi-stage attack that bypassed network segmentation and embedded itself in the authentication mechanisms themselves.

Velvet Ant deployed a modified version of GS-Netcat on internet-facing servers to establish a reverse shell connection to a remote C2 server. 

Snippet from IDA showing the usage of GS-Netcat (Source : Sygnia).

This deliberate staging allowed the actor to reach internal critical hosts without any direct external connectivity.

Velvet Ant Hackers Backdoor OpenSSH

Once inside, the adversary conducted a methodical assault on the authentication stack. Sygnia identified nine distinct backdoored pam_unix.so variants compiled in separate build environments, demonstrating a structured pipeline and significant resourcing.

These malicious PAM modules either accepted hardcoded backdoor passwords, harvested legitimate credentials to hidden stores, or performed both functions.

Because PAM underlies many login flows, the modifications gave Velvet Ant transparent, universal control over authentication, enabling access that survived password rotations and ordinary containment efforts.

Complementing PAM tampering, Velvet Ant deployed multiple modified OpenSSH suites across hosts. Malicious versions of ssh, sshd and scp were observed performing credential dumping, encrypted command keylogging, SELinux disabling when executed as root, process disguising, and timestomping to erase forensic timelines.

Decrypted credential dump from /usr/share/man9/ph/.ph.man, showing entries in the format [Connection Direction][Authentication Type][Success Status]-user@IP:port->password (Source : Sygnia).

Each entry carries three flags:
– Connection direction: O (outgoing) / I (incoming)
– Authentication type: B (Kerberos authentication), C (PAM authentication), X (SSH2 authentication), etc.
– Success status: Y (successful) / N (unsuccessful).

The actors even added a bespoke -d flag to newer ssh binaries that suspended credential and session logging for their own sessions, an operational security (OpSec) refinement that reduced detectable traces during active operations.
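As an added triage example (not Sygnia's code, and not data from the report), the parser below turns a decrypted dump in the format described above into a list of accounts to rotate. The on-disk layout is an assumption: each record is taken as the three flag letters, with or without surrounding brackets, followed by -user@host:port->password. The sample lines are constructed.

```python
"""Triage parser for a credential store in the layout Sygnia describes for
.ph.man: [direction][auth type][status]-user@host:port->password.
Added example; the exact record layout is assumed, not taken from a sample."""
import re
from collections import Counter, defaultdict

# Letters documented in the report; anything else is reported as unknown.
AUTH_TYPES = {"B": "kerberos", "C": "pam", "X": "ssh2"}

# Brackets around each flag are optional so both "[I][C][Y]-" and "ICY-" parse.
RECORD = re.compile(
    r"^\[?(?P<dir>[IO])\]?\[?(?P<auth>[A-Z])\]?\[?(?P<ok>[YN])\]?"
    r"-(?P<user>[^@]+)@(?P<host>[^:]+):(?P<port>\d+)->(?P<password>.*)$"
)


def parse_dump(text):
    """Return (records, unparsed_lines). Unparsed lines are kept for manual review."""
    records, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            bad.append(line)
            continue
        d = m.groupdict()
        records.append({
            "direction": "incoming" if d["dir"] == "I" else "outgoing",
            "auth": AUTH_TYPES.get(d["auth"], "unknown:" + d["auth"]),
            "success": d["ok"] == "Y",
            "user": d["user"],
            "host": d["host"],
            "port": int(d["port"]),
            "password": d["password"],
        })
    return records, bad


def rotation_list(records):
    """Accounts whose password was captured on a successful login, keyed by
    (host, user). Outgoing entries come from the trojanised ssh client, so the
    burned credential belongs to the destination host, not to the host the
    dump was collected from."""
    burned = defaultdict(set)
    for r in records:
        if r["success"]:
            burned[(r["host"], r["user"])].add(r["direction"])
    return {k: sorted(v) for k, v in burned.items()}


def summarize(records):
    """Counts per (direction, auth type, success) to size the exposure."""
    return Counter((r["direction"], r["auth"], r["success"]) for r in records)


# Constructed sample; not data from the report.
SAMPLE = """\
[I][C][Y]-admin@10.10.1.5:22->Winter2016!
[O][X][Y]-root@10.10.2.9:22->hunter2
[I][C][N]-admin@10.10.1.5:22->Winter2015!
IBY-svc_backup@10.10.3.3:2222->kerberos-ticket
garbage line
"""

if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE)
    for (host, user), dirs in sorted(rotation_list(recs).items()):
        print(f"rotate {user}@{host}  (seen: {', '.join(dirs)})")
    print("summary:", dict(summarize(recs)))
    print("unparsed:", bad)
```

Failed attempts (status N) are still worth keeping: an old password typed by mistake tells you which previous credential the operator also holds.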

An older variant used a rotating set of encrypted MD5 hashes as backdoor tokens, changing the effective password daily to frustrate detection.

The malicious scp binary could disable SELinux when executed as root, since only the root user can modify SELinux settings. 

The combined compromise of PAM, OpenSSH, and authorized_keys effected layered persistence: authentication bypass, credential exfiltration, and durable SSH-key access.


Snippet of ‘scp’ file in IDA showing the SELinux disabling (Source : Sygnia).

That architecture made remediation uniquely hazardous in a critical environment. Replacing corrupted PAM modules or SSH binaries carries immediate risk of administrator lockout or production outages, especially in air-gapped or internet-restricted networks where live package pulls and dependency resolution are impossible.

Sygnia’s remediation emphasized laboratory testing, per-host profiling to identify compatible replacement binaries, serialized deployment into the isolated environment, and explicit rollback plans to avoid inadvertently denying access during cleanup.

Defenders should treat authentication subsystems as primary attack surfaces. Recommended mitigations include endpoint visibility (EDR) and telemetry relays for isolated networks, file-integrity monitoring focused on PAM and OpenSSH artifacts, strict privileged-access controls, vaulting credentials, disabling direct root SSH, and routing administration through hardened jump hosts with MFA enforced before reaching critical hosts.
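As an added example of the file-integrity and key-audit checks recommended above (not Sygnia's tooling), the script below baselines the PAM and OpenSSH binaries from a known-good source, flags a replacement whose mtime was preserved (the timestomping pattern), and audits authorized_keys against approved fingerprints. The paths in WATCHED and the sample key file are assumptions; the key blobs are fake base64 payloads, not real keys.

```python
"""Baseline/diff checks for the authentication artifacts replaced in
Operation Highland, plus an authorized_keys audit. Added example; the watched
paths are assumptions and vary by distribution."""
import base64
import hashlib
import os
import tempfile

# Assumed locations. pam_unix.so lives in /lib/security, /lib64/security or
# /lib/<triplet>/security depending on the distribution.
WATCHED = [
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp",
    "/lib64/security/pam_unix.so",
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Hash, size, mtime and ctime of each existing path. Take the baseline from
    a golden host or the package payload, never from the suspect system."""
    out = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            out[p] = {"sha256": sha256_file(p), "size": st.st_size,
                      "mtime": st.st_mtime, "ctime": st.st_ctime}
    return out


def diff_snapshots(baseline, current):
    """A changed hash with an unchanged mtime is the signature of a replacement
    that was timestomped: utime()-style tools rewind mtime but cannot set
    ctime, which the kernel bumps on every inode change."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
        elif cur["sha256"] != base["sha256"]:
            kind = "replaced-mtime-preserved" if abs(cur["mtime"] - base["mtime"]) < 1.0 else "replaced"
            findings.append((path, kind))
    return findings


def self_check():
    """Reproduce the pattern on a scratch file: overwrite it, rewind mtime to
    the original value as a timestomping tool would, and confirm the diff fires."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "pam_unix.so")
        with open(p, "wb") as f:
            f.write(b"original module")
        base = snapshot([p])
        with open(p, "wb") as f:
            f.write(b"trojanised module")
        os.utime(p, (base[p]["mtime"], base[p]["mtime"]))
        return [kind for _, kind in diff_snapshots(base, snapshot([p]))]


def ssh_fingerprint(b64_blob):
    """OpenSSH SHA256 fingerprint (what `ssh-keygen -lf` prints) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def audit_authorized_keys(text, approved):
    """Flag keys whose fingerprint is not approved, with any options (e.g. a
    forced command) attached, and lines that do not parse so they get eyes on them."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, t in enumerate(parts[:2]) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            flagged.append(("unparseable", line))
            continue
        try:
            fp = ssh_fingerprint(parts[idx + 1])
        except ValueError:
            flagged.append(("unparseable", line))
            continue
        options = parts[0] if idx == 1 else ""
        comment = " ".join(parts[idx + 2:])
        if fp not in approved:
            flagged.append(("unapproved-key", fp, comment, options))
    return flagged


def selinux_enforcing():
    """True/False from the SELinux pseudo-file, None where SELinux is absent."""
    try:
        with open("/sys/fs/selinux/enforce") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


# Constructed sample authorized_keys; blobs are fake payloads, not real keys.
_BLOB_ADMIN = base64.b64encode(b"constructed-admin-key").decode()
_BLOB_ROGUE = base64.b64encode(b"constructed-rogue-key").decode()
SAMPLE_KEYS = f"""# managed by config management
ssh-ed25519 {_BLOB_ADMIN} admin@jump01
no-pty,command="/bin/sh" ssh-rsa {_BLOB_ROGUE} backup
ssh-rsa not*base64 junk
"""
APPROVED = {ssh_fingerprint(_BLOB_ADMIN)}

if __name__ == "__main__":
    print("self-check:", self_check())
    print("live hosts:", diff_snapshots(snapshot(WATCHED), snapshot(WATCHED)) or "baseline needed")
    print("keys:", audit_authorized_keys(SAMPLE_KEYS, APPROVED))
    print("selinux enforcing:", selinux_enforcing())
```

Store the baseline snapshot off-host and compare against it from a telemetry relay; a baseline kept on the same box can be rewritten by the same actor who replaced the binaries.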

Rotation of credentials must occur only after persistence is removed, and organizations should prepare golden recovery hosts and offline, immutable backups to permit safe restoration.

Operation Highland exemplifies how a patient, well-resourced actor can weaponize the authentication layer to achieve stealthy long-term access inside segregated infrastructure.

The investigation and advisory materials from Sygnia, including their prior reporting on Velvet Ant’s exploitation of F5 BIG‑IP appliances and the CVE‑2024‑20399 Cisco NX‑OS zero-day and the VELVETSHELL backdoor on Nexus switches, provide detailed indicators and remediation guidance and should be consulted by teams defending high-value operational environments.



