Velvet Ant APT: Auth Stack Hijack for a Full Decade

China’s Velvet Ant threat group maintained undetected access to a critical infrastructure network for nearly a decade by replacing Pluggable Authentication Modules (PAM) and OpenSSH binaries with backdoored versions, enabling credential harvesting and authentication bypass across all compromised hosts. Sygnia’s forensic reconstruction of Operation Highland reveals how attackers engineered an HTTP-based execution bridge into an isolated network and embedded persistence directly into the authentication layer — making conventional remediation ineffective without lab-validated binary replacement.
When Authentication Becomes the Backdoor
Sygnia’s Incident Response team has published a forensic reconstruction of “Operation Highland,” a campaign by the China-nexus threat group Velvet Ant that maintained undetected access to a critical infrastructure network for nearly a decade — since 2016. The target network had no direct internet connectivity. The attacker engineered a multi-stage proxy chain through internet-facing servers to reach it, then replaced Pluggable Authentication Modules (PAM) and OpenSSH binaries across compromised hosts to embed persistence directly into the authentication layer. The result: every login, every credential, and every administrative command became observable and controllable by the threat actor for ten years (Sygnia).
This is not another supply-chain or zero-day story. It is a case study in what happens when an adversary controls the authentication stack itself — and why conventional containment, credential rotation, and endpoint remediation fail against that model. For cloud and on-prem security teams, the operational lessons are immediate.
Multi-Stage Attack Chain Via HTTP
Velvet Ant’s path followed three stages. First, the group compromised internet-facing servers using a modified version of GS-Netcat, a publicly available encrypted reverse shell from the Global Socket Toolkit. The binary was renamed auditdb, placed in /usr/sbin/, and disguised its process name as [khubd] — a legitimate kernel thread — by overwriting its own argv[0] parameter. Persistence was achieved via malicious systemd unit files disguised as Chrome services on newer hosts, and through startup script modifications on older SysVinit systems (Sygnia).
Second, Velvet Ant deployed a custom SOCKS5 proxy written in Perl — based on the open-source ssspl project on GitHub — to tunnel traffic through compromised hosts. The proxy ran as a daemon masquerading as smbd -D, with each sample using a unique filename, process name, and listening port to complicate correlation across hosts (Sygnia).
The third stage is the most technically notable. To reach the isolated critical infrastructure network, Velvet Ant modified the Nginx configuration on a compromised internet-facing server to proxy specific URL requests through to a compromised backend server. The backend’s Nginx config was further altered to forward those requests to a FastCGI process (fcgiwrap), which executed a custom binary named uptime. That binary established SSH connections into the isolated network using parameters supplied via HTTP POST requests. The attacker effectively built a remote execution bridge into a segregated environment using nothing but crafted HTTP requests — no direct network path required (Sygnia).
PAM Hijacking: Nine Variants, One Purpose
Once inside the isolated network, Velvet Ant shifted focus to long-term persistence by targeting the authentication stack. The group replaced legitimate pam_unix.so modules with backdoored versions across multiple compromised hosts. Sygnia identified nine distinct variants, each compiled in a separate build environment — evidence of a structured, per-target build pipeline rather than opportunistic deployment (Sygnia).
The modified pam_sm_authenticate function operated in two primary modes:
- Authentication bypass only: The module accepted a hardcoded backdoor password, bypassing the normal verification process entirely. After successful bypass, the password string was immediately overwritten in memory with NULL values to prevent memory forensics from recovering it.
- Bypass plus credential harvesting: The module accepted a hardcoded password (one identified example: Pamauth@123456, stored encrypted in the binary) while simultaneously recording every username and password pair submitted by legitimate users into a hidden log file at /usr/sbin/.ssh.log (Sygnia).
The critical implication: a compromised PAM module affects every service that relies on it — SSH, su, sudo, local console login, and any application using PAM-based authentication. The attacker gained visibility into credentials as they were used, transparently and without generating anomalous log entries. Password changes became irrelevant; the new credentials were harvested through the same compromised module (Sygnia). This aligns with findings that stolen credentials drive 31% of breaches — when the credential pipeline itself is compromised, rotation alone cannot break the cycle.
Trojanized OpenSSH: Full Session Visibility
Alongside PAM backdoors, Velvet Ant replaced OpenSSH binaries (ssh, sshd, scp, and in some cases ssh-keygen) with trojanized versions compiled per OS version. Two generations were identified:
| Capability | Newer Variant | Older Variant |
|---|---|---|
| Credential dump location | /usr/share/man9/ph/.ph.man | /usr/lib/eth-scsi/libethscsi.so |
| Keylogging path | /usr/share/man9/ph/ | /var/lib/sam/ |
| Backdoor auth | Hardcoded encrypted password | Seven rotating MD5 hashes (day-of-week based) |
| Timestomping | All files + directory | Directories only (files left unchanged) |
| SELinux disabling | Yes (via trojanized scp) | No |
Credential dumps recorded connection direction (incoming/outgoing), authentication type (Kerberos, PAM, SSH2), and success status. Keylogging captured every command typed in shell sessions, with log filenames derived from MD5 hashes of connected users and TTY identifiers. The newer variant’s modified scp binary included a custom ! flag that disguised the process as [kauditd] -sh and could disable SELinux when executed as root (Sygnia).
Most notably, the trojanized ssh binary included a custom -d flag that allowed the attacker to disable their own credential logging and keylogging during live operations — a deliberate OpSec measure that eliminated forensic evidence of their own sessions while maintaining visibility into everyone else’s (Sygnia).
Why Remediation Became a Crisis
Standard incident response playbooks assume you can remove malware, rotate credentials, and restore from known-good images. Operation Highland broke that model. The attacker’s persistence was embedded in the same components administrators rely on to access and manage production systems: pam_unix.so, OpenSSH binaries, and authorized_keys files. Replacing a malicious service is trivial; replacing PAM modules and OpenSSH binaries on critical infrastructure without locking administrators out of a host is an engineering problem — one that echoes the remediation challenges seen in the Dell RecoverPoint ghost NIC backdoor incident, where firmware-level persistence similarly defied conventional cleanup (Sygnia).
Compounding the challenge: the server estate spanned multiple Linux distributions and versions, each with its own binaries, libraries, PAM implementation, and OpenSSH build. A remediation package that was safe for one host could brick another. Most systems had no internet access, ruling out live package pulls or dependency resolution. Sygnia established a testing lab to validate binary replacements before production execution, profiled each host individually, prepared rollback procedures, and validated SSH and authentication health as part of the remediation step — not as a post-cleanup afterthought (Sygnia).
Credential rotation had to wait until persistence was fully removed. Otherwise, new passwords would simply be harvested through the same compromised PAM and OpenSSH components. The remediation was serialized and encoded to move eradication logic into the restricted network in a controlled, verifiable manner (Sygnia).
What This Means for Your Environment
Velvet Ant has a documented track record. Sygnia previously reported on the group abusing F5 BIG-IP appliances and legacy Windows infrastructure for long-term persistence. In 2024, Cisco confirmed a Velvet Ant zero-day (CVE-2024-20399) in NX-OS running on Nexus switches, used to deploy a hybrid backdoor (VELVETSHELL) directly on network infrastructure (BleepingComputer). The pattern is consistent: escalate when detected, pivot to less-monitored infrastructure, rebuild persistence from a new vantage point.
The specific techniques — PAM replacement, OpenSSH trojanization, Nginx/FastCGI proxying — are not zero-days. They are configuration-level modifications and binary replacements that operate below the detection threshold of most endpoint tooling. As Cloudflare’s 2026 threat report confirms, sophisticated adversaries increasingly bypass perimeter defenses by hijacking authentication flows rather than exploiting boundary vulnerabilities. This is what makes Velvet Ant’s approach dangerous.
Detection and Hardening Checklist
Based on the Sygnia findings, security teams should immediately evaluate the following controls:
- File Integrity Monitoring on authentication components: Deploy FIM specifically on /lib/security/, /usr/sbin/, and OpenSSH binary paths. Alert on any modification to pam_unix.so, ssh, sshd, or scp. Forward alerts to the SIEM with high-priority routing (Sygnia).
- RPATH inspection: The backdoored PAM modules contained embedded RPATH values pointing to build directories (e.g., /home/kevin/Desktop/Linux-PAM-... and /c/src/Linux-PAM-...). Scan shared libraries for unexpected RPATH entries as a detection signal (Sygnia).
- Hidden file and directory hunting: Search for credential stores at /usr/sbin/.ssh.log, /usr/share/man9/ph/, /usr/lib/eth-scsi/, and /var/lib/sam/. These paths were used across multiple hosts and represent reliable indicators of compromise (Sygnia).
- Nginx configuration auditing: Velvet Ant modified Nginx configs to create execution bridges. Audit all internet-facing and internal Nginx servers for unauthorized proxy_pass, fastcgi_pass, and location directive changes. Compare against version-controlled baselines (Sygnia).
- authorized_keys validation: Audit all authorized_keys files across the estate for unrecognized public keys. Velvet Ant appended their own keys as a durable, independent persistence layer (Sygnia).
- Privileged access hardening: Disable direct root SSH login, enforce named accounts with scoped sudo, route administration through hardened jump hosts, and require MFA before access reaches critical hosts, not only in the host-level login flow (Sygnia).
- Offline recovery planning: Maintain immutable backups with tested recovery procedures. Validate replacement binaries in a lab before deploying to production. For isolated environments, pre-stage trusted packages and ensure EDR telemetry can reach the SIEM via approved relays (Sygnia).
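As an added illustration of the RPATH check in the list above (this is example code, not Sygnia's tooling or anything from the report), a minimal ELF64 scanner that reads a shared object's .dynamic section, pulls out its DT_RPATH/DT_RUNPATH search paths, and flags any entry outside an assumed allow-list of system library prefixes. The allow-list, the build_sample_elf helper and the /home/builder path are constructed for the demo; on a real host you would feed it the bytes of pam_unix.so and every other library under /lib/security/.

```python
import struct

DT_NULL, DT_RPATH, DT_RUNPATH, SHT_DYNAMIC, SHT_STRTAB = 0, 15, 29, 6, 3
# Assumed allow-list: where a distro-built library may legitimately search.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "$ORIGIN")

def _cstr(buf, off):  # NUL-terminated string at buf[off]
    return buf[off:buf.index(b"\0", off)].decode(errors="replace")

def elf_rpaths(data):
    """Return DT_RPATH/DT_RUNPATH search paths of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", data, 40)              # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 58)     # e_shentsize, e_shnum
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    paths = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size, strtab_off = sh[4], sh[5], shdrs[sh[6]][4]  # sh_link -> .dynstr
        for pos in range(dyn_off, dyn_off + dyn_size, 16):         # 16-byte Elf64_Dyn entries
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                paths.extend(_cstr(data, strtab_off + val).split(":"))
    return paths

def suspicious_rpaths(data):
    """Search paths outside trusted system prefixes, e.g. a developer's home dir."""
    return [p for p in elf_rpaths(data) if not p.startswith(TRUSTED_PREFIXES)]

def build_sample_elf(rpath):
    """Constructed minimal ELF64 with only .dynstr and .dynamic (demo input, not a real .so)."""
    dynstr = b"\0" + rpath.encode() + b"\0"
    dynamic = struct.pack("<qQ", DT_RPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    str_off, dyn_off = 64, 64 + len(dynstr)
    shoff = dyn_off + len(dynamic)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                 # ELF64, little-endian
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 0)                    # ET_DYN, x86-64, 3 sections
    def sh(typ, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, 0)
    return (ehdr + dynstr + dynamic + sh(0, 0, 0, 0)
            + sh(SHT_STRTAB, str_off, len(dynstr), 0) + sh(SHT_DYNAMIC, dyn_off, len(dynamic), 1))
```

A non-empty result from suspicious_rpaths on a library under /lib/security/ is the signal to pull the file for comparison against the distribution's package and a known-good hash.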
The Broader Lesson
Operation Highland demonstrates that the authentication layer — PAM, OpenSSH, LSASS, and equivalent components — is the highest-value target for sophisticated adversaries. When an attacker controls authentication, they control everything: credentials, sessions, command visibility, and the remediation process itself. Traditional detection that focuses on malware signatures, network anomalies, and user behavior baselines will miss binary-level modifications to core system libraries.
The ten-year dwell time is not an outlier caused by negligence. It is the predictable outcome of a threat model that treats authentication infrastructure as a trusted component rather than a critical attack surface. Velvet Ant exploited that trust gap methodically. Every security team should be asking the same question Sygnia was forced to answer the hard way: if an adversary replaced your PAM modules tomorrow, how long would it take you to notice — and what would you do when simply rotating credentials makes the problem worse?
References
- Sygnia — Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected
- BleepingComputer — Chinese hackers hijack auth flow, spy on isolated network for a decade
- GS-Netcat (Global Socket Toolkit) — GitHub
- CISA — Known Exploited Vulnerabilities Catalog
- Sygnia — Threat Research and Advisories