Velvet Ant "Operation Highland": China-Nexus APT Backdoors the Linux Authentication Layer, Hiding for Nearly a Decade

Executive Summary
Velvet Ant — a China-nexus APT tracked by Sygnia — modified the very components that decide "who is allowed to sign in" on Linux systems: the PAM library (pam_unix.so) and OpenSSH binaries (ssh, sshd, scp). By replacing trusted login programs with backdoored versions, the attacker could both bypass authentication using a hardcoded password and harvest the credentials of legitimate users as they logged in, while logging every command typed.
The targeted network was critical infrastructure with no direct internet connectivity. The earliest forensic traces reach back to 2016 — nearly a decade of undetected presence. Because the malware lives inside the credential-checking mechanism itself, ordinary containment such as password resets or killing sessions is largely ineffective: new credentials are stolen the same way through the same modified pam_unix.so / sshd path.
The single most important action right now: on critical Linux hosts, compare pam_unix.so and the OpenSSH binaries against known-good copies (verify hashes/package signatures), and remove the backdoor BEFORE rotating any credentials — rotate first and the new passwords get harvested immediately.
Who is Velvet Ant
Velvet Ant is not a single campaign. Across multiple investigations, Sygnia has documented a consistent pattern: each time a foothold is discovered and remediated, the group pivots to less-monitored infrastructure and rebuilds persistence from a new vantage point.
2023 — PlugX/ShadowPad: in an intrusion lasting ~3 years, the group used the PlugX RAT (DLL side-loading via iviewers.exe); when evicted, it reconfigured PlugX to use an internal file server as C2, blending traffic with legitimate internal flows.
F5 BIG-IP as internal C2: abused a legacy, internet-exposed F5 appliance running an outdated OS as a beachhead — deploying VELVETSTING (hourly C2 beacon over port 8443), VELVETTAP (packet capture), and SAMRID (EarthWorm SOCKS proxy).
2024 — CVE-2024-20399 (Cisco NX-OS): exploited the flaw to plant a backdoor (VELVETSHELL) directly on Cisco Nexus switches.
Now — Operation Highland: the same idea, one level deeper — controlling the authentication mechanism every service relies on.
Kill chain (three stages)
The defining trait of Operation Highland: the target network had no direct internet path. Unable to break in directly, the attacker engineered a multi-stage access chain:
1. Foothold: establish a presence on internet-facing systems.
2. Traversal: move through the IT network toward the segregated segment.
3. Target: reach the critical-infrastructure segment and plant the authentication-layer backdoors described below.
Technical analysis
1. Backdoored pam_unix.so — bypass and credential harvesting
PAM sits below the application layer: a backdoored PAM module affects every service that relies on it, transparently and without generating anomalous log entries. Sygnia found nine modified pam_unix.so files, each compiled in a separate build environment (distinct RPATHs) — indicative of a structured, per-target build pipeline. The targeted function is pam_sm_authenticate, with two primary variants:
Bypass only: accepts a hardcoded backdoor password; after bypass, the password string in memory is overwritten with NULLs to evade detection.
Bypass + harvest: accepts the backdoor password Pamauth@123456 (stored encrypted in the binary); when the supplied password is not the backdoor value (that is, a legitimate user logging in), it records both username and password to a hidden file at /usr/sbin/.ssh.log.
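The check this section implies, written out as an added example (not Sygnia's tooling and not derived from the Velvet Ant samples): ask the package manager whether pam_unix.so and the OpenSSH binaries still match their packages, extract any RPATH/RUNPATH entry from pam_unix.so and flag the two build-tree patterns the report names, and compare files against a sha256 baseline taken from a known-good package or golden image. The pam_unix.so search paths, the rpm/dpkg handling and the need for readelf (binutils) are assumptions about a RHEL- or Debian-family host; the script only reads.

```shell
#!/bin/sh
# Added example, not Sygnia's tooling: read-only triage of the Linux
# authentication layer for the Operation Highland pattern. Search paths,
# package-manager handling and the need for readelf (binutils) are
# assumptions about a RHEL- or Debian-family host.

AUTH_FILES="/usr/sbin/sshd /usr/bin/ssh /usr/bin/scp"

# Locate pam_unix.so; the directory differs between distributions (assumed list).
find_pam_unix() {
    for p in /lib64/security/pam_unix.so /usr/lib64/security/pam_unix.so \
             /lib/x86_64-linux-gnu/security/pam_unix.so /usr/lib/security/pam_unix.so; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# 1. Ask the package manager whether the installed file still matches the
#    signed package content. Any output means a difference was found.
verify_owner_package() {  # $1 = file
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "no rpm/dpkg found; compare $1 against a known-good hash instead"
    fi
}

# 2. Extract RPATH/RUNPATH entries from `readelf -d` output (read from stdin,
#    so captured output can be fed in). Distribution builds of pam_unix.so
#    carry no such entry; the backdoored samples pointed into private build trees.
suspicious_rpath() {
    grep -E '\((RPATH|RUNPATH)\)' | sed -n 's/.*\[\(.*\)\].*/\1/p'
}

# Exit 0 when an RPATH matches one of the build-tree patterns from the report.
known_build_path() {  # $1 = rpath string
    case "$1" in
        /home/kevin/Desktop/Linux-PAM-*|/c/src/Linux-PAM-*) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Compare a file against a baseline of "<sha256>  <path>" lines produced by
#    running sha256sum on files from a known-good package or golden image.
hash_matches_baseline() {  # $1 = file, $2 = baseline file
    expected=$(awk -v f="$1" '$2 == f { print $1 }' "$2")
    if [ -z "$expected" ]; then echo "no baseline entry for $1"; return 2; fi
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

hunt() {  # $1 = optional baseline file
    pam=$(find_pam_unix) || { echo "pam_unix.so not found in the assumed paths"; return 1; }
    for f in $pam $AUTH_FILES; do
        [ -e "$f" ] || continue
        echo "== $f"
        verify_owner_package "$f"
        if [ -n "${1:-}" ]; then
            if hash_matches_baseline "$f" "$1"; then echo "   hash matches baseline"
            else echo "   HASH MISMATCH or no baseline entry"; fi
        fi
    done
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$pam" | suspicious_rpath | while read -r rp; do
            if known_build_path "$rp"; then
                echo "ALERT: $pam RPATH matches a reported Velvet Ant build tree: $rp"
            else
                echo "WARN: $pam carries RPATH/RUNPATH $rp; compare with the package build"
            fi
        done
    fi
}

# Run only when invoked explicitly: sh auth_layer_check.sh --hunt [baseline.sha256]
if [ "${1:-}" = "--hunt" ]; then hunt "${2:-}"; fi
```

The baseline file is the one piece that must not come from the host being checked: generate it with sha256sum on files extracted from the distribution package (or from a golden image) and keep it off-box, otherwise a host compromised this long simply attests to its own backdoors.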
2. Modified OpenSSH — credential theft, keylogging, and anti-forensics
The OpenSSH suite (ssh, sshd, scp) was replaced with malicious builds carrying these capabilities:
Credential dumping: writes encrypted credentials (both directions) to /usr/share/man9/ph/.ph.man, tagged with connection direction (O/I), auth type (B/C/X…), and success status (Y/N).
Keylogging: logs every shell command, with filenames derived from the MD5 of the user + TTY.
-d flag to disable its own logging: lets the attacker operate through the backdoored binary without leaving evidence of their own activity — a hallmark of high OpSec.
Timestomping: all files/directories under /usr/share/man9/ph/ are restamped to match /etc/shells. A utime-style restamp rewrites mtime and atime but cannot set ctime, so an entry whose mtime equals that of /etc/shells while its ctime is recent is a useful tell.
SELinux disabling: the malicious scp can disable SELinux when run as root.
Process hiding (! flag): disguises the process name as [kauditd] -sh to blend in with the legitimate audit daemon. The genuine kauditd is a kernel thread, so it has an empty /proc/PID/cmdline and kthreadd (PID 2) as its parent; a renamed user-space process has neither property.
An older variant wrote credentials to /usr/lib/eth-scsi/libethscsi.so and keylogs to /var/lib/sam/ (format sam_{timestamp}) — these older logs allowed Sygnia to trace the earliest activity back to 2016.
3. authorized_keys
Alongside the PAM/OpenSSH modifications, the group appended its own public keys to authorized_keys on compromised servers — a third, simpler but durable persistence layer operating independently of the backdoored binaries.
OpSec and why eradication is so hard
This was not a standard persistence cleanup. When the attacker controls authentication itself, you cannot "delete first, validate later": their persistence lives in the same components (pam_unix.so, ssh/sshd/scp, authorized_keys) that administrators rely on to access and manage production systems. A wrong package, an incompatible binary, or a missing dependency can completely lock admins out of a host — turning remediation into a production outage. Eradication therefore had to be engineered carefully: lab testing first, per-host profiling, prepared rollback options, and SSH/auth health validation immediately after each step.
Detection & Hunting
Operation Highland is a case study in why signature-based detection and alert-driven operations fall short against a patient APT: there is no novel exploit to catch and no malicious binary dropping into a monitored directory. Detection depends on proactive, hypothesis-driven threat hunting — asking questions the SIEM was never configured to answer.
File Integrity Monitoring (FIM) on TTP-relevant paths: pam_unix.so, /etc/pam.d/, OpenSSH binaries (ssh, sshd, scp, sftp, ssh-keygen), sshd_config, privileged authorized_keys, systemd unit files / SysVinit scripts, /etc/sudoers. Compare binaries against known-good (hashes/package signatures) rather than waiting for an alert — nothing will flag them for you. The reference must come from package metadata or a golden image, not from a baseline captured on the host itself: on a host compromised since 2016, any later baseline already contains the backdoored files.
Hunt auth-layer artifacts: paths /usr/share/man9/ph/, hidden file /usr/sbin/.ssh.log, /usr/lib/eth-scsi/, /var/lib/sam/; unusual RPATHs in PAM (/home/kevin/Desktop/Linux-PAM-*, /c/src/Linux-PAM-*).
Windows equivalent: apply the same principle to LSASS/LSA on Domain Controllers (monitor LSASS access, unexpected module loads, Skeleton Key-style changes to Authentication Packages).
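The artifact hunt sketched in the OpenSSH analysis, the authorized_keys section and the bullets above, as an added example (not Sygnia's tooling): each function takes a root directory, so the same checks run against a live host, a mounted disk image, or a constructed test tree. The timestomp check relies on utime-style restamping changing mtime but not ctime; the masquerade check relies on a genuine kernel thread having an empty /proc/PID/cmdline. The 60-second ctime/mtime threshold, the /root and /home/* layout and GNU/BusyBox `stat -c` are assumptions; the paths are those from the report and its IOC list.

```shell
#!/bin/sh
# Added example, not Sygnia's tooling: hunt for the on-disk and in-memory
# artifacts attributed to the backdoored OpenSSH/PAM builds. Every function
# takes a root directory so the same checks run against a live host (/), a
# mounted disk image, or a constructed test tree. Assumes GNU/BusyBox stat -c.

# Artifact paths from the report and its IOC list (newer and older SSH variants,
# the PAM harvest file, and the GS-Netcat binary dropped as /usr/sbin/auditdb).
ARTIFACT_PATHS="/usr/share/man9/ph /usr/share/man9/ph/.ph.man /usr/sbin/.ssh.log /usr/lib/eth-scsi /var/lib/sam /usr/sbin/auditdb"

# 1. Existence check for the reported paths. Prints "FOUND <path>" per hit.
hunt_paths() {  # $1 = root
    root=${1:-/}; root=${root%/}
    for p in $ARTIFACT_PATHS; do
        [ -e "$root$p" ] && printf 'FOUND %s\n' "$p"
    done
    return 0
}

# 2. Timestomping check. Restamping with utime()-style calls rewrites mtime but
#    cannot set ctime, so a file whose mtime equals the reference (/etc/shells in
#    the report) while its ctime is much later is flagged. The 60 s threshold is
#    an assumption.
find_timestomped() {  # $1 = root, $2 = directory, $3 = reference file
    root=${1:-/}; root=${root%/}
    ref_mtime=$(stat -c %Y "$root$3" 2>/dev/null) || return 0
    find "$root$2" -type f 2>/dev/null | while read -r f; do
        m=$(stat -c %Y "$f"); c=$(stat -c %Z "$f")
        if [ "$m" = "$ref_mtime" ] && [ $((c - m)) -gt 60 ]; then
            printf 'TIMESTOMP? %s mtime=%s ctime=%s\n' "$f" "$m" "$c"
        fi
    done
    return 0
}

# 3. Masquerade check. A real kernel thread ([kauditd], [khubd], ...) has an
#    empty /proc/PID/cmdline; a user-space binary that renamed itself
#    "[kauditd] -sh" does not. $1 = proc directory (default /proc).
find_fake_kthreads() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline")
        case "$cmd" in
            \[*) printf 'MASQUERADE? pid=%s cmdline=%s\n' "${d##*/}" "$cmd" ;;
        esac
    done
    return 0
}

# 4. authorized_keys inventory, the third persistence layer. One line per key:
#    path, key type, comment. Lines that begin with key options show the option
#    string in the type column. Home layout (/root, /home/*) is assumed.
list_authorized_keys() {  # $1 = root
    root=${1:-/}; root=${root%/}
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r type key comment; do
            printf '%s %s %s\n' "${f#"$root"}" "$type" "${comment:-<no comment>}"
        done
    done
    return 0
}

hunt_all() {  # $1 = root (default /)
    root=${1:-/}
    hunt_paths "$root"
    find_timestomped "$root" /usr/share/man9/ph /etc/shells
    [ "$root" = "/" ] && find_fake_kthreads /proc
    list_authorized_keys "$root"
}

# Run only when invoked explicitly: sh auth_artifact_hunt.sh --hunt [/mnt/image]
if [ "${1:-}" = "--hunt" ]; then hunt_all "${2:-/}"; fi
```

Against a mounted image the process check is skipped (there is no /proc to read), which is also why a live hunt through the backdoored sshd is not fully trustworthy: the same binary that hides the process is the one carrying your session. Diff the authorized_keys inventory against an approved list rather than eyeballing it.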
MITRE ATT&CK (from Sygnia's Velvet Ant advisories)
| Tactic | Technique |
|---|---|
| Initial Access | T1133 – External Remote Services |
| Execution | T1047 – WMI; T1059.008 – Network Device CLI |
| Persistence | T1037.004 – RC Scripts; T1556 – Modify Authentication Process (PAM/SSH); T1098.004 – SSH Authorized Keys |
| Defense Evasion | T1070.006 – Timestomp; T1036.005 – Masquerading; T1562.004 – Disable System Firewall; T1564 – Hide Artifacts |
| Credential Access | T1003 – OS Credential Dumping; T1056.001 – Keylogging |
| Lateral Movement | T1021.004 – SSH; T1021.002 – SMB; T1570 – Lateral Tool Transfer |
| Command & Control | T1572 – Protocol Tunneling; T1090.001 – Internal Proxy |
Note: the techniques described directly for Operation Highland are T1556 (backdoored pam_unix.so and OpenSSH), T1098.004 (appended authorized_keys), T1003 and T1056.001 (credential dumping and keylogging by the modified binaries), T1070.006 (restamping under /usr/share/man9/ph/), T1036.005 ([kauditd] -sh) and T1564 (hidden files such as /usr/sbin/.ssh.log); the remaining techniques are aggregated from the 2024 Velvet Ant advisories (F5/Cisco).
Indicators of Compromise (IOC)
| Type | Value | Campaign |
|---|---|---|
| Credential-dump path (newer SSH variant) | /usr/share/man9/ph/.ph.man | Operation Highland |
| Credential-dump path (older SSH variant) | /usr/lib/eth-scsi/libethscsi.so | Operation Highland |
| Keylog path (older variant) | /var/lib/sam/sam_{timestamp} | Operation Highland |
| PAM harvest file | /usr/sbin/.ssh.log | Operation Highland |
| PAM backdoor password | Pamauth@123456 | Operation Highland |
| Unusual PAM RPATHs | /home/kevin/Desktop/Linux-PAM-*, /c/src/Linux-PAM-* | Operation Highland |
| Masqueraded process names | [khubd] (GS-Netcat), smbd -D (SOCKS5), [kauditd] -sh (scp) | Operation Highland |
| GS-Netcat binary | auditdb in /usr/sbin/ | Operation Highland |
| C2 IPs | 202.61.136[.]158, 103.138.13[.]31 | Velvet Ant 2024 (F5/PlugX) |
| Tools | VELVETSTING, VELVETTAP, SAMRID (EarthWorm), ESRDE | Velvet Ant 2024 (F5) |
| Related CVE | CVE-2024-20399 (Cisco NX-OS) | Velvet Ant 2024 (Cisco) |
Source note: The two C2 IPs and the VELVET* tools belong to the 2024 Velvet Ant reporting (F5/Cisco), not directly to Operation Highland — included here for behavioral correlation. Full auth-layer IOCs (PAM/SSH file hashes) should be taken from the official Sygnia IoC list published with the Operation Highland post.
Recommendations
Remove persistence BEFORE rotating credentials. Reset passwords while pam_unix.so/sshd remain backdoored and the new ones get harvested immediately.
Deploy FIM on the authentication layer (PAM, /etc/pam.d/, OpenSSH binaries, sshd_config, authorized_keys) and forward alerts to the SIEM; apply the same principle to LSASS on Windows.
Hunt rather than wait for alerts: compare binaries against known-good, and check the artifact paths and unusual RPATHs above across the critical Linux fleet.
Prepare safe recovery: golden recovery hosts with validated OS builds and known-good binaries, plus rollback/emergency-access plans — one wrong replacement can lock you out of your own systems.
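The ordering these recommendations insist on, as an added script skeleton (not Sygnia's procedure and not from the report): preserve the suspect binaries as evidence first, reinstall the authentication packages from the distribution repository, validate sshd while the current admin session is still open, and only then clear credential rotation. The package names, the dnf/apt commands and the pam_unix.so search paths are assumptions for RHEL- and Debian-family hosts; rehearse it on a clone of the host before touching production.

```shell
#!/bin/sh
# Added example, not Sygnia's playbook: the remediation order the write-up
# argues for, as a script skeleton. Suspect binaries are preserved as evidence
# first, the authentication packages are reinstalled from the distribution
# repository, sshd is validated while the current admin session is still open,
# and only then is credential rotation cleared. Package names are assumptions
# for RHEL-family (dnf/rpm) and Debian-family (apt/dpkg) hosts; adjust to what
# `rpm -q` / `dpkg -l` show installed, and rehearse on a clone of the host first.

AUTH_BINARIES="/usr/sbin/sshd /usr/bin/ssh /usr/bin/scp"

# Returns "rpm", "dpkg" or "none".
detect_pkg_manager() {
    if command -v rpm >/dev/null 2>&1; then echo rpm
    elif command -v dpkg >/dev/null 2>&1; then echo dpkg
    else echo none; fi
}

# Packages that own pam_unix.so and the OpenSSH binaries (assumed). $1 = manager.
auth_packages() {
    case "$1" in
        rpm)  echo "pam openssh openssh-clients openssh-server" ;;
        dpkg) echo "libpam-modules openssh-client openssh-server" ;;
        *)    return 1 ;;
    esac
}

# Step 1: copy suspect files with timestamps intact into an evidence directory
# and record their hashes before anything is overwritten. Fails when nothing
# was preserved, so a typo in a path cannot silently skip this step.
preserve_evidence() {  # $1 = evidence dir, $2.. = files
    dir=$1; shift
    mkdir -p "$dir"
    for f in "$@"; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dir/$(printf '%s' "$f" | tr / _)"
        sha256sum "$f" >> "$dir/MANIFEST.sha256"
    done
    [ -s "$dir/MANIFEST.sha256" ]
}

# Step 2: reinstall from the repository so the package manager overwrites the
# installed copies with signed package content.
reinstall_auth_packages() {  # $1 = manager
    pkgs=$(auth_packages "$1") || { echo "unknown package manager; stop"; return 1; }
    case "$1" in
        rpm)  dnf reinstall -y $pkgs ;;
        dpkg) apt-get install --reinstall -y $pkgs ;;
    esac
}

# Step 3: validate before the open admin session is closed. sshd -t parses the
# config; the verify output is printed for review (config files marked 'c' may
# legitimately differ).
validate_sshd() {
    sshd -t || return 1
    case "$(detect_pkg_manager)" in
        rpm)  rpm -V $(auth_packages rpm) || true ;;
        dpkg) dpkg -V $(auth_packages dpkg) || true ;;
    esac
}

remediate() {  # $1 = evidence dir
    mgr=$(detect_pkg_manager)
    pam=$(find /lib64/security /lib/x86_64-linux-gnu/security /usr/lib/security \
               -name pam_unix.so 2>/dev/null | head -n 1)
    preserve_evidence "$1" $pam $AUTH_BINARIES || { echo "nothing preserved; stop"; return 1; }
    echo "Evidence in $1. Keep this session open; reinstalling via $mgr."
    reinstall_auth_packages "$mgr" || return 1
    validate_sshd || { echo "validation failed: restore from $1 or use out-of-band access"; return 1; }
    echo "Open a SECOND session and confirm login works before closing this one."
    echo "Only then rotate passwords and replace authorized_keys."
}

# Run only when invoked explicitly (as root): sh auth_layer_remediate.sh --remediate /root/evidence
if [ "${1:-}" = "--remediate" ]; then remediate "${2:-/root/velvet-ant-evidence}"; fi
```

This is the in-place variant and it trusts the package manager and repository on a host that has been owned for years; for the critical segment the page's own recommendation, rebuilding from golden recovery hosts, is the safer path, and the evidence directory produced in step 1 is what lets Sygnia-style timeline work (hashes, RPATHs, old log formats) continue after the binaries are gone.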
References
The Hacker News — China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade (2026-06-12)
Sygnia — Velvet Ant's Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected (2026-06-08)
Sygnia — China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers for Persistence (2024-06-03)