# Velvet Ant "Operation Highland": China-Nexus APT Backdoors the Linux Authentication Layer, Hiding for Nearly a Decade

## Executive Summary

Velvet Ant — a China-nexus APT tracked by Sygnia — modified the very components that decide "who is allowed to sign in" on Linux systems: the PAM library (`pam_unix.so`) and OpenSSH binaries (`ssh`, `sshd`, `scp`). By replacing trusted login programs with backdoored versions, the attacker could both **bypass authentication** using a hardcoded password and **harvest the credentials** of legitimate users as they logged in, while logging every command typed.

The targeted network was critical infrastructure with **no direct internet connectivity**. The earliest forensic traces reach back to **2016** — nearly a decade of undetected presence. Because the malware lives inside the credential-checking mechanism itself, ordinary containment such as password resets or killing sessions is largely **ineffective**: every new credential still passes through the same modified `pam_unix.so` / `sshd` path and is harvested in turn.

**The single most important action right now:** on critical Linux hosts, compare `pam_unix.so` and the OpenSSH binaries against known-good copies (verify hashes/package signatures), and **remove the backdoor BEFORE** rotating any credentials — rotate first and the new passwords get harvested immediately.

* * *

## Who is Velvet Ant

Velvet Ant is not a single campaign. Across multiple investigations, Sygnia has documented a consistent pattern: **each time a foothold is discovered and remediated, the group pivots to less-monitored infrastructure and rebuilds persistence from a new vantage point.**

*   **2023 — PlugX/ShadowPad:** in an intrusion lasting ~3 years, the group used the PlugX RAT (DLL side-loading via `iviewers.exe`); when evicted, it reconfigured PlugX to use an **internal file server as C2**, blending traffic with legitimate internal flows.
    
*   **F5 BIG-IP as internal C2:** abused a legacy, internet-exposed F5 appliance running an outdated OS as a beachhead — deploying VELVETSTING (hourly C2 beacon over port 8443), VELVETTAP (packet capture), and SAMRID (EarthWorm SOCKS proxy).
    
*   **2024 — CVE-2024-20399 (Cisco NX-OS):** exploited the flaw to plant a backdoor (VELVETSHELL) directly on Cisco Nexus switches.
    
*   **Now — Operation Highland:** the same idea, one level deeper — controlling the **authentication mechanism** every service relies on.
    

* * *

## Kill chain (three stages)

The defining trait of Operation Highland: the target network had **no direct internet path**. Unable to break in directly, the attacker **engineered a multi-stage access chain**:

1.  establish a foothold on internet-facing systems;
    
2.  traverse the IT network;
    
3.  reach the segregated critical-infrastructure segment.

* * *

## Technical analysis

### 1. Backdoored `pam_unix.so` — bypass and credential harvesting

PAM sits below the application layer: a backdoored PAM module affects **every service** that relies on it, transparently and without generating anomalous log entries. Sygnia found **nine modified** `pam_unix.so` **files**, each compiled in a separate build environment (distinct RPATHs) — indicative of a structured, per-target build pipeline. The targeted function is `pam_sm_authenticate`, with two primary variants:

*   **Bypass only:** accepts a hardcoded backdoor password; after bypass, the password string in memory is **overwritten with NULLs** to evade detection.
    
*   **Bypass + harvest:** accepts the backdoor password `Pamauth@123456` (stored encrypted in the binary); if a user's password does not match, it records both **username and password** to a hidden file at `/usr/sbin/.ssh.log`.
    

### 2. Modified OpenSSH — credential theft, keylogging, and anti-forensics

The OpenSSH suite (`ssh`, `sshd`, `scp`) was replaced with malicious builds carrying these capabilities:

*   **Credential dumping:** writes encrypted credentials (both directions) to `/usr/share/man9/ph/.ph.man`, tagged with connection direction (O/I), auth type (B/C/X…), and success status (Y/N).
    
*   **Keylogging:** logs every shell command, with filenames derived from the MD5 of the user + TTY.
    
*   **`-d` flag to disable its own logging:** lets the attacker operate through the backdoored binary **without leaving evidence** of their own activity — a hallmark of high OpSec.
    
*   **Timestomping:** all files/directories under `/usr/share/man9/ph/` are restamped to match `/etc/shells`.
    
*   **SELinux disabling:** the malicious `scp` can disable SELinux when run as root.
    
*   **Process hiding (`!` flag):** disguises the process name as `[kauditd] -sh` to blend in with the legitimate audit daemon.
    
*   **Older variant:** wrote credentials to `/usr/lib/eth-scsi/libethscsi.so` and keylogs to `/var/lib/sam/` (format `sam_{timestamp}`); these older logs allowed Sygnia to trace the earliest activity back to **2016**.
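
A hunt for the timestomping described above, added here as an example; it is not code from Sygnia's report or tooling. It relies on one property the implant cannot work around: `utime()`/`utimensat()` let a caller set atime and mtime, but ctime is written by the kernel on that very call, so a restamped file ends up with an mtime identical to the reference file and a ctime well after it. The `demo()` fixture builds a constructed reference file standing in for `/etc/shells` and a constructed hidden directory in a temporary location; on a live host you would point `timestomp_findings()` at `/usr/share/man9/ph` and `/etc/shells`.

```python
"""Hunt for timestomped files: an implant that copies /etc/shells' timestamps onto
its own files can set atime/mtime with utime()/utimensat(), but ctime is set by the
kernel on that same call and cannot be chosen, so stomped files show a ctime well
after their mtime and an mtime identical to the reference file."""
import os
import tempfile
import time


def timestomp_findings(directory: str, reference: str, skew: float = 1.0) -> list:
    """Return (path, reasons) for the directory itself and everything below it."""
    ref = os.stat(reference)
    paths = [directory]
    for dirpath, dirnames, filenames in os.walk(directory):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        st = os.lstat(path)
        reasons = []
        if st.st_mtime_ns == ref.st_mtime_ns:
            reasons.append("mtime identical to %s to the nanosecond" % reference)
        elif abs(st.st_mtime - ref.st_mtime) <= skew:
            reasons.append("mtime within %ss of %s" % (skew, reference))
        # utime() cannot set ctime: a ctime far later than mtime means the
        # timestamps were rewritten after the content was written.
        if st.st_ctime - st.st_mtime > skew:
            reasons.append("ctime %.0fs later than mtime" % (st.st_ctime - st.st_mtime))
        if reasons:
            findings.append((path, reasons))
    return findings


def stomp(path: str, reference: str) -> None:
    """Copy the reference's atime/mtime onto path, the way the implant restamps its files."""
    ref = os.stat(reference)
    os.utime(path, ns=(ref.st_atime_ns, ref.st_mtime_ns))


def demo() -> dict:
    """Constructed fixture in a temp dir: a reference standing in for /etc/shells, a hidden
    directory with one stomped file and one untouched file. Returns {basename: reasons}."""
    root = tempfile.mkdtemp(prefix="timestomp-demo-")
    reference = os.path.join(root, "shells")
    with open(reference, "w") as fh:
        fh.write("/bin/sh\n")
    years_ago = time.time() - 5 * 365 * 86400
    os.utime(reference, (years_ago, years_ago))        # make the reference look old
    hidden = os.path.join(root, "ph")                   # stands in for /usr/share/man9/ph/
    os.mkdir(hidden)
    stomped = os.path.join(hidden, ".ph.man")
    with open(stomped, "w") as fh:
        fh.write("constructed credential log\n")
    untouched = os.path.join(hidden, "README")
    with open(untouched, "w") as fh:
        fh.write("written now, never restamped\n")
    stomp(stomped, reference)
    stomp(hidden, reference)                             # directory restamped last
    return {os.path.basename(p): r for p, r in timestomp_findings(hidden, reference)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    # On a live host: timestomp_findings("/usr/share/man9/ph", "/etc/shells")
```

The ctime-later-than-mtime signal is noisy on its own: package managers preserve the packaged mtime, so practically every rpm/dpkg-installed file has a ctime later than its mtime. Use it inside directories no package owns (`rpm -qf` / `dpkg -S` return nothing for them) or, as here, together with an exact match against the reference file's timestamps.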
    

### 3. authorized\_keys

Alongside the PAM/OpenSSH modifications, the group appended its own public keys to `authorized_keys` on compromised servers — a third, simpler but durable persistence layer operating independently of the backdoored binaries.
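
An audit of `authorized_keys` against an allow-list of key fingerprints, added here as an example; it is not code from the Sygnia report. It assumes the allow-list is exported from your provisioning system or configuration management. The sample file and the key blobs in it are constructed (SHA-256 outputs packed in the `ssh-ed25519` wire format, not real key pairs); fingerprints are computed the way `ssh-keygen -lf` prints them (SHA-256 of the decoded key blob, base64 without padding), so you can compare its output directly with what administrators report.

```python
"""Audit authorized_keys entries against an allow-list of key fingerprints."""
import base64
import hashlib
import struct

# Key types an entry may carry; an options field (command="...",no-pty,...) may precede them.
KEY_TYPES = frozenset({
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
})


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode("ascii")


def parse_authorized_keys(text: str) -> list:
    """One record per key line: line number, options, type, fingerprint, comment.

    The options field is reconstructed by joining the tokens before the key type,
    which is good enough for hunting; it is not a full OpenSSH option parser.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
        record = {"line": lineno, "options": "", "type": None, "fingerprint": None,
                  "comment": "", "malformed": False, "raw": line}
        try:
            if idx is None or idx + 1 >= len(tokens):
                raise ValueError("no key type / key blob on this line")
            record.update(options=" ".join(tokens[:idx]), type=tokens[idx],
                          fingerprint=fingerprint(tokens[idx + 1]),
                          comment=" ".join(tokens[idx + 2:]))
        except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
            record["malformed"] = True
        records.append(record)
    return records


def unauthorized_keys(text: str, allowed: set) -> list:
    """Records that are malformed or whose fingerprint is not on the allow-list."""
    return [r for r in parse_authorized_keys(text)
            if r["malformed"] or r["fingerprint"] not in allowed]


def sample_key_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire blob (type string + 32 bytes); NOT a real key pair."""
    body = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519" + struct.pack(">I", 32) + body
    return base64.b64encode(blob).decode("ascii")


def sample_authorized_keys() -> str:
    """Constructed file: two provisioned keys plus one that an intruder appended."""
    return "\n".join([
        "# constructed sample for the demonstration",
        "ssh-ed25519 " + sample_key_blob(b"admin") + " admin@bastion",
        'command="/usr/bin/backup",no-pty ssh-ed25519 ' + sample_key_blob(b"backup") + " backup@cron",
        "ssh-ed25519 " + sample_key_blob(b"unknown") + " root@laptop",
        "",
    ])


# What provisioning says should be there; on a real host export this from config management.
PROVISIONED = {fingerprint(sample_key_blob(b"admin")), fingerprint(sample_key_blob(b"backup"))}


def audit_file(path: str, allowed: set) -> list:
    """Audit a real authorized_keys file (e.g. /root/.ssh/authorized_keys)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return unauthorized_keys(fh.read(), allowed)


if __name__ == "__main__":
    for hit in unauthorized_keys(sample_authorized_keys(), PROVISIONED):
        print(f"line {hit['line']}: {hit['type']} {hit['fingerprint']} {hit['comment']!r} "
              "not in allow-list")
```

Run `audit_file()` over every privileged account's `authorized_keys` (and any extra paths named by `AuthorizedKeysFile` in `sshd_config`); a malformed line is reported too, because a hand-edited file is itself worth a look. Matching on fingerprint rather than on the comment field matters: the comment is free text and an intruder can make it read `admin@bastion`.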

* * *

## OpSec and why eradication is so hard

This was not a standard persistence cleanup. When the attacker controls authentication itself, you **cannot "delete first, validate later"**: their persistence lives in the same components (`pam_unix.so`, `ssh`/`sshd`/`scp`, `authorized_keys`) that administrators rely on to access and manage production systems. A wrong package, an incompatible binary, or a missing dependency can **completely lock admins out of a host** — turning remediation into a production outage. Eradication therefore had to be engineered carefully: lab testing first, per-host profiling, prepared rollback options, and SSH/auth health validation immediately after each step.

* * *

## Detection & Hunting

Operation Highland is a case study in why signature-based detection and alert-driven operations fall short against a patient APT: there is no novel exploit to catch and no malicious binary dropping into a monitored directory. Detection depends on **proactive, hypothesis-driven threat hunting** — asking questions the SIEM was never configured to answer.

*   **File Integrity Monitoring (FIM)** on TTP-relevant paths: `pam_unix.so`, `/etc/pam.d/`, OpenSSH binaries (`ssh`, `sshd`, `scp`, `sftp`, `ssh-keygen`), `sshd_config`, privileged `authorized_keys`, systemd unit files / SysVinit scripts, `/etc/sudoers`.
    
*   **Compare binaries against known-good** (hashes/package signatures) rather than waiting for an alert — nothing will flag them for you.
    
*   **Hunt auth-layer artifacts:** paths `/usr/share/man9/ph/`, hidden file `/usr/sbin/.ssh.log`, `/usr/lib/eth-scsi/`, `/var/lib/sam/`; unusual RPATHs in PAM (`/home/kevin/Desktop/Linux-PAM-*`, `/c/src/Linux-PAM-*`).
    
*   **Windows equivalent:** apply the same principle to LSASS/LSA on Domain Controllers (monitor LSASS access, unexpected module loads, Skeleton Key-style changes to Authentication Packages).
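
The three hunts above (known-good hash comparison, RPATH inspection of `pam_unix.so`, and the artifact-path sweep) in one script, added here as an example; it is not Sygnia's tooling. It assumes a Linux host, or a mounted disk image passed as `root`; the known-good hash is whatever you recorded from a golden host or a freshly downloaded signed package (the script does not ship any hashes). `readelf -d pam_unix.so | grep -iE 'rpath|runpath'` shows the same entries; the pure-Python ELF reader is there so the check runs from an IR toolkit on a box with no binutils. `build_sample_elf()` and the `Linux-PAM-sample` path are constructed fixtures for the demonstration.

```python
"""Auth-layer tamper hunt: known-good hash check, ELF RPATH/RUNPATH extraction,
artifact-path sweep. Added example; the hashes you feed it come from your own
golden host or package mirror."""
import hashlib
import os
import struct

# Build-environment RPATHs Sygnia associated with the modified pam_unix.so.
SUSPICIOUS_RPATH_PREFIXES = ("/home/kevin/Desktop/Linux-PAM-", "/c/src/Linux-PAM-")
# On-disk artifacts from the report, relative to the filesystem root being inspected.
ARTIFACT_PATHS = ("usr/share/man9/ph", "usr/sbin/.ssh.log", "usr/lib/eth-scsi",
                  "var/lib/sam", "usr/sbin/auditdb")

DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
PT_LOAD, PT_DYNAMIC = 1, 2
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 little-endian layouts


def elf_rpaths(data: bytes) -> list:
    """Every DT_RPATH / DT_RUNPATH string in a little-endian ELF64 image (what
    `readelf -d` shows as RPATH/RUNPATH), read without external tools."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 object")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # no dynamic section (static binary): nothing to report
    strtab_vaddr, offsets = None, []
    for off in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(DYN)):
        tag, val = struct.unpack_from(DYN, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_STRTAB:
            strtab_vaddr = val
        elif tag in (DT_RPATH, DT_RUNPATH):
            offsets.append(val)
    if strtab_vaddr is None or not offsets:
        return []
    # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD.
    for seg_vaddr, seg_off, seg_size in loads:
        if seg_vaddr <= strtab_vaddr < seg_vaddr + seg_size:
            strtab = seg_off + (strtab_vaddr - seg_vaddr)
            break
    else:
        raise ValueError("DT_STRTAB outside every PT_LOAD segment")
    return [data[strtab + o:data.index(b"\0", strtab + o)].decode("utf-8", "replace")
            for o in offsets]


def suspicious_rpaths(data: bytes) -> list:
    """RPATH entries that match the attacker build environments from the report."""
    return [p for p in elf_rpaths(data) if p.startswith(SUSPICIOUS_RPATH_PREFIXES)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_good(data: bytes, expected_sha256: str) -> bool:
    """True when the file hashes to the value recorded from a golden host or package."""
    return sha256_hex(data) == expected_sha256.strip().lower()


def present_artifacts(root: str = "/") -> list:
    """Artifact paths that exist under root (point root at a mounted image for offline triage)."""
    return [os.path.join(root, p) for p in ARTIFACT_PATHS if os.path.lexists(os.path.join(root, p))]


def build_sample_elf(rpath: str) -> bytes:
    """Constructed minimal ELF64 shared object with one DT_RPATH; a fixture, not a real library."""
    dyn_off = struct.calcsize(EHDR) + 2 * struct.calcsize(PHDR)
    strtab_off = dyn_off + 3 * struct.calcsize(DYN)
    strtab = b"\0" + rpath.encode() + b"\0"
    dyn = (struct.pack(DYN, DT_STRTAB, strtab_off) + struct.pack(DYN, DT_RPATH, 1)
           + struct.pack(DYN, DT_NULL, 0))
    total = strtab_off + len(strtab)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 62, 1, 0,
                       struct.calcsize(EHDR), 0, 0, struct.calcsize(EHDR),
                       struct.calcsize(PHDR), 2, 0, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + dyn + strtab


if __name__ == "__main__":
    # Typical locations; pam_unix.so lives under /lib64/security or /lib/x86_64-linux-gnu/security.
    for path in ("/lib64/security/pam_unix.so", "/lib/x86_64-linux-gnu/security/pam_unix.so",
                 "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp"):
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                blob = fh.read()
            print(path, sha256_hex(blob), "rpath=", elf_rpaths(blob),
                  "SUSPICIOUS" if suspicious_rpaths(blob) else "")
    print("artifacts present:", present_artifacts("/"))
```

`rpm -V pam openssh-server` and `debsums -c` are quicker first passes, but both compare against the local package database, which an attacker with root on the box can also edit; the baseline that settles the question is the hash taken from a golden host or a signed package downloaded from the vendor, compared on a clean machine or against a mounted image. A distribution-built `pam_unix.so` normally carries no RPATH at all, so any RPATH on it deserves a look, not only the two prefixes listed.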
    

* * *

## MITRE ATT&CK (from Sygnia's Velvet Ant advisories)

| Tactic | Technique |
| --- | --- |
| Initial Access | T1133 – External Remote Services |
| Execution | T1047 – WMI; T1059.008 – Network Device CLI |
| Persistence | T1037.004 – RC Scripts; T1556 – Modify Authentication Process (PAM is sub-technique T1556.003; SSH); T1098.004 – SSH Authorized Keys |
| Defense Evasion | T1070.006 – Timestomp; T1036.005 – Masquerading; T1562.004 – Disable or Modify System Firewall; T1564 – Hide Artifacts |
| Credential Access | T1003 – OS Credential Dumping; T1056.001 – Keylogging |
| Lateral Movement | T1021.004 – SSH; T1021.002 – SMB; T1570 – Lateral Tool Transfer |
| Command & Control | T1572 – Protocol Tunneling; T1090.001 – Internal Proxy |

> Note: T1556 / T1098.004 / T1056.001 map to Operation Highland (auth layer); the remaining techniques are aggregated from the 2024 Velvet Ant advisory.

* * *

## Indicators of Compromise (IOC)

| Type | Value | Campaign |
| --- | --- | --- |
| Credential-dump path (newer SSH) | `/usr/share/man9/ph/.ph.man` | Operation Highland |
| Credential-dump path (older SSH) | `/usr/lib/eth-scsi/libethscsi.so` | Operation Highland |
| Keylog path (older variant) | `/var/lib/sam/sam_{timestamp}` | Operation Highland |
| PAM harvest file | `/usr/sbin/.ssh.log` | Operation Highland |
| PAM backdoor password | `Pamauth@123456` | Operation Highland |
| Unusual PAM RPATHs | `/home/kevin/Desktop/Linux-PAM-*`, `/c/src/Linux-PAM-*` | Operation Highland |
| Masqueraded process names | `[khubd]` (GS-Netcat), `smbd -D` (SOCKS5), `[kauditd] -sh` (scp) | Operation Highland |
| GS-Netcat binary | `auditdb` in `/usr/sbin/` | Operation Highland |
| C2 IPs | `202.61.136[.]158`, `103.138.13[.]31` | Velvet Ant 2024 (F5/PlugX) |
| Tools | VELVETSTING, VELVETTAP, SAMRID (EarthWorm), ESRDE | Velvet Ant 2024 (F5) |
| Related CVE | CVE-2024-20399 (Cisco NX-OS) | Velvet Ant 2024 (Cisco) |

> **Source note:** The two C2 IPs and the VELVET\* tools belong to the 2024 Velvet Ant reporting (F5/Cisco), **not** directly to Operation Highland — included here for behavioral correlation. Full auth-layer IOCs (PAM/SSH file hashes) should be taken from the official Sygnia IoC list published with the Operation Highland post.

* * *

## Recommendations

*   **Remove persistence BEFORE rotating credentials.** If passwords are reset while `pam_unix.so`/`sshd` are still backdoored, the new ones are harvested immediately.
    
*   **Deploy FIM on the authentication layer** (PAM, `/etc/pam.d/`, OpenSSH binaries, `sshd_config`, `authorized_keys`) and forward alerts to the SIEM; apply the same principle to LSASS on Windows.
    
*   **Hunt rather than wait for alerts:** compare binaries against known-good, and check the artifact paths and unusual RPATHs above across the critical Linux fleet.
    
*   **Prepare safe recovery:** golden recovery hosts with validated OS builds and known-good binaries, plus rollback/emergency-access plans — one wrong replacement can lock you out of your own systems.
    

* * *

## References

1.  The Hacker News — [China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade](https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html) (2026-06-12)
    
2.  Sygnia — [Velvet Ant's Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected](https://www.sygnia.co/blog/operation-highland-velvet-ant/) (2026-06-08)
    
3.  Sygnia — [China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers for Persistence](https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/) (2024-06-03)
