Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

China-nexus group hid in Linux login system for nearly a decade

The threat actor Velvet Ant maintained persistent, undetected access for nearly a decade by compromising core Linux authentication components, specifically the Pluggable Authentication Modules (PAM) and OpenSSH. This allowed them to bypass authentication or capture legitimate credentials directly, rendering traditional password resets and session terminations ineffective. The article emphasizes the critical need for integrity verification of trusted system components and proactive threat hunting over reliance on reactive security alerts.

June 12, 2026. By SC Staff.

As detailed in The Hacker News, a sophisticated China-nexus threat group, tracked as Velvet Ant by Sygnia, has been discovered to have operated undetected on an organization's network for approximately 10 years by compromising the core Linux login system itself. Instead of relying on conventional malware, the group stealthily modified trusted components like PAM and OpenSSH, allowing them to maintain persistent access and exfiltrate credentials without triggering standard security alerts.

The group's operation, dubbed Operation Highland, involved backdooring the Pluggable Authentication Modules (PAM) and OpenSSH components, which are fundamental to user authentication on Linux systems. This allowed them to either bypass authentication with a secret password or silently capture legitimate user credentials. The targeted network was air-gapped, necessitating the use of internet-facing systems as a bridge to reach the isolated environment. Researchers identified nine distinct versions of the backdoored software, indicating a long-term and evolving campaign.

The compromised login system rendered traditional containment measures ineffective, as password resets and session terminations did not address the root cause of the compromise. This tactic aligns with Velvet Ant's known modus operandi, which includes exploiting trusted infrastructure like F5 BIG-IP appliances and Cisco NX-OS devices in previous attacks.

The implications for cybersecurity are significant, highlighting the need for integrity checks on critical infrastructure components, including the login layer, and emphasizing proactive threat hunting over reactive alerting.

Source: The Hacker News
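The article's closing recommendation is integrity checking of the login layer. The script below is an added illustration of what that check looks like in practice; it is not tooling from SC Media, Sygnia or The Hacker News. It records a SHA-256 baseline of the PAM module directories, the PAM configuration and the OpenSSH daemon binary, then reports files that were modified, removed or added since the baseline was taken. The default paths are assumptions about common Linux distribution layouts and must be checked against the host in question; the `demo()` function exercises the logic on a constructed fake login layer in a temporary directory.

```python
"""Baseline-and-diff integrity check for the Linux login layer (PAM, sshd).

Added illustration, not tooling from SC Media, Sygnia or The Hacker News.
The default paths are assumptions about common distro layouts; adjust them.
"""
import argparse
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed locations of PAM modules, PAM config and the OpenSSH daemon on a
# typical Linux host. Verify against your distribution before relying on them.
DEFAULT_WATCH_PATHS = [
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/etc/pam.d",
    "/usr/sbin/sshd",
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map every regular file under the given files/directories to its digest.
    Paths that do not exist on this host are skipped silently."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_dir():
            files = [f for f in sorted(p.rglob("*")) if f.is_file()]
        elif p.is_file():
            files = [p]
        else:
            continue
        for f in files:
            baseline[str(f)] = sha256_of(f)
    return baseline


def check_against_baseline(baseline, paths):
    """Re-hash the watched paths and report what changed since the baseline."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Run the check on a constructed fake login layer in a temp directory.
    Simulates one replaced module, one added module and one deleted module."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sec = root / "security"
        sec.mkdir()
        (sec / "pam_unix.so").write_bytes(b"constructed: original pam_unix.so")
        (sec / "pam_deny.so").write_bytes(b"constructed: original pam_deny.so")
        (root / "sshd").write_bytes(b"constructed: original sshd")
        watch = [sec, root / "sshd"]
        baseline = build_baseline(watch)

        # Tamper: replace pam_unix.so, add an unknown module, remove pam_deny.so.
        (sec / "pam_unix.so").write_bytes(b"constructed: modified pam_unix.so")
        (sec / "pam_unknown.so").write_bytes(b"constructed: extra module")
        (sec / "pam_deny.so").unlink()

        report = check_against_baseline(baseline, watch)
        # Report paths relative to the temp root so the result is deterministic.
        return {k: [Path(p).relative_to(root).as_posix() for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("mode", choices=["init", "check", "demo"])
    ap.add_argument("--baseline", default="login-layer-baseline.json")
    ap.add_argument("--path", action="append", dest="paths",
                    help="override a watched path (repeatable)")
    args = ap.parse_args()
    paths = args.paths or DEFAULT_WATCH_PATHS
    if args.mode == "demo":
        print(json.dumps(demo(), indent=2))
    elif args.mode == "init":
        Path(args.baseline).write_text(json.dumps(build_baseline(paths), indent=2))
    else:
        with open(args.baseline) as f:
            print(json.dumps(check_against_baseline(json.load(f), paths), indent=2))
```

Two caveats matter when using a check like this against the kind of compromise the article describes. The baseline must be taken from a known-good state and kept off the host, because an intruder with root can rewrite the baseline along with the files; cross-checking against package-manager metadata (`rpm -V` on RPM systems, `debsums` on Debian-based ones) gives a second, vendor-supplied reference. The check also only covers on-disk state, so a run of it belongs alongside process and memory inspection of `sshd` during a hunt, not in place of it.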
