
China-Linked Attackers Infiltrate Authentication System in Linux Infrastructure


In a nutshell: A China-linked hacker group infiltrated fundamental Linux authentication systems PAM and OpenSSH over many years, evading conventional detection methods.

A China-linked hacker group, dubbed Velvet Ant by Sygnia, has compromised core Linux authentication components over approximately a decade. The attackers manipulated PAM and OpenSSH components to maintain persistent presence in a network without being discovered through routine system cleanup procedures.

Sygnia, a security company specializing in threat intelligence, documents the activities of an attacker it tracks as Velvet Ant and assesses to be China-linked. The group has established itself at a critical layer of the infrastructure: inside the login mechanisms themselves.

The backdoors were embedded in PAM (Pluggable Authentication Modules) and OpenSSH, two components that control core authentication functions on virtually every Linux system. Because the operating system and administrators treat these components as the trust foundation, they typically escape the monitoring and cleanup that is normally applied at the user level or in application layers.

The choice of this attack vector shows an understanding of enterprise infrastructure architecture: defenders concentrate their attention on workstations, servers and applications, while kernel-adjacent or system-privileged components rarely receive the same scrutiny. A backdoor at this level lets the attacker authenticate as virtually any account, bypassing the normal credential checks regardless of that account's permissions.
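The practical question this raises is how to tell whether a host's PAM modules or sshd binary are still the ones the distribution shipped. The script below is an added example, not code from Sygnia's report or from this article: it extracts every module referenced from /etc/pam.d, locates the shared object, and asks the package manager (dpkg or rpm, whichever is present) whether the file is owned by a package and whether its recorded digest still matches. The PAM search directories, the list of OpenSSH binaries and the sample configuration text are assumptions chosen for illustration; the sample is constructed, not copied from any real host, and the module path it names is fictional.

```shell
#!/bin/sh
# Added example: triage check for tampered PAM modules and OpenSSH binaries.
# Not from Sygnia's report. Assumes a Debian- or RPM-based host; the directory
# list and binary list below are assumptions, extend them for other layouts.

# Constructed sample PAM config (not from a real host; pam_custom.so is fictional).
SAMPLE_PAM_CONFIG='# constructed sample
auth     required      pam_env.so
auth     [success=1 default=ignore] pam_unix.so nullok
auth     requisite     pam_deny.so
@include common-account
session  optional      /usr/lib/security/pam_custom.so'

# Read PAM config text on stdin, print each referenced module (the first token
# ending in .so on a line) once. Handles bracketed control fields, leading '-',
# comments, blank lines and @include/include lines that name no module.
pam_modules_from_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }
    ' | LC_ALL=C sort -u
}

# Map a module name to a file path. Absolute names are used as-is; bare names
# are searched in the usual PAM module directories (assumed list).
resolve_module() {
    case $1 in
        /*) printf '%s\n' "$1"; return ;;
    esac
    for d in /lib/security /lib64/security /usr/lib/security /usr/lib64/security \
             /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security \
             /lib/aarch64-linux-gnu/security /usr/lib/aarch64-linux-gnu/security; do
        if [ -e "$d/$1" ]; then printf '%s\n' "$d/$1"; return; fi
    done
    printf '%s\n' "$1"   # not found anywhere: caller reports it as MISSING
}

# Print one status line for a file: MISSING, UNOWNED (no package claims it),
# MODIFIED (package verification flags it) or OK. The last field of
# `dpkg -V` / `rpm -V` output is the path, which is what the awk filter keys on.
check_file() {
    f=$1
    if [ ! -e "$f" ]; then printf 'MISSING  %s\n' "$f"; return; fi
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -z "$pkg" ]; then printf 'UNOWNED  %s\n' "$f"; return; fi
        if [ -n "$(dpkg -V "$pkg" 2>/dev/null | awk -v p="$f" '$NF == p')" ]; then
            printf 'MODIFIED %s (package %s)\n' "$f" "$pkg"
        else
            printf 'OK       %s (package %s)\n' "$f" "$pkg"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$f" 2>/dev/null | head -n 1)
        if [ -z "$pkg" ]; then printf 'UNOWNED  %s\n' "$f"; return; fi
        if [ -n "$(rpm -V "$pkg" 2>/dev/null | awk -v p="$f" '$NF == p')" ]; then
            printf 'MODIFIED %s (package %s)\n' "$f" "$pkg"
        else
            printf 'OK       %s (package %s)\n' "$f" "$pkg"
        fi
    else
        printf 'NOPKGMGR %s\n' "$f"
    fi
}

# Walk the live PAM configuration and the OpenSSH binaries on this host.
audit_host() {
    cat /etc/pam.d/* /etc/pam.conf 2>/dev/null | pam_modules_from_config |
    while IFS= read -r mod; do
        check_file "$(resolve_module "$mod")"
    done
    # Assumed locations of the OpenSSH components worth checking.
    for p in /usr/sbin/sshd /usr/bin/ssh /usr/lib/openssh/sftp-server \
             /usr/libexec/openssh/sftp-server; do
        [ -e "$p" ] && check_file "$p"
    done
}

# Only touch the real host when explicitly asked: PAM_AUDIT_RUN=1 sh pam-audit.sh
if [ "${PAM_AUDIT_RUN:-}" = "1" ]; then audit_host; fi
```

Any UNOWNED or MODIFIED line for a PAM module or an OpenSSH binary is a finding to investigate, as is a module name that appears in /etc/pam.d but is not shipped by the distribution. The caveat is the one the article itself implies: an attacker with root can rewrite the package database or replace dpkg and rpm along with the modules, so treat a clean result as necessary rather than sufficient, and confirm digests against a freshly downloaded copy of the package or from trusted boot media. The configuration files under /etc/pam.d deserve the same comparison, since a genuine module wired in with a weakened control flag is as effective as a trojaned one.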


Source: thehackernews.com · Published 12 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
