
China-Linked Attackers Placed Backdoor in Linux Authentication for a Decade


Bottom Line: A China-linked hacker group operated undetected for nearly a decade through backdoors in Linux authentication components, where standard security tools do not look.

A China-linked hacker group operated undetected for approximately nine years within the Linux authentication components PAM and OpenSSH. Sygnia designates the group Velvet Ant and documents how the attackers placed their access at critical points in the login system that security remediation measures normally do not reach.

The attackers modified PAM (Pluggable Authentication Modules) and OpenSSH – the central components that govern authentication and access control under Linux. This placement enabled the Velvet Ant collective to bypass login mechanisms and maintain persistent access without leaving the application-level or filesystem artifacts that typical forensic investigations would capture.

This strategy illustrates an operational shift: rather than establishing a foothold on user endpoints or standard server surfaces – targets that security teams monitor with heightened attention – the attackers relocated their infrastructure to the authentication system itself. A network affected by this campaign initially lacked specialized monitoring for this layer.

For CISOs and IR teams, the lesson is that core authentication components such as PAM and OpenSSH must be monitored not only for patch status but also for integrity changes. The nine-year operational tenure shows that a pure endpoint focus remains blind to system-level intrusions. Regular cryptographic hash verification of these components, enhanced log aggregation on authentication events, and background process monitoring are necessary.
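One way to run the hash verification recommended above, as an added example that is not from the article or from Sygnia: it records SHA-256 digests of the OpenSSH and PAM files and reports anything modified, added or removed since the baseline. The watched paths and the baseline-file workflow are assumptions and vary by distribution.

```python
import hashlib, json, os, sys

# Assumed locations (not from the article); adjust per distribution.
WATCHED = ["/usr/sbin/sshd", "/etc/ssh/sshd_config", "/etc/pam.d",
           "/usr/lib64/security", "/lib/x86_64-linux-gnu/security"]

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Map every regular file at or under the given paths to its digest."""
    result = {}
    for p in paths:
        if os.path.isfile(p):
            result[p] = sha256_file(p)
        elif os.path.isdir(p):
            for root, _dirs, files in os.walk(p):
                for name in files:
                    full = os.path.join(root, name)
                    if os.path.isfile(full):
                        result[full] = sha256_file(full)
    return result

def compare(baseline, current):
    """Report files whose digest changed, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

if __name__ == "__main__":
    # Usage: integrity.py baseline.json [--init]
    baseline_path = sys.argv[1]
    current = snapshot(WATCHED)
    if "--init" in sys.argv:
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1)
    else:
        with open(baseline_path) as f:
            report = compare(json.load(f), current)
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Take the baseline from a known-good install and keep it off the host, since an attacker with root on the machine can rewrite a local baseline as easily as the binaries. An added PAM module is as significant as a modified one, which is why new files are reported separately.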


Source: thehackernews.com · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
