A China-linked threat group planted a Linux PAM backdoor inside a corporate network and stayed hidden for close to ten years. The technical details are striking. The lesson for organisations matters more: most security tools find vulnerabilities, but none of them can catch an attacker who simply replaces a trusted file with a poisoned copy.
What Happened
Security firm Sygnia investigated an intrusion it named Operation Highland. It found that Velvet Ant, a China-nexus group, had replaced the primary PAM login module on multiple Linux hosts. Some modified versions accepted a hardcoded secret password alongside real ones. Others quietly captured every credential typed by legitimate users. Sygnia recovered nine separate variants, each built in a different compile environment. The earliest traces go back to 2016.
OpenSSH binaries were changed too. The modified files logged every command typed after login. A hidden switch inside the code could turn that logging off when needed. Parts of the network had no direct internet access, but Velvet Ant bridged into those segments via a compromised web server acting as a relay.
The Flaw Is Not in the Software
No CVE covers this attack. Velvet Ant did not find a software bug. It replaced fully patched files with its own versions. Every patch report on that network would have shown software up to date. The attack was invisible to the tools most organisations use to measure their security posture.
Most security programmes rest on a central idea: find the gaps in your software and close them. That model is useful, but it is incomplete. It answers whether software was correctly installed. It does not tell you whether the files on disk today are still the originals.
Password resets do not help here either. If the login module records each new password as it is typed, the attacker gets it the moment the user sets it. Standard incident response assumes that security tools can be trusted. In this case, they could not be.
Linux PAM Backdoor as a Mirror for Security Assumptions
The Linux PAM backdoor technique works because defenders learn to ask one question: is this system patched? Few ask the second one: is what is running on this system actually what I think it is? Those are different questions. Patching answers the first. File-integrity checking answers the second.
The first question is answered by a vulnerability scanner. The second requires comparing files on disk against a clean baseline. Tools like Tripwire and AIDE do exactly that. So do the package verification commands built into most Linux distributions. Yet most organisations do not run them on their login stack, or they run them without anyone acting on the alerts.
The detection gap Velvet Ant found has been open for a decade. It is not exotic. It needs no zero-day and no state-level funding. Once this method is better documented, less sophisticated attackers will pick it up.
The PAM Layer Is Not Unique
PAM is a valuable target because controlling login means controlling everything downstream. But the same logic applies to other low-level software. Boot files, kernel modules, and the agents installed by security products are all attractive targets. Swap any one of them out, and defenders end up working from a false picture of their own systems.
The security industry talks often about supply-chain attacks, where poisoned software reaches customers through a trusted channel. Velvet Ant’s approach is a post-delivery version: software arrived legitimately, then the attacker replaced it on the target’s own machines. The integrity check that catches a supply-chain compromise at install time would also catch this. Most environments do not have that check in place.
What a Realistic Response Looks Like
A Linux PAM backdoor works by swapping out the files that handle login. File-integrity monitoring on those binaries would detect the swap. Alerts should go to a log store the attacker cannot modify. Periodic checks against distribution package checksums surface any tampering. Neither step requires a large budget or specialist staff.
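As an added example (not from Sygnia's report or from any tool named on this page), here is a small POSIX shell script that does the two checks described above: it records a SHA-256 baseline for login-critical files and later re-hashes them to flag anything replaced or removed. The file names and paths in the demo are constructed stand-ins; on a real host the list would name the PAM modules and OpenSSH binaries, and the baseline would be taken from a known-clean image and kept off the host.

```shell
#!/bin/sh
# Baseline-and-compare integrity check for login-critical files.
# Placeholder file list: on a real host point it at pam_unix.so, sshd,
# ssh and login, and keep the baseline and findings off the host.

# make_baseline BASELINE FILE... : record "sha256  path" for each file.
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        sha256sum "$f" >> "$out"
    done
}

# check_baseline BASELINE : rehash every recorded file and report
#   MODIFIED <path>  hash differs from the baseline (file was replaced)
#   MISSING <path>   file recorded in the baseline is gone
# Returns 0 when everything matches, 1 when anything was found.
check_baseline() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Distribution-package counterpart, which checks against the vendor's
# recorded checksums instead of a local baseline (not run by the demo):
#   rpm -V pam openssh-server               # RHEL family
#   dpkg -V libpam-modules openssh-server   # Debian family

# demo: constructed stand-ins for the PAM module and sshd in a temp dir;
# the second write to pam_unix.so simulates a swap for a trojanised copy.
demo() {
    tmp=$(mktemp -d)
    printf 'clean pam_unix.so' > "$tmp/pam_unix.so"
    printf 'clean sshd' > "$tmp/sshd"
    make_baseline "$tmp/baseline" "$tmp/pam_unix.so" "$tmp/sshd"
    printf 'trojanised pam_unix.so' > "$tmp/pam_unix.so"
    check_baseline "$tmp/baseline"     # prints: MODIFIED .../pam_unix.so
    rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it from cron and ship the output to the write-protected log store the text describes; a clean run prints nothing and exits 0.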
The harder problem is metrics. A patch compliance report showed green throughout ten years of active compromise. A metric that also covers the integrity of login-critical files would have told a different story far sooner. That change costs very little to make.
The UK’s National Cyber Security Centre sets out three foundational controls: know what you have, know what it should look like, and detect when that changes. Velvet Ant’s decade inside one network shows what happens when the third control is absent. The tools to detect a Linux PAM backdoor and similar file replacements already exist. The question is whether organisations will use them before this technique spreads further.