
Velvet Ant Spent Ten Years Inside Linux's Login Layer — And It Breaks Every IR Playbook You Have

Velvet Ant backdoored Linux PAM and OpenSSH for nearly a decade. Discover why this Linux PAM backdoor breaks standard IR playbooks and what to do instead.

Zyfolks Team

For nearly a decade, a China-nexus group called Velvet Ant didn’t hide malware on endpoints, didn’t drop new binaries scanners might catch, and didn’t burn a zero-day. They did something quieter and harder to clean up: they rewrote the program that decides whether you’re allowed to log in at all.

The Login Layer Is the Attack Surface Nobody Audits

Sygnia, which tracks the group as Velvet Ant, reports that the actor backdoored PAM and OpenSSH components on Linux systems inside a network with no direct internet access. Researchers found nine separate versions of the modified PAM module, with the earliest traces dating to 2016. Some versions let the attacker in with a secret password; others quietly logged real usernames and passwords as legitimate users signed in.

This matters because PAM is the universal authentication broker for Linux. If you control it, every login decision — SSH, sudo, su, cron — flows through your code first. The attacker didn’t need new tooling, didn’t need to escalate twice, and didn’t need to maintain a noisy command channel. The operating system itself authenticated them.

If you’re a team running a fleet of Linux servers with endpoint detection focused on new files, known signatures, and suspicious network beacons, an Operation Highland-style intrusion would slip past every layer. The malicious code lives inside binaries your asset inventory marks as “core OS.”

The prediction: integrity monitoring for PAM and OpenSSH binaries will graduate from optional hardening guide to standard SOC checklist item before the end of the year.

Why Standard Incident Response Playbooks Break Here

Sygnia’s report makes the cleanup problem explicit. The modified OpenSSH binaries logged every command typed, with a hidden switch to silence that logging on demand. Password resets and killed sessions — the reflexive first steps in any breach playbook — do nothing useful when the thing checking those credentials is working for the attacker.

This breaks an assumption baked into nearly every IR runbook: that the authentication layer is trustworthy enough to anchor recovery. It isn't, not in this scenario. Reset every password tomorrow and the modified PAM module captures the new ones the moment users sign in. Rotate SSH keys, and the modified sshd records the commands operators type to deploy them, new public keys included; the private keys themselves never reach sshd, but every sudo password typed over those fresh sessions still passes through the attacker's PAM module.

For a regulated environment — picture a hospital running healthcare software with strict access controls — this is the worst-case integrity failure. Audit logs of “who accessed what” become unreliable, because the auth layer producing those logs is the compromised component.

The editorial call: IR playbooks need a new step zero in 2026 — verify the integrity of the authentication stack against a known-good baseline before touching a single credential.

Operation Highland Is the Logical End of Living Off Trusted Infrastructure

Velvet Ant has been moving down the trust stack for years. Sygnia documented the same actor in 2024 turning internet-exposed F5 BIG-IP appliances into internal command servers, and later that year exploiting CVE-2024-20399 to plant a backdoor on Cisco NX-OS switches. Cisco patched that bug in July 2024, and CISA flagged it as exploited the following day. CVE-2024-20399 needed admin access first, so it was persistence tooling, not a remote break-in.

The pattern is consistent. Each time defenders find one foothold, the group pivots to gear that’s watched less and trusted more. Load balancers. Switches. And now, the login binaries themselves. Infrastructure that’s “internal,” “trusted,” or “appliance-managed” is exactly what a patient actor targets, because that’s where integrity checks are weakest and replacement is most dangerous.

For teams managing complex environments — say, a logistics operator running end-to-end supply chain software across distributed warehouses — the real question is: when was the last time anyone verified the binaries on the load balancer between the DMZ and the internal apps? Most teams have never done it once.

The prediction: “supply chain attack” will broaden through 2026 to routinely include the trusted binaries already running on your boxes, not just the upstream packages you install.

How To Hunt for Operation Highland-Style Activity

Sygnia’s defensive guidance is unusually direct. Monitor PAM and OpenSSH files for any change, and alert when they change. Hunt by checking what changed, not by waiting for an alert — compare these programs against known-good copies, because nothing else will flag them. And critically, remove the backdoor before resetting passwords, or the new credentials get stolen the same way. Test replacements in a lab first; the wrong substitution can lock administrators out of a live system.
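One concrete way to run that comparison, as an added example that is neither Sygnia's tooling nor code from this post: build a sha256 manifest of the PAM and OpenSSH files on a known-good reference, then verify a suspect host against it, reporting modified, missing and newly dropped files. The paths in AUTH_PATHS (the PAM module directory varies by distribution) and the use of GNU coreutils (sha256sum, find -exec +) are assumptions. The pam.d sweep at the end goes one step beyond the reported case, which involved modified module binaries rather than modified configuration: it lists modules referenced by /etc/pam.d that the baseline never contained. The demonstration runs against two constructed directory trees with placeholder files, not real binaries.

```shell
#!/bin/sh
# Added example, not from Sygnia's report or the Zyfolks post: hash the
# authentication stack on a known-good reference (golden image, fresh install,
# or packages unpacked on a clean machine), then verify a suspect host against
# that manifest. Paths in AUTH_PATHS are assumptions; adjust the PAM module
# directory for your distribution.
set -eu

# Files that make up the login layer on most Linux distributions. Paths are
# ROOT-relative so one manifest serves a live host (ROOT=/) or a suspect disk
# mounted read-only on a clean analysis box (ROOT=/mnt/suspect).
AUTH_PATHS="${AUTH_PATHS:-/lib/security /lib64/security /lib/x86_64-linux-gnu/security /etc/pam.d /etc/ssh/sshd_config /usr/sbin/sshd /usr/bin/ssh}"

# baseline_manifest ROOT OUT
# Write "sha256  /path" lines for every file under the listed paths to OUT.
# Paths containing whitespace are not supported (system binaries never do).
baseline_manifest() {
    root=$1; out=$2
    : > "$out"
    for p in $AUTH_PATHS; do
        [ -e "$root$p" ] || continue
        (cd "$root" && find ".$p" -type f -exec sha256sum {} +) \
            | sed 's/  \./  /' >> "$out"
    done
    sort -k2 -o "$out" "$out"
}

# verify_manifest ROOT MANIFEST
# Recompute hashes under ROOT and print MODIFIED / MISSING / UNEXPECTED lines.
# Returns 0 only when the stack matches the baseline exactly.
verify_manifest() {
    root=$1; manifest=$2; rc=0
    current=$(mktemp)
    baseline_manifest "$root" "$current"
    # Every baselined file must still exist with the same hash.
    while read -r hash path; do
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$now" ]; then
            printf '%-10s %s\n' MISSING "$path"; rc=1
        elif [ "$now" != "$hash" ]; then
            printf '%-10s %s\n' MODIFIED "$path"; rc=1
        fi
    done < "$manifest"
    # Anything present now but absent from the baseline is a dropped file,
    # e.g. a new .so in the PAM module directory.
    while read -r hash path; do
        [ -n "$(awk -v p="$path" '$2 == p' "$manifest")" ] \
            || { printf '%-10s %s\n' UNEXPECTED "$path"; rc=1; }
    done < "$current"
    rm -f "$current"
    return $rc
}

# pam_modules_referenced ROOT
# Module names (.so tokens) referenced by any file under ROOT/etc/pam.d.
pam_modules_referenced() {
    root=$1
    cat "$root"/etc/pam.d/* 2>/dev/null \
        | sed 's/#.*//' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' \
        | sort -u
}

# unlisted_pam_modules ROOT MANIFEST
# Referenced modules whose file is not in the baseline at all: either a
# freshly dropped module or a reference outside the module directory.
unlisted_pam_modules() {
    root=$1; manifest=$2
    pam_modules_referenced "$root" | while read -r mod; do
        base=$(basename "$mod")
        awk -v b="$base" '{ n = split($2, a, "/"); if (a[n] == b) found = 1 } END { exit !found }' "$manifest" \
            || echo "$mod"
    done
}

# Constructed demonstration: two fake roots with placeholder "binaries", one
# tampered like the text describes (modified sshd) plus a dropped module that
# the config sweep catches. The "sufficient" line is illustrative only.
demo() {
    good=$(mktemp -d); bad=$(mktemp -d)
    for r in "$good" "$bad"; do
        mkdir -p "$r/lib/security" "$r/etc/pam.d" "$r/usr/sbin"
        printf 'pam_unix v1\n' > "$r/lib/security/pam_unix.so"
        printf 'sshd v1\n'     > "$r/usr/sbin/sshd"
        printf 'auth required pam_unix.so\n' > "$r/etc/pam.d/sshd"
    done
    baseline_manifest "$good" "$good/manifest.txt"
    printf 'sshd with command logger\n' > "$bad/usr/sbin/sshd"
    printf 'pam_backdoor v1\n' > "$bad/lib/security/pam_backdoor.so"
    printf 'auth sufficient pam_backdoor.so\nauth required pam_unix.so\n' > "$bad/etc/pam.d/sshd"
    echo "== clean host";   verify_manifest "$good" "$good/manifest.txt" && echo "OK"
    echo "== suspect host"; verify_manifest "$bad" "$good/manifest.txt" || echo "stack differs from baseline"
    echo "== modules referenced but not baselined"; unlisted_pam_modules "$bad" "$good/manifest.txt"
    rm -rf "$good" "$bad"
}
demo
```

Two caveats decide whether the result means anything. First, the baseline must come from somewhere the attacker never touched: a manifest taken from the host itself only proves nothing changed after the intrusion, so build it from vendor media or a clean install of the same package versions (rpm -V and dpkg -V are a quick first pass, but their databases live on the same disk and can be updated by anyone with root). Second, on a live host the find, sha256sum and awk doing the checking are themselves candidates for replacement; if you suspect root-level compromise, image the disk, mount it read-only on a clean machine and point ROOT at the mount rather than trusting the suspect system's own tools.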

For the earlier campaigns, the checks differ: patch CVE-2024-20399 on Cisco Nexus gear, and watch F5 appliances for unexpected outbound connections. Teams building custom platforms face the same exposure: custom API and integration layers often pass through these same trusted components — the SSH bastion, the load balancer — that defenders rarely re-baseline after deployment.

FAQ

Q: What is PAM in Linux and why is backdooring it so serious? A: PAM (Pluggable Authentication Modules) is the framework Linux uses to verify users across SSH, sudo, su, cron, and login. It sits between every authentication program and the actual credential store. Backdooring PAM means every login decision on the system runs through attacker-controlled code, regardless of which front-door tool is used.

Q: Why didn’t endpoint detection catch this earlier? A: The attacker didn’t drop new files or run known malware. They modified existing trusted binaries, so signature-based scanners found nothing unusual. Without file-integrity monitoring against a known-good baseline, the modified PAM and OpenSSH binaries looked identical to legitimate system components.

Q: Was a CVE involved in the Linux compromise? A: No. According to Sygnia, the Linux side of Operation Highland is not a one-CVE problem. The attacker modified trusted programs after gaining initial access, so the remediation is integrity verification, not patching.

Key Takeaways

  • Teams without integrity baselines for PAM and OpenSSH binaries have no detection path for this class of threat, regardless of how much they spend on endpoint tooling.
  • Incident response runbooks need to assume the authentication layer itself can be compromised before any credential rotation begins.
  • Infrastructure labeled “internal” or “appliance-managed” is exactly where patient actors hide; load balancers, switches, and login subsystems all need scheduled integrity verification.
  • Expect at least one major Linux distribution or security vendor to ship signed-binary attestation specifically for PAM and sshd within the next 12 months.
  • Network segmentation alone is no defense when the attacker can bridge through an internet-facing web server into an isolated network, as Sygnia documented in this case.
