A China-linked hacking group called Velvet Ant backdoored fundamental Linux authentication components for nearly a decade, security researchers revealed. The group compromised PAM (Pluggable Authentication Modules) and OpenSSH, the core systems that control user login access on Linux systems.

By embedding malicious code into these low-level authentication mechanisms, Velvet Ant gained persistent access that survived standard security cleanup procedures. Most defenders focus monitoring and incident response on applications and user-facing software. This group instead targeted the operating system layer itself, where fewer organizations conduct deep forensic analysis.

Sygnia researchers discovered the backdoor during an investigation of a compromised network. The attackers positioned their access at a layer where standard patching and system hardening often miss malicious modifications. PAM provides authentication services across virtually all Linux distributions, while OpenSSH remains the standard remote-access implementation on Unix-like systems.

The discovery underscores a critical blind spot in typical Linux security posture. Organizations usually patch and monitor their applications but trust the underlying operating system components as secure by default. Attackers who exploit this assumption can hide in plain sight within the authentication layer itself.

The long operational window, approaching a decade, demonstrates how effective this strategy proved. The group maintained access through system updates and standard remediation efforts by compromising components so fundamental that administrators rarely suspect them as compromise vectors. Velvet Ant operators could intercept login credentials, create hidden user accounts, and maintain access independent of application-level compromises.

This technique carries severe implications for enterprise security. Compromised authentication systems mean attackers can potentially access any account on affected systems. Detection becomes nearly impossible using standard endpoint detection and response tools. Organizations must now consider that their Linux systems' very foundation could be weaponized against them.
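One concrete way to look for the kind of tampering the article describes, as an added example that is not part of this article or of Sygnia's research: a POSIX shell script that records a sha256 manifest of PAM modules and OpenSSH binaries from a known-good state, reports files that were later modified, removed or added, and audits a PAM configuration file for modules loaded by absolute path or missing from an allowlist. Every file, directory and PAM entry it touches is constructed sample data in a temporary directory, and the allowlist of module names is an assumption a defender would replace with their own distribution's baseline.

```shell
#!/bin/sh
# Added example, not from the article or from Sygnia: two checks a defender can
# run against the Linux authentication layer. Everything it touches is
# constructed sample data in a temp directory, never real system files.
#
# 1. record_baseline / verify_baseline / list_unbaselined: keep a sha256
#    manifest of PAM modules and OpenSSH binaries taken from a known-good
#    state, then report files that were modified, removed or newly added.
#    (rpm -V / dpkg -V do a similar job, but they trust the local package
#    database, which an attacker with root can also alter; a manifest stored
#    off-host does not have that weakness.)
# 2. audit_pam_config: flag PAM stack lines that load a module by absolute
#    path, or a module name missing from an explicit allowlist.

# setup_sample DIR: build a miniature "host" with fake module/binary files
setup_sample() {
  d="$1"
  mkdir -p "$d/lib/security" "$d/bin" "$d/pam.d"
  printf 'fake pam_unix module\n' > "$d/lib/security/pam_unix.so"
  printf 'fake pam_deny module\n' > "$d/lib/security/pam_deny.so"
  printf 'fake sshd binary\n'     > "$d/bin/sshd"
  cat > "$d/pam.d/sshd" <<'EOF'
# constructed sample of /etc/pam.d/sshd
auth     required   pam_unix.so nullok
auth     [success=1 default=ignore] pam_succeed_if.so uid >= 1000
auth     optional   /tmp/pam_extra.so
@include common-account
session  required   pam_deny.so
session  optional   pam_unknown.so
EOF
}

# record_baseline DIR...: print one "sha256  path" line per regular file, sorted
record_baseline() {
  find "$@" -type f | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done
}

# verify_baseline MANIFEST: print MODIFIED/MISSING lines; return 1 if any
verify_baseline() {
  rc=0
  while read -r want file; do
    if [ ! -f "$file" ]; then
      printf 'MISSING %s\n' "$file"; rc=1
    elif [ "$(sha256sum "$file" | cut -d' ' -f1)" != "$want" ]; then
      printf 'MODIFIED %s\n' "$file"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# list_unbaselined MANIFEST DIR...: files present now that the manifest never saw
list_unbaselined() {
  manifest="$1"; shift
  find "$@" -type f | LC_ALL=C sort | while read -r f; do
    # a sha256sum line is 64 hex chars + two spaces, so the path starts at column 67
    cut -c67- "$manifest" | grep -qxF -- "$f" || printf 'NEW %s\n' "$f"
  done
}

# audit_pam_config FILE "mod1.so mod2.so ...": report suspicious module references
audit_pam_config() {
  cfg="$1"; allow=" $2 "
  # drop comments/blank lines, collapse bracketed controls such as
  # [success=1 default=ignore] to one token so the fields split cleanly
  grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' |
    sed 's/\[[^]]*\]/[...]/' |
    while read -r type control module args; do
      case "$type" in @include) continue ;; esac            # Debian-style include
      case "$control" in include|substack) continue ;; esac # references another file
      case "$module" in
        /*) printf 'ABSOLUTE_PATH %s %s\n' "$type" "$module"; continue ;;
      esac
      case "$allow" in
        *" $module "*) ;;
        *) printf 'UNLISTED %s %s\n' "$type" "$module" ;;
      esac
    done
}

# stand-alone demo: baseline a clean sample tree, simulate tampering, report
D="$(mktemp -d)"
setup_sample "$D"
record_baseline "$D/lib/security" "$D/bin" > "$D/baseline.sha256"
printf 'extra bytes\n' >> "$D/lib/security/pam_unix.so"   # modified module
rm "$D/bin/sshd"                                           # removed binary
printf 'dropped in\n' > "$D/lib/security/pam_unknown.so"   # unexpected new module
verify_baseline "$D/baseline.sha256" || echo "baseline check FAILED"
list_unbaselined "$D/baseline.sha256" "$D/lib/security" "$D/bin"
audit_pam_config "$D/pam.d/sshd" "pam_unix.so pam_deny.so pam_succeed_if.so"
rm -rf "$D"
```

On a real host the manifest would be recorded from trusted installation media or a freshly built image and kept off the machine, since a manifest stored locally can be rewritten by the same access that altered the modules; the directories to baseline would be the distribution's PAM module path (for example /lib/security or /lib/x86_64-linux-gnu/security) plus the sshd and ssh binaries and /etc/pam.d.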

Defenders should conduct deep forensic analysis of PAM and OpenSSH binaries across their Linux infrastructure, particularly