Chinese APT Backdoors Linux PAM Login Software for Nearly a Decade
One backdoored authentication module, one isolated network, ten years of undetected access — a reminder that critical authentication primitives are a forever-target.
Key Takeaways
A single backdoored authentication module gave a China-aligned group roughly ten years of access, in one of the longest-running undetected espionage campaigns to surface in 2026.
TEL AVIV — A China-aligned APT group spent nearly a decade undetected inside a target organization after backdooring the Linux Pluggable Authentication Module (PAM) software that handles logins, researchers at the incident-response firm Sygnia disclosed in mid-June 2026, per The Hacker News and BleepingComputer. Sygnia attributes the activity to a group it tracks as Velvet Ant and dubs the intrusion Operation Highland. The campaign is one of the longest-running undetected espionage operations to come to light this year, and it shows how a patient attacker can turn a single critical authentication primitive into access that lasts across years and operating-system upgrades.
The technique struck at the heart of how Linux decides who is allowed in. PAM is the modular framework that Linux programs call to authenticate users, and Velvet Ant replaced the legitimate pam_unix.so module, the one that checks local passwords, with backdoored builds that accepted hardcoded passwords and harvested the credentials of users logging in normally. Per Sygnia, the group used nine distinct variants of the malicious module, each compiled in a separate build environment, a level of effort that points to a well-resourced, deliberate actor rather than an opportunist.
Campaign Overview

| Field | Details |
|---|---|
| Attribution | Velvet Ant — China-aligned espionage group (per Sygnia) |
| Operation | Operation Highland |
| Technique | Backdoored Linux PAM (Pluggable Authentication Module); replaced pam_unix.so to hijack the login flow |
| Capability | Accepts hardcoded passwords; harvests user credentials |
| Tooling depth | Nine distinct backdoored PAM variants, each compiled in a separate build environment |
| Duration | Nearly a decade; campaign began around 2016 |
| Target environment | Pivoted from internet-facing systems to an isolated network with no direct internet path |
| Bridge | Used an internet-facing web server to pass commands into the isolated segment |
How the PAM Backdoor Worked
Per Sygnia, the operation centered on subverting authentication itself. On Linux, PAM is the pluggable layer that login, sshd, sudo and similar programs call to decide whether an authentication attempt succeeds, and pam_unix.so is the standard module that checks a password against the local account database. By swapping that module for a backdoored build, Velvet Ant gave itself two durable advantages at once: a hardcoded password that authenticated the attacker on demand regardless of the account's real password, and a harvesting capability that captured the credentials of every user who logged in normally, since the module is handed the password in the clear in order to verify it. Because the backdoor lived in the authentication stack rather than in a separate implant, it saw administrators' credentials along with everyone else's and ran as a component the host itself trusts.
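For orientation, this is the shape of the authentication stack a Debian-family host carries in /etc/pam.d/common-auth. It is an added illustration for this article, not configuration recovered from the intrusion, and the exact lines vary by release:

```text
# /etc/pam.d/common-auth (Debian/Ubuntu default layout; illustrative, varies by release)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
```

The configuration names the module by file name only; libpam resolves it from the module directory (/lib/x86_64-linux-gnu/security on Debian multiarch, /lib64/security on RHEL-family systems). Replacing the binary therefore changes nothing in /etc/pam.d, so integrity monitoring scoped to the configuration directory alone would not have caught this swap, and whatever the replaced module writes to the auth log is up to the attacker.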
The use of nine distinct variants, each compiled in its own build environment, is the detail that signals sophistication. Maintaining multiple builds across a long campaign suggests deliberate operational hygiene — tailoring modules to specific hosts and avoiding a single reusable artifact that defenders could fingerprint once and sweep everywhere. That is the tradecraft of a patient, well-resourced espionage actor optimizing for longevity over reach.
Why an Isolated Network Was the Target
The campaign's architecture is as instructive as its tooling. Per the reporting, Operation Highland began around 2016 against internet-facing systems, then pivoted into a network segment that had no direct internet connection. To operate inside that isolated environment, the attackers used an internet-facing web server as a bridge, passing commands through it to open remote sessions deep in the segment. The lesson is that "isolated" is a posture that depends on every bridge being accounted for: a single dual-homed system, here a web server reachable from both the internet and the protected segment, turns a segment with no direct internet path into one reachable by anyone who controls the bridge. The CyberSignal has documented the same patience and bridging logic across China-nexus espionage, from the Showboat backdoor resident inside Middle East and Central Asia telcos since 2022 to the Webworm APT's move onto Discord and OneDrive to reach European governments.
Nearly a Decade Undetected — What That Says About Long-Tail Espionage
A ten-year dwell time is the headline, and it reframes how defenders should think about persistence. Authentication is an ideal place to hide because it is both essential and rarely inspected at the binary level: administrators trust that pam_unix.so is the module the distribution shipped, and few environments verify the integrity of their PAM stack on an ongoing basis. An actor that subverts authentication inherits a foothold that survives reboots and user changes, and that can be carried across OS upgrades as long as the attacker re-plants the module whenever a package update overwrites it, all while generating little of the anomalous activity that endpoint tooling is tuned to catch. This is the durable, low-noise espionage profile The CyberSignal has tracked across China-nexus operations such as the Operation Dragon Weave campaign against the Czech Republic and Taiwan: access optimized to outlast the defender's attention rather than to act quickly.
Defensive Guidance for PAM-Dependent Environments
For Linux-dependent organizations, Operation Highland is a prompt to treat the authentication stack as a monitored asset. Put file-integrity monitoring over the PAM module directory (/lib/x86_64-linux-gnu/security on Debian-family multiarch systems, /lib64/security on RHEL-family systems, /lib/security on older layouts) and alert on any change to pam_unix.so or its neighbours, since a swapped module is the core indicator here. Compare deployed PAM binaries against known-good distribution hashes; rpm -V pam or dpkg --verify libpam-modules is a quick first pass, with the caveat that the package database on a compromised host is itself within the attacker's reach, so keep an independent baseline off the host and take it from a trusted state. Because a hardcoded-password backdoor produces a success that looks like any other pam_unix login, hunt for successful logins the account owner cannot explain (source address, hour, an account that should be dormant) rather than for authentication failures. Audit dual-homed systems that touch both an isolated segment and a less-trusted network, because those bridges are how air gaps fail. Ingest Sygnia's indicators once available and retro-hunt across historical logs, and pair the hunt with an incident-response plan that assumes a long-dwell foothold may already be resident, including a willingness to rebuild rather than merely clean systems whose trust has been undermined at the authentication layer.
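The baseline-and-verify check described above, as an added example written for this article; it is not Sygnia's tooling and not any distribution's script. It hashes every shared object in the PAM module directories, stores the result, and on a later run reports modules that were modified, removed or newly added, then asks rpm or dpkg for a second opinion on each finding. The directory list, the command-line shape and the package-manager handling are assumptions to adapt to the distributions in use:

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for Linux PAM modules.

Added example for this article, not Sygnia's tooling or a distribution script.
Assumed CLI (run as root so every module directory is readable):
    pam_fim.py baseline /root/pam-baseline.json   # once, from a trusted state
    pam_fim.py verify   /root/pam-baseline.json   # from cron or a FIM agent
"""
import hashlib
import json
import shutil
import subprocess
import sys
from pathlib import Path

# Assumption: these paths cover Debian/Ubuntu multiarch and RHEL-family layouts.
DEFAULT_DIRS = [
    "/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/security", "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
]


def sha256_file(path):
    """SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(dirs=DEFAULT_DIRS):
    """Map every *.so in the module directories to its digest. open() follows
    symlinks, so a module swapped behind an unchanged link is still caught."""
    baseline = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for so in sorted(p.glob("*.so")):
            if so.is_file():
                baseline[str(so)] = sha256_file(so)
    return baseline


def verify(baseline, dirs=DEFAULT_DIRS):
    """Diff the live module set against the baseline. Returns sorted
    (status, path) pairs with status 'missing', 'modified' or 'unexpected'."""
    current = build_baseline(dirs)
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(("missing", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    findings.extend(("unexpected", p) for p in current if p not in baseline)
    return sorted(findings)


def package_check(path):
    """Second opinion from the package manager: does the file still match the
    shipped copy? Returns (tool, mismatch_lines); tool is None if neither rpm
    nor dpkg is present, and an empty list with a tool means it verified clean."""
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
        lines = [l for l in r.stdout.splitlines() if path in l]
        if r.returncode and not lines:  # e.g. "file ... is not owned by any package"
            lines = [r.stderr.strip() or "rpm -Vf failed"]
        return "rpm", lines
    if shutil.which("dpkg"):
        owner = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True).stdout
        if not owner:
            return "dpkg", ["not owned by any package: " + path]
        pkg = owner.split(":", 1)[0]  # "libpam-modules:amd64: /path" -> "libpam-modules"
        r = subprocess.run(["dpkg", "--verify", pkg], capture_output=True, text=True)
        return "dpkg", [l for l in r.stdout.splitlines() if path in l]
    return None, []


def main(argv):
    if len(argv) != 3 or argv[1] not in ("baseline", "verify"):
        print(__doc__)
        return 2
    mode, store = argv[1], Path(argv[2])
    if mode == "baseline":
        store.write_text(json.dumps(build_baseline(), indent=1))
        return 0
    findings = verify(json.loads(store.read_text()))
    for status, path in findings:
        tool, detail = package_check(path) if status != "missing" else (None, [])
        extra = f"  [{tool}: {'; '.join(detail) or 'verified clean'}]" if tool else ""
        print(f"{status:<10} {path}{extra}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter more than the code. The baseline must be taken from a state you trust (a freshly provisioned host, or hashes derived from the distribution's own packages) and stored off the host, because a baseline recorded after the swap would bless the backdoor. The rpm/dpkg check is a useful corroboration, but on a compromised host that database can be edited too, which is why the script treats it as a second opinion rather than the verdict.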
Open Questions and Attribution Gaps
Several specifics remain to be confirmed against Sygnia's published research: the identity, sector and country of the victim organization; the full set of Linux distributions and PAM versions affected; the detection chain that finally surfaced the backdoor after years; and the availability of public indicators or signatures. Sygnia's attribution to the China-aligned Velvet Ant group is the firm's assessment; The CyberSignal reports it as such rather than as an independent finding. The decade-long timeline and the nine-variant detail are Sygnia's findings, and the broader takeaway holds regardless of attribution: authentication primitives are a forever-target, and the organizations that monitor them are the ones most likely to find an intruder who has learned to live there quietly.