Industry News & Leadership, Jun 15, 2026

China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass

Source: Cybersecurity News. Archived Jun 15, 2026.



By Tushar Subhra Dutta, June 15, 2026

A sophisticated China-linked threat actor known as Velvet Ant has been running a long-term cyber intrusion inside a major organization’s internal network, going undetected for nearly a decade. The campaign, now called Operation Highland, revealed a level of patience and technical depth rarely seen in publicly documented intrusions. What made this attack particularly alarming was not just how far the attackers got, but how long they stayed hidden inside a network with no direct internet connection.

Velvet Ant did not breach this environment through a simple phishing email or brute-force attack. Instead, the group engineered a deliberate, multi-stage access chain that moved from internet-facing systems into a tightly isolated critical infrastructure network. The attackers used publicly available tools as cover and modified them to blend in with normal activity, making detection nearly impossible with conventional security tools.

Analysts at Sygnia said in a report shared with Cyber Security News (CSN) that when their IR team began reconstructing the intrusion, the earliest forensic artifacts traced back to 2017, revealing nearly a full decade of undetected presence inside the internal network. The investigation, named Operation Highland, exposed how Velvet Ant moved from internet-facing systems through the IT network to reach the most sensitive infrastructure segments.

Figure: Snippet from IDA showing the usage of GS-Netcat (Source – Sygnia)

Sygnia’s findings showed a consistent pattern: when detected, the group pivots to less-monitored infrastructure and rebuilds persistence from a new position. The target network had no direct internet connectivity, which meant the attacker had to engineer a deliberate multi-stage chain to reach it.
Velvet Ant staged through internet-facing systems and traversed the IT network to reach the critical infrastructure segment. What made this operation distinct was how the attackers anchored their persistence not in a standard backdoor, but inside the authentication layer itself.

China-Nexus Hackers Use Backdoored PAM Modules

Once Velvet Ant pivoted into the segregated environment, they targeted the Pluggable Authentication Module (PAM) layer, a core Linux component that handles how every service authenticates users. During the investigation, nine copies of a backdoored pam_unix.so were identified across compromised hosts. The attackers replaced the legitimate PAM module with maliciously modified versions.

Figure: Execution of ‘auditdb’ tool (Source – Sygnia)

The targeted function, pam_sm_authenticate, normally retrieves a username and password and returns success or failure. In the modified versions, this function was patched to either accept a hardcoded backdoor password, harvest credentials from legitimate authentication attempts, or both. When the backdoor password was entered, normal verification was bypassed entirely. The malicious library also overwrote the backdoor password string in memory with NULL values after the bypass, making forensic recovery harder. A custom flag was embedded to disable the attacker’s own credential and session logging, allowing the group to operate without leaving any recorded evidence of their activity.

Modified OpenSSH Binaries and Lateral Movement

Alongside the PAM manipulation, Velvet Ant deployed a modified version of GS-Netcat on internet-facing servers to establish a reverse shell to a remote C2 server. The binary was named auditd and placed in /usr/sbin/ to blend in with legitimate system utilities. To evade detection, the binary overwrote its own process name with [kauditd], masquerading as a legitimate kernel thread in process listings.
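To turn the PAM indicators above into a check a defender can actually run, here is an added example (not code from Sygnia or the article) that inspects a pam_unix.so in two ways: it parses the RPATH/RUNPATH entries from `readelf -d` output and flags any that point outside the standard library roots (both RPATH patterns listed in the report's IoCs would trip it), and it compares the module's SHA-256 against a known-good hash taken from the distribution package or a clean host. The readelf text, module bytes and baseline hash are constructed sample data; the module path, the allow-list of library roots and the X.Y.Z stand-in for the PAM version string (which the report does not give) are assumptions.

```python
"""Hunt for the backdoored pam_unix.so traits described above.

Added example, not code from Sygnia or the article. Feed it the text of
`readelf -d <path to pam_unix.so>` (the path varies by distribution) plus
the module bytes and a known-good SHA-256 taken from the distro package or
a clean host. All sample data below is constructed.
"""
import hashlib
import hmac
import re

# Library roots a distro-built PAM module may legitimately reference.
# Assumed allow-list: tune it for your fleet.
STANDARD_LIB_ROOTS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Matches the (RPATH)/(RUNPATH) rows of `readelf -d` and captures the bracketed path list.
_RPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[([^\]]*)\]")


def parse_rpaths(readelf_output: str) -> list:
    """Return every colon-separated RPATH/RUNPATH search entry, in order."""
    entries = []
    for match in _RPATH_RE.finditer(readelf_output):
        entries.extend(e for e in match.group(1).split(":") if e)
    return entries


def _under_root(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def suspicious_rpaths(entries) -> list:
    """Flag search paths outside the standard roots: relative entries such as
    'lib64' and anything under /var, /etc, /tmp and so on. A packaged
    pam_unix.so has no reason to load code from those locations."""
    return [e for e in entries if not any(_under_root(e, r) for r in STANDARD_LIB_ROOTS)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_pam_module(readelf_output: str, module_bytes: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    bad = suspicious_rpaths(parse_rpaths(readelf_output))
    if bad:
        findings.append("non-standard RPATH/RUNPATH entries: " + ", ".join(bad))
    if not hmac.compare_digest(sha256_hex(module_bytes), baseline_sha256.lower()):
        findings.append("SHA-256 does not match the packaged baseline")
    return findings


# --- constructed sample data -------------------------------------------------
CLEAN_READELF = """\
Dynamic section at offset 0x11d80 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [pam_unix.so]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib64]
"""
# Backdoored variant: carries the two RPATH patterns listed in the report's IoCs.
# X.Y.Z is a placeholder for the PAM version string, which the report does not give.
BACKDOORED_READELF = CLEAN_READELF + """\
 0x000000000000000f (RPATH)              Library rpath: [/var/lib/eth-scs/libeth.so]
 0x000000000000001d (RUNPATH)            Library runpath: [/etc/rc/Linux-PAM-X.Y.Z/libpam.libs:lib64]
"""
CLEAN_MODULE = b"\x7fELF constructed stand-in for the packaged pam_unix.so"
BACKDOORED_MODULE = b"\x7fELF constructed stand-in for a patched pam_unix.so"
BASELINE_SHA256 = sha256_hex(CLEAN_MODULE)


if __name__ == "__main__":
    for label, elf, blob in (("clean", CLEAN_READELF, CLEAN_MODULE),
                             ("backdoored", BACKDOORED_READELF, BACKDOORED_MODULE)):
        findings = audit_pam_module(elf, blob, BASELINE_SHA256)
        print(f"{label}: {'OK' if not findings else findings}")
```

On a real host the baseline hash should come from the package manager (for example the verify modes of rpm or dpkg) rather than from the host under investigation, since a replaced module can be accompanied by a tampered local database; the RPATH check is valuable precisely because it needs no baseline at all.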
To maintain persistence, the threat actor used different methods based on the server’s operating system. On newer servers running systemd, a malicious unit file was placed in /lib/systemd/system/, disguised as a Chrome service.

Figure: Decrypted credential dump (Source – Sygnia)

On older SysVinit servers, a malicious execution line was appended to startup scripts in /etc/init.d/. Velvet Ant also appended their own public keys to authorized_keys files on compromised servers, enabling persistent password-less access.

Sygnia recommended that organizations treat PAM, OpenSSH, LSASS, and privileged access paths as critical security controls. Deploying an EDR on all supported systems is essential for endpoint visibility and detection coverage. Organizations should enable high-confidence alerts for authentication or system file modifications and harden privileged access paths. Credentials should be rotated only after persistence is fully removed, and any remediation touching authentication components must include rollback options and emergency access plans to avoid locking administrators out of production systems.
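The two host-level traces that survive the tradecraft described in the last sections are a user-space process wearing a kernel-thread name and public keys that appeared in authorized_keys without a change record. The added example below (not code from Sygnia or the article) checks both: a process record is flagged when its displayed name is bracketed like a kernel thread yet it has a resolvable /proc/<pid>/exe link, a non-empty cmdline or a parent other than kthreadd, and an authorized_keys file is diffed against a baseline copy to list keys that were added. The ProcRecord fields, the sample processes and both key files are constructed; the key blobs are obviously fake and the option-prefix handling assumes option values without embedded spaces.

```python
"""Checks for the masquerading and persistence tricks described above.

Added example, not code from Sygnia or the article. It runs over process
records you collect from /proc on each host and over a baseline copy of
each account's authorized_keys; every sample record below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

KTHREADD_PID = 2  # genuine kernel threads are children of kthreadd (PID 2), which itself has PPID 0


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # readlink /proc/<pid>/exe; None when the link does not resolve (kernel threads)
    cmdline: str         # /proc/<pid>/cmdline with NULs kept; empty for kernel threads


def displayed_name(rec: ProcRecord) -> str:
    """The name `ps` prints: argv[0], or the comm in brackets when cmdline is empty."""
    if rec.cmdline:
        return rec.cmdline.split("\0")[0]
    return f"[{rec.comm}]"


def is_masquerading_kthread(rec: ProcRecord) -> bool:
    """True when a process shows a bracketed, kernel-thread-style name but has
    user-space traits: a resolvable exe link, a non-empty cmdline, or a parent
    other than kthreadd. A real kernel thread has none of those."""
    shown = displayed_name(rec)
    if not (shown.startswith("[") and shown.endswith("]")):
        return False
    genuine = rec.exe is None and not rec.cmdline and rec.ppid in (0, KTHREADD_PID)
    return not genuine


def find_masquerading(records) -> list:
    return [r for r in records if is_masquerading_kthread(r)]


# authorized_keys lines: [options] <key-type> <base64-key> [comment]
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def parse_authorized_keys(text: str) -> set:
    """Return the set of (key type, base64 blob) pairs, ignoring comments, blank
    lines and any options prefix (option values containing spaces are not handled)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i].startswith(KEY_TYPE_PREFIXES):
                keys.add((tokens[i], tokens[i + 1]))
                break
    return keys


def added_keys(baseline_text: str, current_text: str) -> set:
    """Keys present now that were not in the baseline: candidates for attacker-added access."""
    return parse_authorized_keys(current_text) - parse_authorized_keys(baseline_text)


# --- constructed sample data -------------------------------------------------
SAMPLE_PROCS = [
    ProcRecord(37, 2, "kauditd", None, ""),                                # real kernel thread
    ProcRecord(900, 1, "auditd", "/sbin/auditd", "/sbin/auditd\0"),        # real audit daemon
    ProcRecord(4127, 1, "[kauditd]", "/usr/sbin/auditd", "[kauditd]\0"),   # renamed binary as in the report
]
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDbaselineKEY admin@jump\n"
CURRENT_KEYS = BASELINE_KEYS + (
    "# added later\n"
    "no-pty,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDattackerKEY\n"
)

if __name__ == "__main__":
    for rec in find_masquerading(SAMPLE_PROCS):
        print(f"pid {rec.pid} shows as {displayed_name(rec)} but runs {rec.exe}")
    for ktype, blob in added_keys(BASELINE_KEYS, CURRENT_KEYS):
        print(f"key not in baseline: {ktype} {blob[:16]}...")
```

The process check deliberately does not trust the name alone: a real kauditd and the renamed binary print identically in `ps`, and only the /proc metadata separates them. The key diff is only as good as the baseline, so the baseline copy belongs outside the host, in configuration management or a file-integrity store, where a local attacker cannot update it alongside the file.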
Indicators of Compromise (IoCs):

File Name: pam_unix.so
    Backdoored PAM module used to bypass authentication and harvest credentials
File Name: auditd
    Malicious GS-Netcat binary placed in /usr/sbin/ to masquerade as a legitimate audit daemon
File Path: /usr/sbin/auditd
    Deployment path of the malicious reverse shell binary
File Path: /lib/systemd/system/
    Location of malicious systemd unit file disguised as a Chrome service
File Path: /etc/init.d/
    SysVinit startup script path appended with malicious execution line
File Path: /usr/share/man9/ph.man
    Storage path for encrypted credential dump files
File Path: /var/lib/eth-scs/libeth.so
    RPATH entry found in backdoored pam_unix.so variants
File Path: /etc/rc/Linux-PAM-[PAM version]/libpam.libs:lib64
    RPATH format found in backdoored pam_unix.so variants
Process Name: [kauditd]
    Disguised process name used by malicious auditd binary to mimic a kernel thread
Tool: GS-Netcat (modified)
    Modified version of the public GS-Netcat tool used as an encrypted reverse shell
Tool: SOCKS5 Perl proxy script
    Custom Perl-based SOCKS5 proxy used for lateral movement and traffic tunneling
Credential File: /usr/share/man@/ph.ph.man
    Encrypted file used to store harvested SSH and local login credentials

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

About the author: Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks.