China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass
By Tushar Subhra Dutta
June 15, 2026
A sophisticated China-linked threat actor known as Velvet Ant has been running a long-term cyber intrusion inside a major organization’s internal network, going undetected for nearly a decade.
The campaign, now called Operation Highland, revealed a level of patience and technical depth rarely seen in publicly documented intrusions.
What made this attack particularly alarming was not just how far the attackers got, but how long they stayed hidden inside a network with no direct internet connection.
Velvet Ant did not breach this environment through a simple phishing email or brute-force attack. Instead, the group engineered a deliberate, multi-stage access chain that moved from internet-facing systems into a tightly isolated critical infrastructure network.
The attackers used publicly available tools as cover and modified them to blend in with normal activity, making detection nearly impossible using conventional security tools.
Analysts at Sygnia said in a report shared with Cyber Security News (CSN) that when their IR team began reconstructing the intrusion, the earliest forensic artifacts traced back to 2017, revealing nearly a full decade of undetected presence inside the internal network.
The investigation, named Operation Highland, exposed how Velvet Ant moved from internet-facing systems through the IT network to reach the most sensitive infrastructure segments.
Snippet from IDA showing the usage of GS-Netcat (Source – Sygnia)
Sygnia’s findings showed a consistent pattern: when detected, the group pivots to less-monitored infrastructure and rebuilds persistence from a new position.
The target network had no direct internet connectivity, which meant the attacker had to engineer a deliberate multi-stage chain to reach it. Velvet Ant staged through internet-facing systems and traversed the IT network to reach the critical infrastructure segment.
What made this operation distinct was how the attackers anchored their persistence not in a standard backdoor, but inside the authentication layer itself.
China-Nexus Hackers Use Backdoored PAM Modules
Once Velvet Ant pivoted into the segregated environment, they targeted the Pluggable Authentication Module (PAM) layer, a core Linux component that handles how every service authenticates users.
During the investigation, nine backdoored copies of pam_unix.so were identified across compromised hosts. The attackers had replaced the legitimate PAM module with maliciously modified versions.
Execution of ‘auditdb’ tool (Source – Sygnia)
The targeted function, pam_sm_authenticate, normally retrieves a username and password and returns success or failure. In the modified versions, this function was patched to either accept a hardcoded backdoor password, harvest credentials from legitimate authentication attempts, or both.
When the backdoor password was entered, normal verification was bypassed entirely. After the bypass, the malicious library also overwrote the backdoor password string in memory with null bytes, making forensic recovery of it from memory harder.
A custom flag was embedded to disable the attacker’s own credential and session logging, allowing the group to operate without leaving any recorded evidence of their activity.
Modified OpenSSH Binaries and Lateral Movement
Alongside the PAM manipulation, Velvet Ant deployed a modified version of GS-Netcat on internet-facing servers to establish a reverse shell to a remote C2 server. The binary was named auditd and placed in /usr/sbin/ to blend in with legitimate system utilities.
To evade detection, the binary overwrote its own process name with [kauditd], masquerading as a legitimate kernel thread in process listings.
To maintain persistence, the threat actor used different methods based on the server’s operating system. On newer servers running systemd, a malicious unit file was placed in /lib/systemd/system/, disguised as a Chrome service.
Decrypted credential dump (Source – Sygnia)
On older SysVinit servers, a malicious execution line was appended to startup scripts in /etc/init.d/. Velvet Ant also appended their own public keys to authorized_keys files on compromised servers, enabling persistent password-less access.
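Two of the tells described in this section can be checked mechanically: a user-space binary posing as the kernel thread kauditd, and a systemd unit that launches something called auditd under an unrelated name. A genuine kernel thread has no executable image, so /proc/<pid>/exe does not resolve, and its /proc/<pid>/cmdline is empty (that emptiness is the only reason ps prints it in brackets). A process that rewrote its own name to "[kauditd]" keeps its exe link and its argv, so those two fields separate the two. The following hunt helpers are an added example written for this article, not Sygnia's tooling; the KTHREAD_NAMES set, the Proc record layout and the rule that an auditd binary should only be started by auditd.service are assumptions of the example. The check functions take plain records so they can be run over constructed data; read_proc and read_units gather those records from a live host.

```python
"""Added hunt helpers (example code, not Sygnia's): fake kernel threads and
systemd units that start an auditd binary under another name."""
import os
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: str         # /proc/<pid>/cmdline with NULs turned into spaces
    exe: Optional[str]   # readlink of /proc/<pid>/exe, None if it does not resolve


def read_proc(proc_root="/proc"):
    """Collect Proc records from a live /proc tree (unreadable entries are skipped)."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("latin-1").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None          # kernel threads land here
        except OSError:
            continue
        out.append(Proc(int(name), comm, cmdline, exe))
    return out


# Assumption of this example: kernel-thread names worth watching for imitators.
KTHREAD_NAMES = {"kauditd"}


def find_fake_kthreads(procs):
    """Return procs that claim a kernel-thread name but carry an image or argv."""
    hits = []
    for p in procs:
        claimed = (p.comm.strip("[]") in KTHREAD_NAMES
                   or p.cmdline.strip("[] ") in KTHREAD_NAMES)
        if claimed and (p.exe is not None or p.cmdline):
            hits.append(p)
    return hits


EXECSTART = re.compile(r"^ExecStart=[-@:+!]*(\S+)", re.M)


def find_suspicious_units(units):
    """units: iterable of (unit_name, unit_text) pairs.

    Flags a unit that starts a binary named auditd from anything other than
    auditd.service (assumed rule), and any unit named after a desktop browser,
    which has no business on a server."""
    hits = []
    for name, text in units:
        reasons = []
        m = EXECSTART.search(text)
        if m and os.path.basename(m.group(1)) == "auditd" and name != "auditd.service":
            reasons.append(f"starts auditd binary {m.group(1)} from {name}")
        if "chrome" in name.lower():
            reasons.append("browser-named unit on a server")
        if reasons:
            hits.append((name, reasons))
    return hits


def read_units(unit_dir="/lib/systemd/system"):
    """Yield (name, text) for every .service file in unit_dir."""
    for name in sorted(os.listdir(unit_dir)):
        if name.endswith(".service"):
            with open(os.path.join(unit_dir, name), errors="replace") as f:
                yield name, f.read()


if __name__ == "__main__":
    for p in find_fake_kthreads(read_proc()):
        print(f"fake kernel thread: pid={p.pid} comm={p.comm!r} exe={p.exe} argv={p.cmdline!r}")
    for name, reasons in find_suspicious_units(read_units()):
        print(f"suspicious unit {name}: " + "; ".join(reasons))
```

Run it as root on a Linux host to scan the live /proc and /lib/systemd/system; the unit check deliberately keys on the ExecStart binary rather than the unit name alone, because the report's malicious binary shares its name and directory with the legitimate audit daemon.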
Sygnia recommended that organizations treat PAM, OpenSSH, LSASS, and privileged access paths as critical security controls. Deploying an EDR on all supported systems is essential for endpoint visibility and detection coverage.
Organizations should enable high-confidence alerts for authentication or system file modifications and harden privileged access paths.
Credentials should be rotated only after persistence is fully removed, and any remediation touching authentication components must include rollback options and emergency access plans to avoid locking administrators out of production systems.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| File Name | pam_unix.so | Backdoored PAM module used to bypass authentication and harvest credentials |
| File Name | auditd | Malicious GS-Netcat binary placed in /usr/sbin/ to masquerade as a legitimate audit daemon |
| File Path | /usr/sbin/auditd | Deployment path of the malicious reverse shell binary |
| File Path | /lib/systemd/system/ | Location of malicious systemd unit file disguised as a Chrome service |
| File Path | /etc/init.d/ | SysVinit startup script path appended with malicious execution line |
| File Path | /usr/share/man9/ph.man | Storage path for encrypted credential dump files |
| File Path | /var/lib/eth-scs/libeth.so | RPATH entry found in backdoored pam_unix.so variants |
| File Path | /etc/rc/Linux-PAM-[PAM version]/libpam.libs:lib64 | RPATH format found in backdoored pam_unix.so variants |
| Process Name | [kauditd] | Disguised process name used by malicious auditd binary to mimic a kernel thread |
| Tool | GS-Netcat (modified) | Modified version of the public GS-Netcat tool used as an encrypted reverse shell |
| Tool | SOCKS5 Perl proxy script | Custom Perl-based SOCKS5 proxy used for lateral movement and traffic tunneling |
| Credential File | /usr/share/man@/ph.ph.man | Encrypted file used to store harvested SSH and local login credentials |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
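Two of the IoCs above are RPATH strings found inside the backdoored pam_unix.so variants. A distribution-built pam_unix.so normally carries no DT_RPATH or DT_RUNPATH entry at all, so any such entry in a PAM module is a strong signal on its own, independent of file hashes, and should be confirmed against a known-good copy from the package manager. The script below is an added example (not Sygnia's tooling) that lists the DT_NEEDED, DT_RPATH and DT_RUNPATH entries of an ELF64 shared object by reading the ELF header, walking the program headers to PT_DYNAMIC, and translating the DT_STRTAB virtual address to a file offset through the PT_LOAD segments. Because it runs offline, it builds a small synthetic ELF in-line as constructed test data; build_sample_elf and the RPATH value it embeds (taken from the IoC table) are part of the example, not a real module.

```python
"""Added example (not Sygnia's tooling): report NEEDED/RPATH/RUNPATH entries
from an ELF64 shared object, e.g. a pam_unix.so pulled off a host."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
TAG_NAMES = {DT_NEEDED: "NEEDED", DT_RPATH: "RPATH", DT_RUNPATH: "RUNPATH"}


def _cstr(data, off):
    """Read a NUL-terminated string from data at off."""
    return data[off:data.index(b"\0", off)].decode("latin-1")


def inspect_dynamic(data):
    """Return [(tag_name, string)] for NEEDED/RPATH/RUNPATH entries of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:       # EI_CLASS 2 == ELF64
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 little, 2 big endian
    e_phoff = struct.unpack_from(e + "Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(e + "IIQQQQ", data, off)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                                     # no dynamic section: nothing to report

    def vaddr_to_off(va):
        for v, o, sz in loads:
            if v <= va < v + sz:
                return o + (va - v)
        raise ValueError("DT_STRTAB address outside any PT_LOAD segment")

    entries = []
    d_off, d_size = dynamic
    for pos in range(d_off, d_off + d_size, 16):      # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from(e + "qQ", data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_va = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_va is None:
        return []
    strtab_off = vaddr_to_off(strtab_va)
    return [(TAG_NAMES[t], _cstr(data, strtab_off + v)) for t, v in entries if t in TAG_NAMES]


def has_rpath(data):
    """True if the image carries any RPATH or RUNPATH entry."""
    return any(name in ("RPATH", "RUNPATH") for name, _ in inspect_dynamic(data))


def build_sample_elf(rpath=None, needed=("libc.so.6",)):
    """Constructed test data: a minimal little-endian ELF64 ET_DYN with one
    PT_LOAD mapping the whole file at vaddr 0 and one PT_DYNAMIC segment."""
    strtab = b"\0"
    def add(s):
        nonlocal strtab
        off = len(strtab)
        strtab += s.encode() + b"\0"
        return off
    dyn = [(DT_NEEDED, add(n)) for n in needed]
    if rpath is not None:
        dyn.append((DT_RPATH, add(rpath)))
    hdr_size, phdr_size = 64, 56
    dyn_off = hdr_size + 2 * phdr_size
    dyn_len = (len(dyn) + 2) * 16                     # + DT_STRTAB + DT_NULL
    str_off = dyn_off + dyn_len
    dyn += [(DT_STRTAB, str_off), (DT_NULL, 0)]       # vaddr == file offset here
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    total = str_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, hdr_size, 0, 0,
                        hdr_size, phdr_size, 2, 64, 0, 0)
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         dyn_len, dyn_len, 8)
    return ehdr + ph_load + ph_dyn + dyn_bytes + strtab


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                             # demo on the constructed sample
        data = build_sample_elf(rpath="/var/lib/eth-scs/libeth.so")
    for name, value in inspect_dynamic(data):
        print(f"{name:8s} {value}")
    print("RPATH/RUNPATH present:", has_rpath(data))
```

Point it at a real module with `python3 elfdyn.py /lib/x86_64-linux-gnu/security/pam_unix.so` (path varies by distribution); with no argument it runs on the constructed sample. Pairing this with `dpkg -V libpam-modules` or `rpm -V pam` covers both the known RPATH indicators and any other byte-level tampering with the module.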
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.