Velvet Ant Linux Login Backdoors: Check PAM and OpenSSH

June 12, 2026 update: Linux and hosting admins should review login-stack integrity after Sygnia’s Operation Highland report described how the China-nexus group Velvet Ant replaced PAM and OpenSSH components during a long-running intrusion. The Hacker News later summarized the same report for a broader audience.

Plain-English impact: if the component that checks logins has been replaced, a normal password reset may not be enough. The attacker may still see new credentials or keep a hidden way back in until the trusted login files are restored, the host is rebuilt, or both.

This is a protect-only checklist. It does not copy indicators, modified code details, or attacker workflow. The goal is to help admins decide when to verify package integrity, isolate a host, rebuild cleanly, and rotate credentials in the right order.

Who should act

• Linux server admins responsible for SSH-accessible servers, jump boxes, monitoring systems, build hosts, or backup servers.
• Web hosts and agencies that manage customer sites from shared administrator workstations or bastion hosts.
• Critical-infrastructure and internal-network teams with Linux hosts that are treated as trusted just because they are not directly public.
• Teams that recently handled an intrusion where credential resets did not end suspicious access.

What Sygnia reported

Sygnia says its investigation found activity dating back to 2016 in an internal environment. The actor first reached internet-facing systems, moved toward a more sensitive network, and then modified the Linux authentication layer on multiple hosts. Sygnia specifically calls out replaced PAM modules and altered OpenSSH programs as part of the persistence story.

For day-to-day admins, the important lesson is not the actor name. It is the trust boundary. Login software, appliance firmware, load balancers, switches, and bastion hosts are often assumed to be reliable. Operation Highland is a reminder to verify the trust layer itself after a serious incident.

Immediate checklist

1. Inventory SSH-accessible Linux hosts. Include production servers, jump boxes, CI workers, backup hosts, admin workstations, monitoring systems, and legacy appliances with Linux underneath.
2. Check package integrity from trusted sources. Use your distribution’s package verification and package reinstall paths for PAM, OpenSSH, and related authentication packages. Do this from a trusted admin machine.
3. Treat unexpected login-stack changes as a rebuild trigger. If core authentication files do not match trusted packages, assume the host is not safe for normal administration.
4. Do not rotate passwords too early. Replace or rebuild the compromised login layer first. Then rotate passwords, SSH keys, API keys, deployment keys, and privileged tokens.
5. Review bastion and admin paths. A single jump host can expose many sites, customers, repositories, and control panels.
6. Preserve evidence before wiping high-value hosts. If this is a real incident, collect only what your incident-response process requires and keep that evidence off the suspect machine.
7. Verify after rebuild. Confirm package integrity, SSH configuration, MFA or key policy, service startup, logs, monitoring, backups, and application access before returning the host to trusted use.

Hosting admin notes

For web hosts, the risk is bigger than one Linux server. A compromised admin workstation or jump box can expose WordPress maintenance accounts, Git repositories, deployment jobs, control panels, DNS providers, storage accounts, and client application records. Build your response plan around the access the machine had, not only the machine itself.

If a hosting node or management server may be affected, plan the work like a maintenance window: confirm backups, prepare a clean replacement, drain customer traffic where possible, preserve needed evidence, rebuild from trusted media, restore only reviewed data, then rotate credentials after the clean system is in charge.

Longer-term hardening

• Monitor changes to authentication packages and SSH server files.
• Keep bastion hosts small, patched, logged, and separate from general browsing or development work.
• Use least-privilege access for deployment keys, backup accounts, and automation tokens.
• Require MFA or hardware-backed authentication where your stack supports it.
• Record known-good package baselines for high-value Linux hosts.
• Include network appliances and load balancers in incident reviews, not only servers.

Related Fix I.T. Phill reading

• Arch AUR Atomic Arch supply-chain checklist
• Cifswitch Linux kernel patch guide
• Ivanti Sentry patch guide
• Oracle PeopleSoft emergency mitigation guide

Sources

• Sygnia Operation Highland report
• The Hacker News summary
• Sygnia earlier Velvet Ant F5 research
• Sygnia Cisco Nexus advisory background

Need help checking Linux servers or jump boxes after a suspected compromise? Fix I.T. Phill can help review login-stack integrity, plan clean rebuilds, rotate exposed credentials, and harden the admin path before it touches production again.