China-Linked Velvet Ant Group Backdoored Linux Login Software for Nearly a Decade in Operation Highland
By
CybersecurityNews
Summary
Security firm Sygnia has uncovered a long-running cyber espionage campaign called Operation Highland, linked to the China-nexus threat group Velvet Ant. The group backdoored Linux PAM (Pluggable Authentication Modules) and OpenSSH components to steal credentials and maintain persistent access on isolated networks, hiding inside trusted login infrastructure rather than deploying obvious malware. The operation has been active since at least 2016, demonstrating how sophisticated adversaries can evade detection by tampering with critical system files that defenders typically trust.
Source
China-Linked Velvet Ant Group Backdoored Linux Login Software for Nearly a Decade in Operation Highland (hendryadrian.com)
Key quotes
Sygnia says China-nexus group Velvet Ant spent nearly a decade hiding inside Linux login components, backdooring PAM and OpenSSH to steal credentials and maintain access on isolated networks.
The campaign, called Operation Highland, shows how tampering with trusted infrastructure can evade normal cleanup and why defenders must verify critical system files.
Velvet Ant hid inside Linux PAM and OpenSSH components instead of using obvious malware.
The group has been active since at least 2016 and targeted isolated networks.
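The quoted point that defenders must verify critical system files is the practical takeaway of the campaign: a trojaned PAM module or sshd binary only stays hidden while nobody compares the files on disk against a known-good record. The script below is an added example, not code from Sygnia, CybersecurityNews or the Velvet Ant report. It takes a SHA-256 baseline of the PAM module directories, the pam.d configuration and the OpenSSH binaries on a host you trust, and on later runs reports modified, added and removed files. It also parses the pam.d stack files and flags any module they reference that did not exist in the baseline, because a backdoor module has to be loaded from somewhere. The watched paths are assumed Debian and Fedora locations and the function names are this example's own.

```python
"""Baseline-and-diff integrity check for Linux login components.

Added example for the Operation Highland write-up, not Sygnia's tooling.
Paths in WATCHED_FILES / WATCHED_DIRS are assumed distribution defaults.
"""
import hashlib
import json
import os
import sys
from typing import Dict, Iterable, List, Set

# Files an adversary hiding in login infrastructure is most likely to touch
# (assumed locations; adjust for the distribution in use).
WATCHED_FILES = ["/usr/sbin/sshd", "/usr/bin/ssh", "/etc/ssh/sshd_config"]
WATCHED_DIRS = ["/lib/security", "/lib64/security",
                "/usr/lib/x86_64-linux-gnu/security", "/etc/pam.d"]


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content."""
    return {path: fingerprint(data) for path, data in files.items()}


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as modified, added (absent from baseline) or removed."""
    base, cur = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
    }


def referenced_modules(config: bytes) -> Set[str]:
    """Module basenames named in a pam.d stack file.

    Handles the '-type' optional prefix, bracketed control fields such as
    [success=1 default=ignore], and skips include/substack/@include lines,
    which name another stack file rather than a module.
    """
    mods: Set[str] = set()
    for raw in config.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            continue
        i = 1  # index of the control field's last token
        if tokens[1].startswith("["):
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
        if tokens[i] in ("include", "substack"):
            continue
        if i + 1 < len(tokens):
            mods.add(os.path.basename(tokens[i + 1]))
    return mods


def modules_not_in_baseline(current: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """pam.d files that load a module whose .so was not present in the baseline."""
    known = {os.path.basename(p) for p in baseline if p.endswith(".so")}
    findings: Dict[str, List[str]] = {}
    for path, data in current.items():
        if "/pam.d/" not in path:
            continue
        unknown = sorted(referenced_modules(data) - known)
        if unknown:
            findings[path] = unknown
    return findings


def read_tree(files: Iterable[str], dirs: Iterable[str]) -> Dict[str, bytes]:
    """Read the watched files plus every regular file below the watched dirs.
    Symlinks are followed, so a swapped link target shows up as modified content."""
    found: Dict[str, bytes] = {}
    paths = [p for p in files if os.path.isfile(p)]
    for d in dirs:
        for root, _, names in os.walk(d):
            paths.extend(os.path.join(root, n) for n in names)
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                found[p] = fh.read()
    return found


def main(argv: List[str]) -> int:
    if len(argv) != 3 or argv[1] not in ("init", "check"):
        print("usage: pamcheck.py init|check baseline.json")
        return 2
    current_files = read_tree(WATCHED_FILES, WATCHED_DIRS)
    if argv[1] == "init":
        with open(argv[2], "w") as fh:
            json.dump(build_manifest(current_files), fh, indent=1)
        return 0
    with open(argv[2]) as fh:
        baseline = json.load(fh)
    report: Dict[str, object] = dict(diff_manifests(baseline, build_manifest(current_files)))
    report["unknown_pam_modules"] = modules_not_in_baseline(current_files, baseline)
    print(json.dumps(report, indent=1))
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `init` on a freshly built host and keep the resulting baseline off the machine (read-only media or a remote store), since an actor with root, as described here, can rewrite any on-host record as easily as it rewrites pam_unix.so. On package-managed hosts `rpm -V pam openssh-server` or `dpkg --verify` give a comparable file-level check against the vendor's metadata, but that metadata also lives on the same disk, which is why an off-host baseline taken from a trusted build is the stronger control.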