China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade


The Hacker News
Jun 12, 2026


Why It Matters

Compromising the core authentication layer gives attackers persistent, stealthy access that bypasses conventional defenses, raising the risk profile for any organization relying on Linux‑based servers. The discovery forces enterprises to rethink monitoring strategies and prioritize binary integrity checks across critical login services.

Key Takeaways

  • Velvet Ant compromised PAM and OpenSSH login modules for a decade
  • Backdoor captured credentials and command logs without visible exploits
  • Isolated networks remained vulnerable despite password resets and session kills
  • Detection requires file integrity monitoring of authentication binaries

Pulse Analysis

The intrusion underscores a growing trend where threat actors target the software supply chain rather than individual applications. By subverting PAM (Pluggable Authentication Modules) and OpenSSH—components that every Linux system trusts by default—Velvet Ant achieved a level of persistence that traditional endpoint detection tools struggle to spot. This approach mirrors earlier supply‑chain attacks on container images and firmware, where the malicious code is baked into trusted binaries, making it indistinguishable from legitimate system files during routine scans.

Velvet Ant’s tactics reflect a sophisticated understanding of operational realities. Instead of deploying noisy malware, the group quietly swapped out login binaries, embedding secret backdoors that could be toggled on demand. The attackers also leveraged an internet‑facing web server as a bridge to reach an air‑gapped segment, demonstrating that even isolated environments are vulnerable when trusted services are compromised. Movement through trusted internal services in this way bypasses perimeter defenses and renders common remediation steps, such as password rotations, ineffective, because the compromised authentication layer simply harvests the new credentials as they are used.

For security teams, the lesson is clear: integrity verification must extend to the authentication stack. Deploying file‑integrity monitoring, maintaining immutable baselines of PAM and OpenSSH binaries, and conducting regular hash comparisons can surface unauthorized changes before they are exploited. Additionally, organizations should adopt a zero‑trust mindset for privileged access, incorporating multi‑factor authentication and hardware‑based attestation for critical login services. As attackers continue to weaponize trusted infrastructure, proactive verification will become a cornerstone of resilient Linux security strategies.
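The baseline-and-compare workflow described above, as an added example that is not part of the original article: a POSIX shell script that records SHA-256 hashes of authentication binaries into a baseline and later reports any file that changed or disappeared. The binary and PAM module paths in `list_auth_binaries` are assumptions and differ by distribution; the baseline should be captured from a known-good image and kept off the host, since an attacker who can replace sshd can also rewrite a baseline stored beside it.

```shell
# Record "<sha256>  <path>" lines for every path read from stdin into baseline $1.
record_baseline() {
    baseline="$1"
    : > "$baseline"
    while IFS= read -r path; do
        [ -f "$path" ] || { echo "WARN missing $path" >&2; continue; }
        sha256sum "$path" >> "$baseline"
    done
}

# Compare every file listed in baseline $1 against disk.
# Prints MODIFIED/MISSING lines; returns 0 only if everything matches.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Assumed locations of the authentication stack; adjust for your distribution.
list_auth_binaries() {
    for p in /usr/sbin/sshd /usr/bin/login /usr/bin/su; do
        [ -f "$p" ] && echo "$p"
    done
    find /lib /lib64 /usr/lib /usr/lib64 -path '*/security/pam_*.so' -type f 2>/dev/null
}

# Typical use (run as root, baseline stored off-host):
#   list_auth_binaries | sort -u | record_baseline /mnt/secure/auth-baseline.sha256
#   verify_baseline /mnt/secure/auth-baseline.sha256 || echo "auth stack altered"
```

Where the distribution's package manager is trusted, cross-check the same files with `rpm -V openssh-server pam` or `dpkg --verify`, keeping in mind that a host-local package database can be tampered with just like a host-local baseline.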
