China-Nexus Hackers Backdoored PAM Modules to Bypass Authentication and Harvest Credentials
For nearly a decade, a sophisticated China-linked threat actor known as Velvet Ant has maintained an undetected cyber intrusion within a major organization’s internal network.
The campaign, now called Operation Highland, revealed a level of patience and technical depth rarely seen in publicly documented intrusions.
What made this attack particularly alarming was not just how far the attackers got, but how long they stayed hidden inside a network with no direct internet connection.
Velvet Ant did not breach this environment through a simple phishing email or brute-force attack. Instead, the group engineered a deliberate, multi-stage access chain that moved from internet-facing systems into a tightly isolated critical infrastructure network.
The attackers used publicly available tools as cover, modifying them to resemble ordinary system activity so that conventional security tooling had little to flag.
Analysts at Sygnia said in a report shared with Cyber Security News (CSN) that when their IR team began reconstructing the intrusion, the earliest forensic artifacts traced back to 2017, revealing nearly a full decade of undetected presence inside the internal network.
The investigation, named Operation Highland, exposed how Velvet Ant moved from internet-facing systems through the IT network to reach the most sensitive infrastructure segments.

Sygnia’s findings showed a consistent pattern: when detected, the group pivots to less-monitored infrastructure and rebuilds persistence from a new position.
The target network had no direct internet connectivity, which meant the attacker had to engineer a deliberate multi-stage chain to reach it. Velvet Ant staged through internet-facing systems and traversed the IT network to reach the critical infrastructure segment.
What made this operation distinct was how the attackers anchored their persistence not in a standard backdoor, but inside the authentication layer itself.
China-Nexus Hackers Use Backdoored PAM Modules
Once Velvet Ant pivoted into the segregated environment, they targeted the Pluggable Authentication Modules (PAM) layer, the Linux framework through which services such as sshd, login and sudo verify user credentials.
During the investigation, nine backdoored copies of pam_unix.so were identified across compromised hosts. On each, the attackers had replaced the legitimate module with a maliciously modified build.

The targeted function, pam_sm_authenticate, is the entry point pam_unix.so exports to the auth stack: it normally obtains the username and password through the PAM conversation, checks the password against the account's stored hash, and returns success or failure. In the modified versions this function was patched to accept a hardcoded backdoor password, to harvest credentials from legitimate authentication attempts, or both.
When the backdoor password was supplied, normal verification was bypassed entirely and the caller was authenticated as the requested user. After the bypass, the malicious library overwrote the backdoor password string in memory with null bytes, making recovery from memory dumps harder.
A custom flag embedded in the module disabled credential and session logging for the attacker's own backdoor logins, so the group's use of the backdoor did not appear in the module's own harvest records alongside the victims' logins.
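A practical first check for this kind of tampering is the module's ELF dynamic section. The IoC table on this page lists RPATH entries found in the backdoored pam_unix.so variants, and a distribution-built pam_unix.so normally has no RPATH or RUNPATH at all and links only against libpam, libcrypt, libc and a few distro-specific helpers. The script below is an added example, not Sygnia's tooling or Velvet Ant's code: it parses `readelf -d` output, flags any RPATH/RUNPATH and any NEEDED library outside an allowlist, and can run against a real file. The sample output, the libeth.so NEEDED line and the EXPECTED_NEEDED allowlist are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Hunt for a tampered pam_unix.so by inspecting its ELF dynamic section.

A distribution-built pam_unix.so normally carries no DT_RPATH/DT_RUNPATH and
links only against libpam, libcrypt, libc and a few distro-specific helpers,
so an RPATH pointing into /var/lib or an extra NEEDED library is a strong
signal that the module was rebuilt. Added example; not Sygnia's tooling.
"""
import re
import subprocess
import sys

# Constructed sample of `readelf -d` output. The RPATH value is the one from
# the IoC table on this page; the NEEDED libeth.so line is an assumption made
# for illustration, the rest is what a normal pam_unix.so links against.
SAMPLE_READELF = """
Dynamic section at offset 0x1fd40 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libeth.so]
 0x0000000000000001 (NEEDED)             Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/var/lib/eth-scs/libeth.so]
 0x000000000000000c (INIT)               0x5000
"""

# Assumption: tune this allowlist against a known-good copy from your own
# golden image; distro builds differ (libselinux, libaudit, libtirpc, ...).
EXPECTED_NEEDED = {"libpam.so.0", "libcrypt.so.1", "libcrypt.so.2", "libc.so.6",
                   "libselinux.so.1", "libaudit.so.1", "libtirpc.so.3", "libnsl.so.2"}

# Matches "(NEEDED) Shared library: [x]" and "(RPATH) Library rpath: [x]" lines;
# the greedy group keeps brackets inside the path and stops at the last ']'.
DYN_RE = re.compile(r"\((NEEDED|RPATH|RUNPATH)\)\s+.*?\[(.*)\]\s*$")


def parse_dynamic(readelf_text):
    """Extract NEEDED, RPATH and RUNPATH entries from `readelf -d` text."""
    found = {"NEEDED": [], "RPATH": [], "RUNPATH": []}
    for line in readelf_text.splitlines():
        m = DYN_RE.search(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        if tag == "NEEDED":
            found[tag].append(value)
        else:  # RPATH/RUNPATH are colon-separated search lists
            found[tag].extend(p for p in value.split(":") if p)
    return found


def findings(dyn):
    """Turn parsed entries into findings; an empty list means nothing flagged."""
    out = []
    for tag in ("RPATH", "RUNPATH"):
        for path in dyn[tag]:
            out.append(f"{tag} {path!r}: the loader resolves this module's "
                       f"dependencies from there before the system directories")
    for lib in dyn["NEEDED"]:
        if lib not in EXPECTED_NEEDED:
            out.append(f"unexpected NEEDED library {lib!r}")
    return out


def audit_pam_module(path):
    """Run readelf against a real file on disk and return its findings."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True,
                          text=True, check=True)
    return findings(parse_dynamic(proc.stdout))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        flags = audit_pam_module(sys.argv[1])
    else:  # no path given: demonstrate on the constructed sample
        flags = findings(parse_dynamic(SAMPLE_READELF))
    for f in flags:
        print("SUSPICIOUS:", f)
    if not flags:
        print("no dynamic-section anomalies; still verify the bytes with the "
              "package manager (dpkg --verify libpam-modules / rpm -V pam)")
```

Run it as `python3 pam_audit.py /lib/x86_64-linux-gnu/security/pam_unix.so` (Debian-style path; RHEL-style systems keep it under /usr/lib64/security/), and enumerate every copy with `find / -name pam_unix.so` first, since the investigation found multiple backdoored files across hosts. An RPATH is a property of these particular samples, not of the technique: a rebuilt module with no RPATH passes this check, so the package-manager hash verification suggested at the end is the check that actually decides.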
Modified OpenSSH Binaries and Lateral Movement
Alongside the PAM manipulation, Velvet Ant deployed a modified build of GS-Netcat on internet-facing servers to establish a reverse shell to a remote C2 server. The binary was named auditd and placed in /usr/sbin/ to blend in with legitimate system utilities.
To evade detection, the binary overwrote its own process name with [kauditd], mimicking the real kauditd kernel thread, which ps and similar tools display in brackets precisely because kernel threads have no command line.
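The disguise relies on how process listings render kernel threads, and the same fact exposes it: a genuine kernel thread has no executable image, so /proc/PID/exe cannot be read and /proc/PID/cmdline is empty, while a renamed user-space binary still has both. The following is an added example (not Sygnia's tooling) that applies that rule to every process in /proc; the list of kernel thread names is an assumption to extend for your kernels, and the constructed ProcView values used for testing stand in for a real process snapshot.

```python
#!/usr/bin/env python3
"""Find user-space processes posing as kernel threads.

Genuine kernel threads are children of kthreadd (PID 2) and have no
executable image: /proc/PID/exe cannot be read, /proc/PID/cmdline is empty
and ps prints their comm in brackets. A binary that renames itself to
"[kauditd]" still has an exe link and a cmdline. Added example; not Sygnia's.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Names the kernel itself uses; a userland process carrying one of these is
# suspicious even without the brackets. Assumption: extend for your kernels.
KERNEL_THREAD_NAMES = {"kauditd", "kthreadd", "ksoftirqd", "kworker", "kswapd",
                       "migration", "rcu_sched", "rcu_preempt", "kcompactd"}


@dataclass
class ProcView:
    pid: int
    comm: str              # /proc/PID/comm
    cmdline: bytes         # raw /proc/PID/cmdline, NUL separated, empty for kthreads
    exe: Optional[str]     # readlink(/proc/PID/exe); None when unreadable
    ppid: int


def display_name(p: ProcView) -> str:
    """What ps shows: argv[0] if there is a cmdline, otherwise comm."""
    if p.cmdline.strip(b"\x00"):
        return p.cmdline.split(b"\x00")[0].decode(errors="replace")
    return p.comm


def is_masquerading(p: ProcView) -> bool:
    """Kernel-thread-styled name plus a userland image = impostor."""
    name = display_name(p)
    bare = name.strip("[]").split("/")[0]           # "[kworker/0:1]" -> "kworker"
    kernel_styled = (name.startswith("[") and name.endswith("]")) or bare in KERNEL_THREAD_NAMES
    has_image = p.exe is not None or bool(p.cmdline.strip(b"\x00"))
    return kernel_styled and has_image


def read_proc(pid: int) -> ProcView:
    """Snapshot one process from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:       # kernel thread, zombie, or no permission: run as root
        exe = None
    with open(f"{base}/stat") as f:
        # "pid (comm) state ppid ..."; comm may contain spaces, so split after ')'
        ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    return ProcView(pid, comm, cmdline, exe, ppid)


def scan(pids=None) -> List[ProcView]:
    """Return every impostor among the given PIDs (default: all of /proc)."""
    if pids is None:
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    hits = []
    for pid in pids:
        try:
            p = read_proc(pid)
        except (OSError, ValueError):   # process exited mid-scan
            continue
        if is_masquerading(p):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for p in scan():
        print(f"pid={p.pid} ppid={p.ppid} name={display_name(p)!r} exe={p.exe}")
```

Run it as root: readlink on another user's /proc/PID/exe fails with EACCES for an unprivileged caller, which the code treats as "no image". The cmdline check still catches a bracketed argv[0] in that case, but only the exe link catches a process that has also wiped its command line. Cross-check any hit against its parent: real kernel threads descend from kthreadd (PID 2), and a "[kauditd]" reparented to PID 1 by a systemd unit or an init.d script is exactly what the persistence described below would produce.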
To maintain persistence, the threat actor used different methods based on the server’s operating system. On newer servers running systemd, a malicious unit file was placed in /lib/systemd/system/, disguised as a Chrome service.

On older SysVinit servers, a malicious execution line was appended to startup scripts in /etc/init.d/. Velvet Ant also appended their own public keys to authorized_keys files on compromised servers, enabling persistent password-less access.
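Of the three persistence mechanisms above, the appended authorized_keys entry is the easiest to baseline, because a key is identified by the SHA256 fingerprint of its blob (the value `ssh-keygen -lf` prints) and not by the comment field, which the attacker controls. The script below is an added example, not Sygnia's tooling: it parses authorized_keys lines including their options field, fingerprints each key and reports anything outside an approved set. The sample file, its base64 blobs and the approved set are constructed filler, not real key material. The same diff-against-a-baseline approach applies to unit files in /lib/systemd/system/ and scripts in /etc/init.d/, where the baseline is the package manager's file list.

```python
#!/usr/bin/env python3
"""Diff authorized_keys files against an allowlist of approved fingerprints.

The comment field ("root@localhost") is attacker-controlled, so keys are
identified by the SHA256 fingerprint of the key blob, the same value that
ssh-keygen -lf prints. Added example; not Sygnia's tooling.
"""
import base64
import glob
import hashlib
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample. The base64 blobs are filler, not real key material;
# the third line stands in for an appended attacker key.
SAMPLE_AUTHORIZED_KEYS = """\
# ops jump host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhvbGRzIG5vIHJlYWwga2V5IG1hdGVyaWFsLg== ops@jump
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== root@localhost
"""


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH notation (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (options, keytype, blob, comment) or None for blank/comment lines.

    authorized_keys lines are: [options] keytype base64 [comment]; options may
    contain quoted strings with spaces, which shlex handles.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    for i, tok in enumerate(toks):
        if tok.startswith(KEY_TYPES) and i + 1 < len(toks):
            return toks[:i], tok, toks[i + 1], " ".join(toks[i + 2:])
    return None


def unknown_keys(text: str, allowlist):
    """Every key whose fingerprint is not in the allowlist, with its line number."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, ktype, blob, comment = parsed
        try:
            fp = fingerprint(blob)
        except ValueError:       # malformed base64: report it rather than skip it
            fp = "INVALID"
        if fp not in allowlist:
            hits.append({"line": n, "type": ktype, "fingerprint": fp,
                         "comment": comment, "options": options})
    return hits


def scan_host(allowlist):
    """Walk the usual key locations; adjust if sshd sets AuthorizedKeysFile."""
    paths = ["/root/.ssh/authorized_keys"] + glob.glob("/home/*/.ssh/authorized_keys")
    report = {}
    for path in paths:
        try:
            with open(path) as f:
                hits = unknown_keys(f.read(), allowlist)
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    approved = {fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIGhvbGRzIG5vIHJlYWwga2V5IG1hdGVyaWFsLg==")}
    for hit in unknown_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        print(f"line {hit['line']}: unapproved {hit['type']} {hit['fingerprint']} "
              f"comment={hit['comment']!r} options={hit['options']}")
```

Build the approved set from your key-management system, not from the hosts being checked, and remember that sshd honours AuthorizedKeysFile and AuthorizedKeysCommand in sshd_config, so a host with a non-default setting needs those paths added to scan_host. Rotate keys and credentials only once hits like these, and the PAM and reverse-shell implants that feed them, have been removed, as the recommendations below spell out.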
Sygnia recommended that organizations treat PAM, OpenSSH, LSASS, and privileged access paths as critical security controls. Deploying an EDR on all supported systems is essential for endpoint visibility and detection coverage.
Organizations should enable high-confidence alerts for authentication or system file modifications and harden privileged access paths.
Credentials should be rotated only after persistence is fully removed, and any remediation touching authentication components must include rollback options and emergency access plans to avoid locking administrators out of production systems.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| File Name | pam_unix.so | Backdoored PAM module used to bypass authentication and harvest credentials |
| File Name | auditd | Malicious GS-Netcat binary placed in /usr/sbin/ to masquerade as a legitimate audit daemon |
| File Path | /usr/sbin/auditd | Deployment path of the malicious reverse shell binary |
| File Path | /lib/systemd/system/ | Location of malicious systemd unit file disguised as a Chrome service |
| File Path | /etc/init.d/ | SysVinit startup script path appended with malicious execution line |
| File Path | /usr/share/man9/ph.man | Storage path for encrypted credential dump files |
| File Path | /var/lib/eth-scs/libeth.so | RPATH entry found in backdoored pam_unix.so variants |
| File Path | /etc/rc/Linux-PAM-[PAM version]/libpam.libs:lib64 | RPATH format found in backdoored pam_unix.so variants |
| Process Name | [kauditd] | Disguised process name used by malicious auditd binary to mimic a kernel thread |
| Tool | GS-Netcat (modified) | Modified version of the public GS-Netcat tool used as an encrypted reverse shell |
| Tool | SOCKS5 Perl proxy script | Custom Perl-based SOCKS5 proxy used for lateral movement and traffic tunneling |
| Credential File | /usr/share/man@/ph.ph.man | Encrypted file used to store harvested SSH and local login credentials |