Deep Persistence: Analyzing Velvet Ant’s Engineered Backdoors in the Authentication Stack

A sophisticated, long-term espionage campaign attributed to the China-nexus actor tracked as Velvet Ant reveals a highly engineered approach to persistence. Rather than relying on commodity malware, the actor systematically compromised the core authentication stack by deploying modified OpenSSH binaries and tampered PAM (Pluggable Authentication Modules). These modifications allow silent credential capture, real-time logging of interactive commands, and evasion of conventional security monitoring.

Uncovered during Sygnia’s Operation Highland investigation, the campaign shows a decade-long undetected presence. The actor bridged into highly segregated, air-gapped critical infrastructure networks through a deliberate, multi-stage access chain designed to survive standard remediation such as password rotation or session termination.

The Three-Phase Intrusion Lifecycle

Velvet Ant’s methodology follows a structured progression aimed at deep-network penetration:

  1. Initial Foothold & Persistence: The actor established a presence on internet-facing Linux servers using custom tooling, including a modified Netcat-based reverse shell dubbed auditdb and bespoke SOCKS5 proxy scripts. To survive reboots, these implants were wired into systemd units or SysVinit scripts, often disguised as legitimate system processes to evade detection in process lists.
  2. Network Pivoting: Using compromised Nginx web infrastructure and FastCGI wrappers, the actor executed remote binaries to bridge the gap between standard IT environments and isolated OT (Operational Technology) segments.
  3. Authentication Subversion: The final and most critical phase involved the replacement of legitimate pam_unix.so modules and OpenSSH binaries with backdoored versions.

On modern systemd-based distributions, investigators found malicious unit files located in /lib/systemd/system/, cleverly masquerading as “Chrome services” to blend into the background noise of a standard server environment.

A snippet of the malicious unit file under ‘/lib/systemd/system’ facilitating the execution of the ‘auditdb’ tool (Source: Sygnia).
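As an added example (not code from the Sygnia report or from the actor's tooling), the following Python triages systemd unit files for the traits described above: a unit absent from the golden-image inventory, an Exec binary outside the directories a server's units normally point into, or a "Chrome" name or description on a headless server that actually launches something else. The trusted-directory list, the desktop-app hints and the two sample units are assumptions constructed for the demo; the auditdb path in the sample unit is invented, not the path from the investigation.

```python
from pathlib import Path

# Directories an Exec* path on a server is expected to point into (assumption for this
# example; tune to the image). Anything else, e.g. /usr/share, /tmp, /dev/shm, deserves a look.
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/lib/", "/usr/local/sbin/")
# Words that do not belong in unit names or descriptions on a headless server (assumption).
DESKTOP_HINTS = ("chrome", "chromium", "firefox", "gnome")
EXEC_PREFIX = "-@+!:"   # systemd's special prefix characters allowed before an Exec* path


def parse_unit(text):
    """Minimal unit-file parser; keeps duplicate keys because Exec* directives may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def exec_binaries(unit):
    """First token of every Exec* directive in [Service], prefix characters stripped."""
    return [value.split()[0].lstrip(EXEC_PREFIX)
            for key, value in unit.get("Service", [])
            if key.startswith("Exec") and value]


def triage_unit(name, text, golden_units):
    """Return the reasons a unit deserves analyst attention; an empty list means nothing odd."""
    reasons = []
    unit = parse_unit(text)
    if name not in golden_units:
        reasons.append("not present in golden-image unit inventory")
    desc = " ".join(v for k, v in unit.get("Unit", []) if k == "Description").lower()
    claims_desktop = any(h in desc or h in name.lower() for h in DESKTOP_HINTS)
    for binary in exec_binaries(unit):
        if not binary.startswith(TRUSTED_BIN_DIRS):
            reasons.append(f"Exec binary outside trusted dirs: {binary}")
        if claims_desktop and not any(h in binary.lower() for h in DESKTOP_HINTS):
            reasons.append(f"name/description claims a desktop app but runs {binary}")
    return reasons


def scan_directory(unit_dir, golden_units):
    """Triage every *.service under unit_dir (e.g. /lib/systemd/system) on a live host."""
    findings = {}
    for path in sorted(Path(unit_dir).glob("*.service")):
        reasons = triage_unit(path.name, path.read_text(errors="replace"), golden_units)
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample input (not the unit files from the report): one legitimate unit and one
# that mimics the "Chrome service" disguise described above. The auditdb path is invented.
SAMPLE_UNITS = {
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n\n"
                   "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "chrome-update.service": "[Unit]\nDescription=Chrome update service\n\n"
                             "[Service]\nExecStart=/usr/share/doc/.cache/auditdb -l 8080\n"
                             "Restart=always\n",
}
GOLDEN_UNITS = {"ssh.service"}   # in practice, the unit inventory of the validated golden image

if __name__ == "__main__":
    for unit_name, unit_text in SAMPLE_UNITS.items():
        print(unit_name, triage_unit(unit_name, unit_text, GOLDEN_UNITS))
```

On a live host, `scan_directory("/lib/systemd/system", golden)` with an inventory exported from the golden image does the same over every service unit; remember that /etc/systemd/system and the user unit directories are equally valid persistence locations and should be scanned too.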

Engineered Backdoors: OpenSSH and PAM Manipulation

The core of Velvet Ant’s capability lies in the surgical modification of the authentication workflow. By replacing pam_unix.so and the OpenSSH suite (including ssh, sshd, scp, and ssh-keygen), they turned the system’s security gatekeepers into surveillance tools.

PAM Module Subversion

Forensic analysis identified nine distinct variants of backdoored pam_unix.so modules. The number of distinct builds suggests a mature, automated build pipeline behind them. Their capabilities included:

  • Authentication Bypass: Specific variants accepted a hardcoded “master” password, granting access regardless of the account’s real credential.
  • Credential Harvesting: Modules captured legitimate username/password pairs at authentication time and cached them in hidden local files.
  • Memory Obfuscation: High-level operational security (OPSEC) was observed, with modules attempting to erase backdoor-related strings from memory to frustrate memory scanners.

IDA Pro disassembly snippet showing the malicious keylogging logic embedded within the ‘SSH’ binary (Source: Sygnia).

OpenSSH Command and Credential Logging

The modified sshd binary acted as a keylogger and data exfiltrator. It recorded all interactive shell input and wrote the session logs, encrypted, to /usr/share/man9/ph/, a path chosen to resemble a man page directory. To defeat filename-based detection, each log’s name was an MD5 hash derived from the connected user and the TTY.

A snippet of a decrypted keylogging file generated by the compromised SSHD (Source: Sygnia).
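The naming scheme lends itself to a direct hunt. The Python below is an added example, not Sygnia’s tooling: given the (user, TTY) pairs taken from wtmp or `who`, it computes the MD5 candidates for each session and matches them against the directory listing. The report states only that the name is an MD5 of the user and the TTY, not how the two are joined, so the join forms tried here are assumptions; any bare 32-hex-character filename under the fake man section is reported regardless, since nothing legitimate should live there. The sample sessions are constructed.

```python
import hashlib
import os
import re

KEYLOG_DIR = "/usr/share/man9/ph"           # drop directory reported by Sygnia
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# The report says the file name is an MD5 of the user and the TTY but not how the two are
# joined, so several join forms are tried. These forms are assumptions for this example.
JOIN_FORMS = ("{u}{t}", "{u}:{t}", "{u}/{t}", "{u}_{t}", "{u} {t}", "{t}{u}")


def candidate_names(user, tty):
    """Map md5 hex digest -> the joined string that produced it, for one (user, tty) session.
    Both 'pts/0' and '/dev/pts/0' spellings of the TTY are tried."""
    ttys = {tty, tty[5:] if tty.startswith("/dev/") else "/dev/" + tty}
    out = {}
    for t in ttys:
        for form in JOIN_FORMS:
            joined = form.format(u=user, t=t)
            out[hashlib.md5(joined.encode()).hexdigest()] = joined
    return out


def hunt_keylog_names(filenames, sessions):
    """Match directory entries against the candidates for every session.
    Returns (filename, verdict, (user, tty, joined-string) or None) tuples."""
    lookup = {}
    for user, tty in sessions:
        for digest, joined in candidate_names(user, tty).items():
            lookup.setdefault(digest, (user, tty, joined))
    findings = []
    for name in filenames:
        key = name.lower()
        if key in lookup:
            findings.append((name, "md5 matches session", lookup[key]))
        elif HEX32.match(key):
            findings.append((name, "32-hex name, no session match", None))
    return findings


def hunt_directory(path, sessions):
    """Run the hunt over a real directory; an absent directory simply yields no findings."""
    if not os.path.isdir(path):
        return []
    return hunt_keylog_names(os.listdir(path), sessions)


if __name__ == "__main__":
    # Constructed sessions, the kind of pairs you would pull from wtmp or `who`.
    sessions = [("root", "pts/0"), ("admin", "pts/1")]
    print("drop directory present:", os.path.isdir(KEYLOG_DIR))
    for hit in hunt_directory(KEYLOG_DIR, sessions):
        print(hit)
```

The mere existence of /usr/share/man9/ph/ is a stronger indicator than any name match; the matching only helps attribute a log to a session when the directory is found.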

Furthermore, the implants included “attacker-only” features to facilitate seamless operations:

  • A custom -d flag that temporarily disables all logging while the attacker is active, so the operator’s own sessions leave no record.
  • An scp option that lets the process masquerade as a kernel thread in process listings.
  • The ability to disable SELinux programmatically when running with root privileges.

The Remediation Dilemma

The Velvet Ant campaign presents a unique challenge for incident responders. Traditional remediation, such as rotating passwords or deleting suspicious user accounts, is ineffective when the binary that validates those credentials is itself malicious: the rotated passwords are simply captured by the same backdoor. In fact, incorrect remediation can be more dangerous than the intrusion itself.

Sygnia warns that in highly sensitive, zero-downtime environments, replacing PAM modules or OpenSSH binaries with unverified or incorrect versions can lead to catastrophic lockout, effectively performing a self-inflicted Denial of Service (DoS) on critical infrastructure.

Defensive Recommendations

To mitigate the risk of authentication-layer compromise, organizations should adopt a “verify everything” posture regarding core system binaries:

  • File Integrity Monitoring (FIM): Implement aggressive monitoring on critical paths: the distribution’s PAM module directory (e.g. /lib/security/, /lib64/security/ or /lib/x86_64-linux-gnu/security/), the OpenSSH binaries (/usr/sbin/sshd, /usr/bin/ssh, scp and ssh-keygen), /etc/pam.d/, and the systemd unit directories used for persistence.
  • Enhanced Telemetry: Ensure that logs from isolated or air-gapped segments are relayed to a centralized, hardened SIEM via secure, one-way data diodes or approved relays.
  • Hardened Access Control: Disallow direct root SSH logins, utilize hardened jump hosts, and require named administrative accounts.
  • Immutable Infrastructure: Where possible, move toward a model of validated “golden images” for rapid, known-good recovery, ensuring that offline rollback procedures are tested and functional.
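To make the FIM and golden-image recommendations concrete, here is an added example (not the report’s or any vendor’s tooling) of a baseline check for the PAM module and OpenSSH binaries named in the sections above. The SHA-256 baseline must come from a validated golden image or offline media, not from the suspect host, because an actor with root can rewrite anything stored locally. The distribution-specific paths are assumptions; the file tree the demo builds in a temporary directory is constructed.

```python
import hashlib
import os
import shutil
import tempfile

# Where the files Velvet Ant replaced live on common distributions (assumption: adjust to the
# image). Entries that do not exist on a given distribution are skipped when snapshotting.
CRITICAL_PATHS = (
    "/lib/x86_64-linux-gnu/security/pam_unix.so",   # Debian/Ubuntu
    "/lib64/security/pam_unix.so",                  # RHEL/Fedora
    "/lib/security/pam_unix.so",
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/ssh-keygen",
)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Build a baseline {path: sha256}. Run this on the golden image, never on a suspect host."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def verify(baseline):
    """Compare live files against the baseline.
    Returns {path: 'ok' | 'MODIFIED' | 'missing' | 'symlink'}; a symlinked sshd or
    pam_unix.so is reported on its own because redirection is itself a finding."""
    status = {}
    for path, expected in baseline.items():
        if os.path.islink(path):
            status[path] = "symlink"
        elif not os.path.isfile(path):
            status[path] = "missing"
        else:
            status[path] = "ok" if sha256_file(path) == expected else "MODIFIED"
    return status


def demo():
    """Constructed demo in a temp dir: baseline three files, then swap sshd and delete ssh.
    Returns the verdicts keyed by basename."""
    d = tempfile.mkdtemp()
    try:
        originals = {"sshd": b"good sshd", "pam_unix.so": b"good pam", "ssh": b"good ssh"}
        for name, content in originals.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        baseline = snapshot(os.path.join(d, n) for n in originals)
        with open(os.path.join(d, "sshd"), "wb") as f:     # simulate a backdoored replacement
            f.write(b"backdoored sshd")
        os.remove(os.path.join(d, "ssh"))
        return {os.path.basename(p): s for p, s in verify(baseline).items()}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
    # On a real host, print the live digests so they can be compared against the golden baseline.
    for p in CRITICAL_PATHS:
        if os.path.isfile(p):
            print(sha256_file(p), p)
```

As a quick first pass the package manager’s own verification (`rpm -V openssh-server pam` or `dpkg -V openssh-server libpam-modules`) will flag a replaced binary, but the package database sits on the same disk the actor controls, so treat a clean result as unconfirmed until the hashes have been checked against an offline source.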
