Velvet Ant Hides in PAM and OpenSSH to Turn Linux Authentication Into a Backdoor

Lily Anne

Jun 16, 2026

6 min read

TL;DR

China-linked hackers tracked as Velvet Ant reportedly backdoored Linux authentication components, including PAM and OpenSSH, to maintain stealthy access for years. The campaign shows why enterprises must treat authentication software as critical infrastructure, not just supporting system files. A Linux PAM backdoor can steal credentials or accept secret passwords, while an OpenSSH backdoor can log credentials, commands, and session activity. Password resets alone do not help if the login layer itself remains compromised.

A Linux PAM backdoor is one of the most dangerous forms of persistence because it sits on the system's trust boundary. PAM, or Pluggable Authentication Modules, is the framework that services such as sshd, login and sudo call to decide whether a user is who they claim to be. OpenSSH provides remote access and administrative sessions. When attackers compromise these components, they no longer need to defeat authentication repeatedly; they make authentication work for them.

According to reports, China-linked hackers tracked as Velvet Ant modified Linux PAM and OpenSSH components as part of a long-running intrusion campaign that reportedly dates back to 2016. Instead of dropping obvious standalone malware, the attackers altered trusted login software. This allowed them to hide inside normal authentication workflows and maintain access for years.

For enterprise security teams, the lesson is direct: identity security depends on the integrity of the software enforcing authentication.

A look into the incident

The reported campaign involved modified PAM modules and altered OpenSSH components across Linux systems. These changes turned legitimate login infrastructure into an attacker-controlled persistence layer.

Key reported activity included:

  • Backdoored PAM modules that accepted a secret password.
  • Credential-harvesting PAM components that captured real usernames and passwords during legitimate login.
  • Modified OpenSSH binaries that logged credentials and shell commands.
  • Hidden controls that allowed attackers to disable logging when they needed less exposure.
  • Relay-based access through internet-facing systems into an isolated network segment.
  • Long-term stealth inside infrastructure defenders may not routinely integrity-check.

This approach made the campaign harder to detect because authentication appeared to succeed through trusted components. Defenders looking only for external malware could miss the real persistence mechanism.

Why the Linux PAM backdoor matters

A Linux PAM backdoor compromises the mechanism that decides whether users can access a system. That makes it more dangerous than many conventional implants.

A typical malware infection may involve suspicious files, unknown processes, or unusual outbound traffic. A Linux PAM backdoor can sit inside the login flow itself. It can accept attacker-controlled passwords, collect legitimate credentials, or help attackers regain access after cleanup.

This creates three major security problems:

  • Persistent unauthorized access: a module that accepts a secret password lets the attacker log in as any user without ever holding a valid credential.
  • Credential theft at the source: a harvesting module sees the plaintext password during every legitimate login, so the attacker's copy stays current as users change passwords.
  • Remediation that backfires: if the module survives cleanup, every reset password is captured again and the attacker regains access through the same trusted path.

This is why incident response teams must verify authentication components before rotating credentials. If PAM remains compromised, password resets can simply feed fresh credentials to the attacker.
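The two checks this implies, as an added example in Bash (this is editorial example code, not Hexnode's product code and not Velvet Ant tooling): hash every installed PAM module against a manifest captured from a golden image, which is the only check that catches a replaced pam_unix.so because that attack leaves /etc/pam.d untouched, and parse a pam.d service file to flag any module outside an allowlist, which catches a dropped-in "auth sufficient" line that accepts a secret password. The module directory, pam.d file, manifest and allowlist below are constructed fixtures and assumptions so the script runs offline; on a real host, point it at /lib/security (or the distribution's multiarch equivalent), /etc/pam.d, and a manifest taken from a known-good image.

```shell
#!/bin/sh
# Added example (not Hexnode's code, not Velvet Ant tooling): audit a PAM stack two ways.
#  1. Hash each module against a golden manifest: catches a replaced pam_unix.so, which
#     leaves /etc/pam.d untouched and is invisible to a config diff.
#  2. Parse a pam.d service file and flag modules outside an allowlist: catches a
#     dropped-in "auth sufficient pam_xxx.so" line that accepts a secret password.
# All paths are a constructed fixture in a temp dir; the allowlist is an assumption for a
# Debian-style sshd stack. Adjust both for the real host.
set -u

PAM_ALLOWLIST="pam_unix.so pam_env.so pam_deny.so pam_permit.so pam_nologin.so pam_motd.so"
PAM_ALLOWLIST="$PAM_ALLOWLIST pam_mail.so pam_limits.so pam_selinux.so pam_loginuid.so"
PAM_ALLOWLIST="$PAM_ALLOWLIST pam_keyinit.so pam_systemd.so pam_umask.so"

# file_hash FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# check_manifest MANIFEST DIR: MANIFEST holds "<sha256>  <module>" lines from the golden
# image. Prints MODIFIED/MISSING/EXTRA findings; returns 0 only when DIR matches exactly.
check_manifest() {
  local manifest="$1" dir="$2" rc=0 hash name actual f
  while read -r hash name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING $name"; rc=1; continue
    fi
    actual=$(file_hash "$dir/$name")
    [ "$actual" = "$hash" ] || { echo "MODIFIED $name expected=$hash actual=$actual"; rc=1; }
  done < "$manifest"
  # Modules on disk that the golden image never shipped: a dropped-in backdoor module.
  for f in "$dir"/*.so; do
    [ -e "$f" ] || continue
    name=${f##*/}
    awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
      || { echo "EXTRA $name"; rc=1; }
  done
  return $rc
}

# check_pam_stack PAMD_FILE: flag every module in a pam.d service file that is not on the
# allowlist. Takes the first field ending in ".so", so bracket controls such as
# "[success=1 default=ignore]" parse correctly. Does not follow @include; audit those too.
check_pam_stack() {
  local file="$1" rc=0 mod
  for mod in $(awk 'NF == 0 || $1 ~ /^#/ || $1 == "@include" { next }
                    { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' "$file"); do
    mod=${mod##*/}
    case " $PAM_ALLOWLIST " in
      *" $mod "*) ;;
      *) echo "UNKNOWN_MODULE $mod in $file"; rc=1 ;;
    esac
  done
  return $rc
}

# make_fixture: build a constructed, deliberately tampered PAM tree and print its path.
make_fixture() {
  local root f
  root=$(mktemp -d)
  mkdir -p "$root/security" "$root/pam.d"
  printf 'golden pam_unix build\n' > "$root/security/pam_unix.so"
  printf 'golden pam_env build\n'  > "$root/security/pam_env.so"
  # Golden manifest recorded before tampering (on a real host: from the golden image).
  for f in pam_unix.so pam_env.so; do
    printf '%s  %s\n' "$(file_hash "$root/security/$f")" "$f"
  done > "$root/manifest"
  # Simulated intrusion: pam_unix.so replaced, extra module dropped in, sshd stack edited.
  printf 'pam_unix with a secret password check\n' > "$root/security/pam_unix.so"
  printf 'credential harvester\n' > "$root/security/pam_helper.so"
  cat > "$root/pam.d/sshd" <<'EOF'
# PAM configuration for sshd (constructed sample)
auth      sufficient pam_helper.so
auth      [success=1 default=ignore] pam_unix.so nullok
auth      required  pam_deny.so
@include  common-account
session   required  pam_loginuid.so
EOF
  echo "$root"
}

# Demo run against the fixture: expect MODIFIED pam_unix.so, EXTRA pam_helper.so and
# UNKNOWN_MODULE pam_helper.so.
FIXTURE=$(make_fixture)
if check_manifest "$FIXTURE/manifest" "$FIXTURE/security"; then echo "modules match golden manifest"; else echo "module drift detected"; fi
if check_pam_stack "$FIXTURE/pam.d/sshd"; then echo "pam.d stack clean"; else echo "pam.d stack needs attention"; fi
rm -rf "$FIXTURE"
```

The manifest check and the stack check answer different questions and both are needed: a trojaned pam_unix.so passes the stack check, and a new module added on a fresh line passes a hash check of the original files. Capture the manifest from a golden image or an offline mirror rather than from the host under investigation, since a root-level intruder can regenerate local checksums.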

How the OpenSSH backdoor increased attacker visibility

The OpenSSH backdoor reportedly gave Velvet Ant more than access. It gave visibility into administrator behavior.

Modified OpenSSH components could help attackers observe:

  • Usernames and passwords typed during access attempts.
  • Commands entered during shell sessions.
  • Administrative workflows inside the compromised environment.
  • Movement patterns across systems.
  • Sensitive operational details exposed through interactive sessions.

This kind of visibility helps attackers adapt. They can learn which systems matter, which accounts have privileges, and which commands administrators run during investigation or cleanup.

An OpenSSH backdoor also creates a serious problem for segmented environments. Even when a sensitive network has no direct internet access, attackers can bridge access through systems that do face the internet. In this case, the attackers reportedly used internet-facing systems as relay points to reach the isolated segment.

Segmentation still matters, but it cannot compensate for compromised administrative paths.

Why China-linked hackers target less-monitored infrastructure

The Velvet Ant campaign fits a broader pattern: China-linked hackers often hide inside infrastructure that organizations trust but do not monitor deeply enough.

Attackers gain an advantage when they compromise:

  • Authentication components.
  • Network appliances.
  • Remote access systems.
  • Administrative jump hosts.
  • Internal Linux servers.
  • Infrastructure connecting isolated and internet-facing environments.

These assets often sit outside the visibility of standard endpoint monitoring programs. They may run for years with limited integrity checks, irregular patching, and weaker behavioral monitoring than user endpoints.

That is exactly why a Linux PAM backdoor and an OpenSSH backdoor are so effective. They live inside software administrators expect to be present. They abuse trust rather than creating obvious noise.

What enterprises should do now

Security teams should add PAM and OpenSSH integrity checks to Linux hardening and incident response playbooks.

Start with these actions:

  • Compare PAM modules against trusted package sources or golden images. The package manager's verify mode (rpm -V pam on RHEL-family systems, dpkg -V libpam-modules on Debian-family systems) is the quickest first pass, but it trusts the local package database, which a root-level intruder can rewrite; hashes captured from a golden image or an offline mirror are the stronger reference.
  • Verify OpenSSH binaries and configuration files the same way (rpm -V openssh-server openssh-clients, or dpkg -V openssh-server openssh-client). Package verification covers shipped files; sshd_config is locally edited on most hosts, so diff it against your own baseline rather than relying on the package checksum.
  • Inspect recent changes to authentication-related files and libraries.
  • Review SSH configuration for unexpected options or modifications.
  • Audit authorized_keys files for unauthorized entries.
  • Investigate unusual SSH activity, especially from administrative systems.
  • Review internet-facing servers that can relay access into internal segments.
  • Validate authentication software before forcing password resets.
  • Rotate credentials only after restoring trusted login components.
  • Monitor for re-entry attempts after remediation.

This order matters. If defenders reset passwords before removing the Linux PAM backdoor or OpenSSH backdoor, they may give attackers new credentials.
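The SSH side of the checklist above (review sshd_config for unexpected options, audit authorized_keys for unauthorized entries) as an added example in Bash; this is editorial example code, not Hexnode's product code and not anything attributed to Velvet Ant. It flags the sshd directives that a login backdoor or a quiet weakening typically touches, and compares every public key in an authorized_keys file against an allowlist of sanctioned keys. The sshd_config, the authorized_keys file, the allowlist and the key strings in it are constructed fixtures (the key material is placeholder text, not real keys); on a real host run it against /etc/ssh/sshd_config and each account's ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not Hexnode's code, not Velvet Ant tooling): audit sshd_config and
# authorized_keys. Everything it reads is a constructed fixture written to a temp dir.
# Assumes space-separated "Directive value" lines (sshd also accepts "Directive=value").
set -u

# check_sshd_config FILE: ALERT lines are findings (return 1); REVIEW lines point the
# auditor at included files and Match blocks that must be read as well.
check_sshd_config() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    { d = tolower($1) }
    # A key-lookup program is a classic place to park an attacker key outside any file audit.
    d == "authorizedkeyscommand" { print "ALERT " $0; bad++ }
    # A key file beyond the default location is a second, easily missed door.
    d == "authorizedkeysfile" {
      for (i = 2; i <= NF; i++)
        if ($i !~ /^(%h\/)?\.ssh\/authorized_keys2?$/) { print "ALERT non-default AuthorizedKeysFile " $i; bad++ }
    }
    d == "permitrootlogin" && tolower($2) == "yes" { print "ALERT " $0; bad++ }
    d == "permitemptypasswords" && tolower($2) == "yes" { print "ALERT " $0; bad++ }
    d == "include" { print "REVIEW audit included config: " $2 }
    d == "match" { print "REVIEW conditional block: " $0 }
    END { exit bad > 0 }' "$1"
}

# check_authorized_keys FILE ALLOWLIST: ALLOWLIST holds "type base64 comment" lines for
# sanctioned keys. Any key in FILE whose "type base64" pair is not allowlisted is reported,
# together with its comment and leading option token (command=, from=, etc.). Returns 1 if
# any unauthorized key is present.
check_authorized_keys() {
  awk -v allow="$2" '
    BEGIN { while ((getline l < allow) > 0) { split(l, a, " "); ok[a[1] " " a[2]] = 1 } }
    NF == 0 || $1 ~ /^#/ { next }
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
      if (i > NF) { print "UNPARSEABLE line " NR; bad++; next }
      key = $i " " $(i + 1)
      comment = (i + 1 < NF) ? $(i + 2) : "(no comment)"
      opts = (i > 1) ? $1 : "-"
      if (!(key in ok)) { print "UNAUTHORIZED_KEY " comment " type=" $i " options=" opts; bad++ }
    }
    END { exit bad > 0 }' "$1"
}

# make_ssh_fixture: write a constructed sshd_config, authorized_keys and allowlist to a
# temp dir and print its path. Key strings are placeholder text, not real key material.
make_ssh_fixture() {
  local root
  root=$(mktemp -d)
  cat > "$root/sshd_config" <<'EOF'
# constructed sample: a hardened baseline with three quiet edits
Port 22
UsePAM yes
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /var/lib/.cache/keys
AuthorizedKeysCommand /usr/local/bin/getkeys
Include /etc/ssh/sshd_config.d/*.conf
EOF
  cat > "$root/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3FAKEadminkey00000000000000000000000000000000000000 admin@jumphost
command="/usr/local/bin/relay",no-pty ssh-rsa AAAAB3FAKEattackerkey0000000000000000000000 nobody
ssh-ed25519 AAAAC3FAKEbackupkey0000000000000000000000000000000000000 backup@ops
EOF
  cat > "$root/allowlist" <<'EOF'
ssh-ed25519 AAAAC3FAKEadminkey00000000000000000000000000000000000000 admin@jumphost
ssh-ed25519 AAAAC3FAKEbackupkey0000000000000000000000000000000000000 backup@ops
EOF
  echo "$root"
}

# Demo run: expect three ALERT lines, one REVIEW line and one UNAUTHORIZED_KEY line.
FIXTURE=$(make_ssh_fixture)
if check_sshd_config "$FIXTURE/sshd_config"; then echo "sshd_config clean"; else echo "sshd_config needs attention"; fi
if check_authorized_keys "$FIXTURE/authorized_keys" "$FIXTURE/allowlist"; then echo "keys clean"; else echo "unauthorized keys present"; fi
rm -rf "$FIXTURE"
```

Keep the key allowlist with the golden image, not on the audited host, and treat REVIEW lines as work items: a backdoor configuration can sit entirely inside an included file or a Match block, so those must be read with the same care as the main file.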

Where Hexnode helps strengthen Linux fleet integrity

Hexnode UEM can help organizations bring Linux endpoints under centralized management. It supports Linux enrollment through CLI-based workflows, allowing administrators to manage Linux devices from the Hexnode console. This matters because unmanaged Linux systems often become visibility gaps during long-running intrusions.

Hexnode UEM also supports remote custom script execution on Linux endpoints using Bash scripts. Security and IT teams can use this capability to run controlled checks across managed Linux devices.

For a Linux PAM backdoor investigation, administrators can use Hexnode UEM's Execute Custom Script action to run a validated Bash integrity-check script across managed Linux devices, instead of logging in to each host by hand.

Hexnode’s Linux OS update action also helps administrators deploy system patches, security updates, and critical fixes to managed Linux endpoints. Patching alone will not remove a maliciously replaced authentication component in every case, but consistent update management reduces exposure to known vulnerabilities that attackers may use to gain privileged access.

Hexnode UEM can also enforce Linux password policies, including password length, password age, expiration warnings, and character-class requirements. Strong password controls cannot neutralize a compromised PAM module, but they remain essential after defenders restore trusted authentication software.

Conclusion

Velvet Ant’s campaign shows that attackers do not always need to bypass authentication. They can compromise authentication itself.

A Linux PAM backdoor can turn legitimate logins into credential theft. An OpenSSH backdoor can expose commands, sessions, and administrator behavior. China-linked hackers used this approach to stay hidden because they targeted trusted components that many organizations do not inspect closely enough.

Enterprises should respond by treating PAM and OpenSSH as critical security assets. Verify them. Monitor them. Baseline them. Restore trusted components before resetting credentials. Then use centralized endpoint management and detection workflows to keep Linux authentication infrastructure visible, hardened, and accountable.

FAQs

Not always. Detection depends on file integrity checks, behavioral monitoring, and whether the backdoored module matches known signatures.

Why is OpenSSH a high-value target for attackers? OpenSSH handles remote administrative access, so compromising it can expose credentials, commands, and privileged sessions.

Lily Anne

Content writer at Hexnode. Fueled by good coffee and the occasional cat cuddle, I enjoy crafting content that informs, connects, and resonates. Nothing excites me more than knowing my words have been read, appreciated, and maybe even bookmarked.