
Velvet Ant Linux Backdoor: Detection and Remediation of PAM and OpenSSH Compromise

Security Arsenal Team
June 13, 2026

By Senior Security Consultant, Security Arsenal

Introduction

We are tracking a highly sophisticated persistence operation attributed to the China-nexus threat group tracked by Sygnia as Velvet Ant. Unlike standard adversaries who rely on webshells or cron jobs, Velvet Ant has achieved near-unprecedented stealth by backdooring the core authentication mechanisms of Linux systems: Pluggable Authentication Modules (PAM) and OpenSSH.

By compromising the binaries responsible for user validation, the attackers have maintained access on targeted networks for close to a decade—often hiding in plain sight. Because the malware resides within the trusted login components, standard file integrity monitoring (FIM) may have been bypassed or the alerts ignored if the changes were initially mistaken for administrative updates. This is not a historical curiosity; this activity is active, current, and poses a critical risk to Linux infrastructure in 2026.

Technical Analysis

The Target: PAM (Pluggable Authentication Modules) and the OpenSSH daemon (sshd).

The Mechanism: The attack involves the modification of shared libraries used by PAM (typically found in /lib/security/ or /lib64/security/) or the sshd binary itself (/usr/sbin/sshd). This allows the actor to:

  1. Bypass Authentication: Accept a specific, hardcoded master password or certificate for any user, including root.
  2. Evade Logging: Modify the logging behavior within the authentication stack to hide successful malicious logins from auth.log or secure logs, while potentially maintaining logs for legitimate users to avoid suspicion.
  3. Persistence: Survive OS updates if the package manager does not force-overwrite modified configuration or binary files, or if the malware reinjects itself post-update.

Exploitation Status: Confirmed active exploitation. The longevity of this campaign (nearly a decade) suggests deep access to the software supply chain or extremely thorough initial compromise operations that allowed for the subversion of base OS images.

CVE Identifier: While this specific activity involves the subversion of standard software, there is no specific 2025/2026 CVE listed in the current reporting. The threat is defined by the Compromise of Integrity rather than a specific software vulnerability exploit in the traditional sense. Defenders must treat this as an Active Compromise rather than a vulnerability patch cycle.

Detection & Response

Detecting this threat requires looking beyond standard authentication logs. You must hunt for file system anomalies on the critical authentication binaries.

SIGMA Rules

The following Sigma rules focus on file modification events for the critical PAM libraries and the SSH daemon, assuming the use of File Integrity Monitoring (FIM) or Sysmon for Linux.

YAML
---
title: Velvet Ant - Suspicious Modification of OpenSSH Binary
id: 8c4e2a10-9f3b-4c1d-8a2e-1a2b3c4d5e6f
status: experimental
description: Detects modifications to the OpenSSH daemon binary, which may indicate a backdoor injection by Velvet Ant or similar actors.
references:
 - https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
author: Security Arsenal
date: 2026/06/15
tags:
 - attack.persistence
 - attack.t1554.004
logsource:
 product: linux
 category: file_event
detection:
 selection:
  TargetFilename|endswith:
   - '/usr/sbin/sshd'
   - '/usr/local/bin/sshd'
 condition: selection
falsepositives:
  - Legitimate OpenSSH updates or recompilations by system administrators
level: high
---
title: Velvet Ant - Suspicious Modification of PAM Libraries
id: 9d5f3b21-0a4c-5d2e-9b3f-2b3c4d5e6f7a
status: experimental
description: Detects modifications to PAM shared libraries (pam_unix.so, etc.), a common persistence mechanism for high-level threat actors.
references:
 - https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
author: Security Arsenal
date: 2026/06/15
tags:
 - attack.persistence
 - attack.t1554.004
logsource:
 product: linux
 category: file_event
detection:
 selection:
  TargetFilename|contains:
   - '/lib/security/'
   - '/lib64/security/'
  TargetFilename|endswith:
   - '.so'
 condition: selection
falsepositives:
  - Operating system updates (pam package updates)
  - Legitimate system administration
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for modifications to the specific directories and binaries associated with SSH and PAM. This requires Linux data ingestion via Syslog or CEF, or the DeviceFileEvents table if Microsoft Defender for Endpoint is deployed.

KQL — Microsoft Sentinel / Defender
DeviceFileEvents
| where Timestamp > ago(30d)
| where (FolderPath endswith @"/usr/sbin/sshd" or FolderPath endswith @"/usr/local/bin/sshd") or 
       (FolderPath contains @"/lib/security" and FolderPath endswith @".so") or
       (FolderPath contains @"/lib64/security" and FolderPath endswith @".so")
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc

Velociraptor VQL

Use this Velociraptor artifact to hunt for discrepancies in the file hashes of critical authentication binaries against what the package manager expects. This helps identify binaries that have been modified on disk without a corresponding package update record.

VQL — Velociraptor
-- Hunt for modified PAM and SSH binaries
SELECT 
  OSPath.Basename AS Name,
  OSPath.Path AS Path,
  Size,
  Mode.String AS Mode,
  Mtime AS ModifiedTime,
  hash(path=OSPath) AS Hash
FROM glob(globs=["/lib/security/*.so", "/lib64/security/*.so", "/usr/sbin/sshd"])
WHERE Mode.String =~ ".*rwx.*" OR Size < 10000
-- Note: Defenders should compare the resulting Hash against 
-- known good values from a clean identical OS version.
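The VQL above collects hashes but leaves the comparison against the package manager's expectations to the analyst. The following script is an added example, not part of the original advisory or of Velociraptor: on Debian/Ubuntu it reads the md5sums dpkg recorded for openssh-server and libpam-modules (the package names assumed from the remediation script further down) and reports any sshd binary or PAM module whose on-disk hash differs or which is missing.

```python
import hashlib
import os

PACKAGES = ("openssh-server", "libpam-modules")  # Debian names; adjust per distro

def is_watched(rel_path):
    """The files the advisory names: the sshd binary and the PAM modules."""
    return rel_path.endswith("sbin/sshd") or (
        "/security/" in rel_path and rel_path.endswith(".so"))

def parse_md5sums(text):
    """{relative path: md5} from dpkg's '<md5>  <path>' lines, watched files only."""
    pairs = (line.split(None, 1) for line in text.splitlines())
    return {p[1].strip(): p[0].lower() for p in pairs
            if len(p) == 2 and len(p[0]) == 32 and is_watched(p[1].strip())}

def hash_files(paths, root="/"):
    """MD5 of each relative path under root; None marks a file that cannot be read."""
    on_disk = {}
    for rel_path in paths:
        try:
            with open(os.path.join(root, rel_path), "rb") as f:
                on_disk[rel_path] = hashlib.md5(f.read()).hexdigest()
        except OSError:
            on_disk[rel_path] = None
    return on_disk

def compare(expected, on_disk):
    """(path, status, expected_md5, actual_md5) for files missing or differing."""
    findings = []
    for rel_path, want in expected.items():
        got = on_disk.get(rel_path)
        if got is None:
            findings.append((rel_path, "missing", want, None))
        elif got != want:
            findings.append((rel_path, "modified", want, got))
    return findings

def audit(info_dir="/var/lib/dpkg/info", root="/"):
    """Check each package whose md5sums file exists. Those files sit on the disk the
    attacker controls, so an empty result is a first pass; confirm against a clean host."""
    findings = []
    for pkg in PACKAGES:
        try:
            with open(os.path.join(info_dir, pkg + ".md5sums")) as f:
                expected = parse_md5sums(f.read())
        except OSError:
            continue
        findings += compare(expected, hash_files(expected, root))
    return findings
```

Run `audit()` as root on the suspect host; for RHEL the equivalent baseline is the RPM database (`rpm -V pam openssh-server`) rather than dpkg's md5sums.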

Remediation Script (Bash)

If you suspect a compromise or want to verify integrity across your fleet, use this script to force a reinstallation of the authentication packages from the trusted distribution repositories. Note: the script uses apt on Debian/Ubuntu and yum on RHEL/CentOS; adjust it for dnf or other package managers.

Bash / Shell
#!/bin/bash

# Velvet Ant Remediation: Restore PAM and OpenSSH Integrity
# Run with root privileges. Reinstalling only restores files the package manager
# owns; if the package manager, its repository configuration or the base image is
# itself subverted, rebuild the host from a trusted image instead.

set -o pipefail

LOG_FILE="/var/log/velvet_ant_remediation_$(date +%Y%m%d_%H%M%S).log"
echo "Starting remediation check at $(date)" | tee -a "$LOG_FILE"

# Detect OS Family
if [ -f /etc/debian_version ]; then
    PKG_MANAGER="apt"
    echo "Detected Debian/Ubuntu based system." | tee -a "$LOG_FILE"
elif [ -f /etc/redhat-release ]; then
    PKG_MANAGER="yum"
    echo "Detected RHEL/CentOS based system." | tee -a "$LOG_FILE"
else
    echo "Unsupported OS. Please manually verify openssh-server and pam packages." | tee -a "$LOG_FILE"
    exit 1
fi

# Function to verify and reinstall
verify_reinstall() {
    local pkg="$1"
    echo "Verifying $pkg..." | tee -a "$LOG_FILE"

    if [ "$PKG_MANAGER" = "apt" ]; then
        # Record which files differ from the package's md5sums before overwriting
        # them (dpkg -V prints nothing when the package is intact)
        dpkg -V "$pkg" 2>&1 | tee -a "$LOG_FILE"
        DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y "$pkg" 2>&1 | tee -a "$LOG_FILE"
    elif [ "$PKG_MANAGER" = "yum" ]; then
        # rpm -V lists files whose size, digest or mode differ from the RPM database
        rpm -V "$pkg" 2>&1 | tee -a "$LOG_FILE"
        yum reinstall -y "$pkg" 2>&1 | tee -a "$LOG_FILE"
    fi
}

# 1. Restore OpenSSH Server
verify_reinstall "openssh-server"

# 2. Restore PAM modules (package names vary, usually libpam-modules or pam)
if [ "$PKG_MANAGER" = "apt" ]; then
    verify_reinstall "libpam-modules"
    verify_reinstall "libpam-modules-bin"
elif [ "$PKG_MANAGER" = "yum" ]; then
    verify_reinstall "pam"
fi

echo "Remediation complete. Restarting the SSH daemon." | tee -a "$LOG_FILE"
# The unit is named sshd on RHEL/CentOS and ssh on Debian/Ubuntu
systemctl restart sshd 2>/dev/null || systemctl restart ssh
echo "SSHD restarted." | tee -a "$LOG_FILE"

Remediation

  1. Isolate Suspicious Hosts: If active modifications are detected or the backdoor is confirmed, immediately isolate the affected Linux endpoints from the network to prevent further lateral movement by the actor.

  2. Force Package Reinstallation: Do not rely on manual file replacement. Use the native package manager (e.g., apt-get install --reinstall, yum reinstall) to overwrite the compromised binaries with the vendor-signed versions from your official repositories.

  3. Audit User Accounts: Since the attackers bypassed authentication, assume all credentials on the host are compromised. Force a password reset for all local users and rotate SSH keys. Review /etc/passwd and /etc/shadow for unauthorized users or UID 0 accounts.

  4. Review PAM Configuration: Inspect /etc/pam.d/ for any unusual pam_unix.so arguments or references to unknown libraries. Backdoors often insert arbitrary control paths here.

  5. Hunt Laterally: The Velvet Ant group has maintained access for nearly a decade. Assume the compromise has spread. Check all Linux servers in the environment for the same file integrity anomalies.
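Step 4 asks for a review of /etc/pam.d/ for unusual pam_unix.so arguments and references to unknown libraries. The script below is an added example, not part of the original advisory: it parses each service file, flags modules loaded from outside the standard module directories or not installed in them, pam_unix.so arguments outside the documented option set, and pam_permit.so used with the sufficient control in the auth or account stack. The directory list and the pam_unix option list are assumptions drawn from the Linux-PAM manual and Debian's packaging; extend both for your own builds.

```python
import os
import re

MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib64/security",
               "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security")
# pam_unix options per the Linux-PAM manual plus Debian's obscure/nullok_secure (assumed list)
PAM_UNIX_ARGS = {"debug", "audit", "quiet", "nullok", "nullok_secure", "nullresetok",
                 "try_first_pass", "use_first_pass", "nodelay", "use_authtok",
                 "authtok_type", "not_set_pass", "shadow", "md5", "bigcrypt", "sha256",
                 "sha512", "blowfish", "gost_yescrypt", "yescrypt", "rounds", "broken_shadow",
                 "minlen", "no_pass_expiry", "remember", "obscure", "nis", "likeauth"}
LINE_RE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_line(line):
    """(type, control, module, args) for a rule line; None for blanks, comments, @include."""
    m = LINE_RE.match(line.split("#", 1)[0].strip())
    return (m.group(1), m.group(2), m.group(3), m.group(4).split()) if m else None

def audit_pam_config(text, installed, service="?"):
    """Findings for one pam.d file. installed: basenames of .so files in MODULE_DIRS."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if not parsed:
            continue
        typ, control, module, args = parsed
        name, where = os.path.basename(module), f"{service}:{n}"
        if "/" in module and os.path.dirname(module) not in MODULE_DIRS:
            findings.append(f"{where}: module loaded from non-standard path {module}")
        if name not in installed:
            findings.append(f"{where}: {name} is not present in any PAM module directory")
        if name == "pam_unix.so":
            for arg in args:
                if arg.split("=", 1)[0] not in PAM_UNIX_ARGS:
                    findings.append(f"{where}: undocumented pam_unix.so argument {arg!r}")
        if name == "pam_permit.so" and control == "sufficient" and typ in ("auth", "account"):
            findings.append(f"{where}: pam_permit.so short-circuits the {typ} stack")
    return findings

def installed_modules(dirs=MODULE_DIRS):
    return {f for d in dirs if os.path.isdir(d) for f in os.listdir(d) if f.endswith(".so")}

def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every service file under pam_dir against the modules installed on the host."""
    installed, findings = installed_modules(), []
    for service in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, service), errors="replace") as f:
            findings += audit_pam_config(f.read(), installed, service)
    return findings
```

A finding is a lead, not proof: a module that is present in the directory but hash-mismatched (see the dpkg check above) will pass this audit, so run both.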
