
Hackers Hide in Linux Login Gateways, Persisting for a Decade
A China-linked group known as Velvet Ant spent nearly a decade quietly compromising the Linux login stack (PAM and OpenSSH), replacing trusted login binaries with backdoors that harvest credentials and commands and, in some cases, accept secret passwords. They first breached internet-facing systems to reach an isolated network, then lurked inside the login process itself, making containment difficult. The operation adds to the group's history of targeting infrastructure such as F5 BIG-IP appliances and Cisco NX-OS devices (CVE-2024-20399). The recommended defense is integrity-based: monitor and compare PAM/OpenSSH binaries and key files against known-good copies, test replacements in a lab, and perform careful cleanup before resets. Patching alone won’t suffice when the login layer itself is compromised.













