Every credential reset. Every session killed. The network scanned again from the inside. And still the attacker was there, watching. Not because the defender had missed a malware sample, and not because a stolen password had not been rotated fast enough. The reason was simpler and more uncomfortable: the software that was supposed to check those credentials was no longer the software defenders thought it was. It had been swapped out years before, and the replacements were quietly letting in the operator who had put them there.
That is the picture that incident-response firm Sygnia has now published of a compromise it observed inside the Linux authentication stack of one organization. Researchers found that a China-linked group Sygnia tracks as Velvet Ant replaced core login components on the target's systems with backdoored versions, then sat inside the environment for years, surviving every standard containment cycle defenders are trained to run, as reported in The Hacker News.
The mechanism is what makes the case unusual. The attackers did not drop new malware and they did not need an exploit. They performed in-place replacements of the trusted login components themselves: the Pluggable Authentication Modules (PAM), the shared libraries that Linux loads at login to decide who is allowed to sign in, and OpenSSH, the standard encrypted-login tool on most Linux servers. Once those files were backdoored, every username and password typed at a console, terminal, or SSH session flowed through attacker-controlled code. The login prompt behaved exactly as a defender would expect. The verifier behind it was no longer on the operator's side.
Sygnia's write-up, summarized by The Hacker News, describes nine distinct backdoored PAM variants in the affected environment. Some accepted a secret password that would silently authenticate anyone who knew it, regardless of whether the account existed. Others did not change behavior visibly at all. They simply recorded the real usernames and passwords being typed and handed them to the attacker, then handed the user a normal session as if nothing had happened. The same approach was used against the OpenSSH components that handle authentication, capturing credentials at the moment a user proved who they were.
That is the part that breaks the standard containment playbook. Resetting passwords, killing active sessions, scanning for known malware, rotating keys: each of these assumes the login stack is honest. If the PAM module is recording the new password as it is set, the reset is captured. If the backdoored SSH component is recording the responders' own logins, killing sessions ends the defender's investigation, not the attacker's access. The attack lives inside the verifier, so the verifier's own work is now the threat.
The earliest traces Sygnia identified go back to 2016, putting dwell time at close to a decade before the team was called in. The final target was an air-gapped network, the kind of segment that is supposed to be insulated from the public internet by the absence of any direct path. The attacker did not respect that boundary. They staged through internet-facing systems first, lived in those systems long enough to find a bridge into the air-gapped segment, and used that bridge to carry the same login-binary swap across. The air gap, in other words, was a network property. It was not a property of the software the air-gapped network was running.
The case fits a pattern Sygnia has tracked against the same actor. Earlier reporting from the firm tied Velvet Ant to the repurposing of F5 BIG-IP load balancers, internet-exposed network appliances, as command-and-control infrastructure, and to exploitation of CVE-2024-20399, a command-injection flaw in Cisco's NX-OS, the operating system on Cisco's data-center switches, which Cisco patched after Sygnia reported the exploitation. The through-line is the same: durable, boring trust anchors (login software, load balancers, switch operating systems) that nobody is treating as software at all.
That framing is the part worth taking seriously. "Login stack" sounds like a piece of infrastructure to be installed once and trusted, the way a door lock is installed once and trusted. The decade-long PAM case is a reminder that the door lock is software, and software can be replaced. The defensive response is to act as if it has been. That means integrity verification of the authentication binaries themselves, not just of the endpoints they sit on. It means monitoring PAM and OpenSSH files for unauthorized changes the way organizations already watch for changes to other system files, and doing that verification with tools and a baseline the suspect host cannot have tampered with: a hash computed by a replaced sha256sum, or compared against a baseline stored on the same box, proves nothing. It means treating login software, switch operating systems, and load-balancer appliances as untrusted by default, on the assumption that they are exactly the kind of boring, well-positioned place an operator can live for years.
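One way to implement the integrity check described above, offered here as an added example rather than anything from Sygnia's report or the article summarizing it. It records a SHA-256 manifest of the login stack and later diffs the live files against it, so a swapped PAM module, a swapped sshd, or an extra module dropped into the PAM directory all surface as drift. The paths in AUTH_PATHS are assumed typical Debian- and RHEL-family locations, and the script name and its baseline/verify interface are this example's own invention.

```shell
#!/bin/sh
# Added example (not code from Sygnia or The Hacker News): baseline and
# verify the files in the Linux login path.  AUTH_PATHS is an assumption
# about where those files live on a Debian/RHEL-family host; adjust it.
AUTH_PATHS="/usr/sbin/sshd /usr/bin/ssh /etc/ssh /etc/pam.d \
            /lib/x86_64-linux-gnu/security /lib64/security /usr/lib64/security"

# auth_baseline PATH... : print "sha256  path" for every regular file under
# the given paths, sorted so that two manifests diff line by line.
auth_baseline() {
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# auth_verify MANIFEST PATH... : recompute the manifest for PATH... and print
# every line that differs from MANIFEST.  A modified file shows up as one
# BASELINE_ONLY line plus one CURRENT_ONLY line; a dropped-in extra module
# as CURRENT_ONLY alone; a removed file as BASELINE_ONLY alone.
# Exit status 0 means no drift, 1 means drift was found.
auth_verify() {
    manifest=$1
    shift
    current=$(mktemp)
    auth_baseline "$@" > "$current"
    drift=$(diff "$manifest" "$current" \
        | sed -n 's/^< /BASELINE_ONLY /p; s/^> /CURRENT_ONLY /p')
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Command-line use (hypothetical script name):
#   sh auth-integrity.sh baseline > /mnt/readonly/auth.sha256
#   sh auth-integrity.sh verify   /mnt/readonly/auth.sha256
# The baseline must come from a state you trust (a fresh install, or hashes
# taken before the suspect period) and live where the host cannot rewrite it.
# When the host itself is suspect, run this from statically linked find and
# sha256sum on read-only media: a replaced coreutils would hide a replaced
# PAM.  Cross-check against the package manager's own verification
# (rpm -V pam openssh-server on RHEL-family hosts; debsums or dpkg -V on
# Debian-family hosts), since two independent references are harder to fool.
case "${1:-}" in
    baseline) auth_baseline $AUTH_PATHS ;;
    verify)   auth_verify "$2" $AUTH_PATHS ;;
esac
```

The diff-based comparison is deliberate: hashing only the files listed in the manifest would miss a new module that was never in the baseline, which is exactly how an additional backdoored PAM variant would arrive.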
There is a temptation to read the China-linked label and treat the campaign as a geopolitical problem, or to read the decade of dwell time and treat it as a story about inevitability. Neither framing is the one the research supports. The specific failure here is contained: the assumption that the credential checker is clean. That is a fixable assumption. Once a security team integrity-verifies the auth stack, watches the login binaries, and stops trusting the boring pieces by default, the verifier stops being a comfortable place to hide. The next operator who tries it will be operating on borrowed time, not a decade of it.