
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

By The Hacker News · 3 min read

Sygnia attributes the attacks to a China-nexus group tracked as Velvet Ant, which backdoored Linux authentication paths by altering the PAM and OpenSSH login components that control who can sign in. The malware appears to have persisted from at least 2016 by replacing trusted login binaries, sometimes to capture real usernames and passwords and sometimes to execute hidden behavior, so standard recovery steps like password resets and session termination may fail. The same actor has previously targeted other products, including F5 BIG-IP and Cisco NX-OS. Exploitation of Cisco NX-OS tied to CVE-2024-20399 (which requires admin access) was reported as part of its persistence activity, underscoring why integrity checks for critical authentication software matter.
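As an added illustration of the integrity check the summary points to (not code from Sygnia or the article), the script below triages package-verification output in the `rpm -Va` line format and reports PAM modules and OpenSSH executables whose digest differs or which are missing. It assumes an RPM-based host; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` style output for changed login components.
# Line format: 9 attribute flags (S M 5 D L U G T P), an optional file-type
# marker (c = config file), then the path. "5" in position 3 = digest differs.

flag_auth_changes() {
    awk '
    {
        flags = $1; path = $NF
        marker = (NF >= 3) ? $2 : ""
        # Scope: PAM modules, libpam, and the OpenSSH client/server executables.
        if (path !~ "/security/pam_[^/]*\\.so$" &&
            path !~ "/libpam[^/]*\\.so" &&
            path !~ "/s?bin/(sshd|ssh)$") next
        # Config files are expected to change; binaries and modules are not.
        if (marker == "c") next
        if (flags == "missing")              print "MISSING", path
        else if (substr(flags, 3, 1) == "5") print "MODIFIED", path
    }'
}

# Constructed sample of verification output (not taken from a real host).
sample_rpm_verify() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh
..5....T.    /usr/lib64/security/pam_unix.so
missing     /usr/lib64/libpam.so.0
S.5....T.  c /etc/pam.d/system-auth
.M.......    /usr/bin/passwd
EOF
}

# On an RPM-based host: rpm -Va 2>/dev/null | flag_auth_changes
sample_rpm_verify | flag_auth_changes
```

The package database lives on the same host as the files it describes, so when the host itself is suspect, compare against a known-good copy of the packages from trusted media instead.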