A China-linked group called Velvet Ant hid inside Linux login software for nearly a decade, backdooring PAM and OpenSSH to access networks undetected. Learn how this attack works and what it means for antidetect browser users.
You might think the best way to stay hidden on a network is to hide in the shadows of poorly monitored laptops or servers. But a China-linked group called Velvet Ant took a much smarter route. They burrowed directly into the Linux login system itself, where no one ever thinks to look.
For nearly ten years, this group hid inside the PAM and OpenSSH components that control who gets access to a machine. That's like living in the front door of a house, watching every visitor come and go, while the owners never check the lock itself.
### The Hack That No One Noticed
Most security teams focus on the obvious spots. They scan for malware on desktops, watch for strange traffic on servers, and set up alarms for new user accounts. But Velvet Ant didn't need any of that. By backdooring the authentication software, they could log in anytime, as anyone, without triggering a single alert.
The network they targeted had no idea what was happening. And that's the scariest part. You can clean every file, remove every suspicious process, and still be compromised because the intruder is living in the system's core identity check.
### Why This Matters for Antidetect Browser Users
If you're using antidetect browsers for privacy or security, this story hits close to home. Antidetect browsers help you protect your digital fingerprints by masking your browser profile. But if the underlying operating system has been compromised at the login level, no browser can save you.
Think about it this way: an antidetect browser is like a disguise at a party. It changes your face, your voice, your clothes. But if someone has already broken into the building and is watching the front door, they know you're coming in no matter what you're wearing.
### How to Protect Yourself
So what can you do? Here are a few practical steps to keep your system safe from this kind of deep-level attack:
- Keep your Linux distribution updated. Security patches for PAM and OpenSSH are released regularly. Don't skip them.
- Monitor your authentication logs. If you see logins from unusual IPs or at odd hours, investigate immediately.
- Use a dedicated antidetect browser on a clean, isolated system. Don't mix your secure browsing with your daily driver OS.
- Run periodic integrity checks on critical system files. Tools like Tripwire can alert you to changes in PAM or OpenSSH binaries.
- Consider using a hardware security key for two-factor authentication. It adds a physical layer that software backdoors can't easily bypass.
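The two checks above that you can actually script, watching the authentication log for logins from unusual addresses or at odd hours, and hashing the PAM and OpenSSH files so that a silent swap shows up as a changed digest, are shown together below. This is an added example written for this post, not code from the original page or from any tool it mentions; the watchlist paths, the trusted network range, the working-hours window and the sample log lines are all assumptions or constructed data.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Files an administrator would baseline on a real host. Assumption: Debian-style
# paths; adjust to your distribution (e.g. /lib64/security on RPM-based systems).
DEFAULT_WATCHLIST = [
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/etc/pam.d/sshd",
    "/etc/pam.d/common-auth",
]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each watched path to its hash; a missing file is recorded as None so
    that a later appearance (or disappearance) also shows up as a change."""
    return {p: (sha256_file(p) if Path(p).is_file() else None) for p in paths}


def check_integrity(baseline, current):
    """Paths whose hash differs between two snapshots (modified, added or removed)."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))


def demo_integrity():
    """Constructed walk-through: baseline two fake 'binaries' in a temp dir, tamper
    with one, and return the basenames the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_sshd = Path(tmp) / "sshd"
        fake_pam = Path(tmp) / "pam_unix.so"
        fake_sshd.write_bytes(b"original sshd bytes")
        fake_pam.write_bytes(b"original pam_unix bytes")
        watch = [str(fake_sshd), str(fake_pam)]
        baseline = build_baseline(watch)
        fake_pam.write_bytes(b"original pam_unix bytes + injected credential logger")
        return [Path(p).name for p in check_integrity(baseline, build_baseline(watch))]


# Matches the syslog-style line sshd writes for a successful login, e.g.
# "Jun 14 09:12:45 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
ACCEPTED_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(lines):
    """Extract user, source IP, auth method and hour-of-day from successful-login lines."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append({
                "user": m.group("user"),
                "ip": m.group("ip"),
                "method": m.group("method"),
                "hour": int(m.group("time")[:2]),
            })
    return logins


def flag_logins(logins, trusted_nets, work_hours=range(7, 20)):
    """Return (login, reasons) pairs for logins from outside the trusted networks
    or outside normal working hours; both thresholds are policy assumptions."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for login in logins:
        reasons = []
        if not any(ipaddress.ip_address(login["ip"]) in n for n in nets):
            reasons.append("untrusted source")
        if login["hour"] not in work_hours:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((login, reasons))
    return flagged


# Constructed sample of /var/log/auth.log; addresses are documentation ranges.
SAMPLE_AUTH_LOG = [
    "Jun 14 09:12:45 gateway sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jun 14 03:02:11 gateway sshd[1301]: Accepted password for root from 203.0.113.9 port 40022 ssh2",
    "Jun 14 10:45:02 gateway sshd[1350]: Accepted password for bob from 198.51.100.7 port 40100 ssh2",
    "Jun 14 22:15:00 gateway sshd[1400]: Failed password for invalid user admin from 203.0.113.9 port 40050 ssh2",
    "Jun 14 23:30:10 gateway sshd[1420]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2",
]
TRUSTED_NETS = ["10.0.0.0/8"]  # assumption: the office/VPN range


if __name__ == "__main__":
    for login, reasons in flag_logins(parse_accepted_logins(SAMPLE_AUTH_LOG), TRUSTED_NETS):
        print(f"{login['user']}@{login['ip']} at {login['hour']:02d}:00 -> {', '.join(reasons)}")
    print("integrity changes:", demo_integrity())
```

Two caveats matter for a backdoor of this kind. A trojaned sshd or PAM module can simply decline to write the "Accepted" line, so feed the log check from a remote syslog collector rather than the host's own file, and treat an absence of alerts as no proof of anything. Likewise, store the hash baseline off the box (or compare against the distribution's package signatures), because an intruder with root can rewrite a baseline file as easily as the binary it describes.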
### The Takeaway
This attack shows that the smartest hackers don't just break in through the front door. They become the front door. And for anyone concerned about digital privacy, it's a wake-up call. Your browser profile might be pristine, but if your operating system is compromised at the root, you're still exposed.
Stay vigilant. Update your systems. And never assume that a clean desktop means a clean machine.