Linux Hackers Hid in Login System for Nearly a Decade


China-linked hackers hid in Linux login software for nearly a decade by backdooring PAM and OpenSSH components. Sygnia uncovered the Velvet Ant operation, showing how attackers can compromise core authentication systems to stay hidden.

You'd think the best way to stay hidden on a network is to avoid the parts everyone watches. But a group linked to China took a different approach: they hid right inside the login system itself. For close to ten years, the group known as Velvet Ant burrowed into the Linux Pluggable Authentication Modules (PAM) and OpenSSH components. These are the gatekeepers that decide who gets in. By backdooring them, the attackers planted access that standard cleanup tools couldn't reach.

Security firm Sygnia uncovered the operation. The group targeted a network that had no obvious weak spots in the usual places. Instead of hiding on laptops or servers that defenders monitor closely, they chose the very software that handles logins. It's a clever, if unsettling, strategy.

### How the Attack Worked

The attackers modified PAM and OpenSSH source code. These are core parts of Linux that handle authentication. Think of them as the locks on your front door. The hackers didn't pick the lock; they replaced the lock itself with one they controlled.

- **PAM Backdoor**: PAM manages how users authenticate. The backdoor let the attackers bypass normal password checks.
- **OpenSSH Backdoor**: OpenSSH handles secure remote logins. The modification allowed them to log in with a secret password.

Once inside, they could move freely. The system treated them as legitimate users. Standard security scans wouldn't flag them because the login process looked normal.

### Why This Matters

This attack is a reminder that even trusted software can be compromised. It's not about finding a vulnerability; it's about changing the rules of the game. The hackers didn't exploit a bug; they rewrote the code.

For professionals using antidetect browsers, this is a wake-up call. Your tools are only as safe as the systems they run on. If the login software is compromised, no browser can protect you. This is why keeping your operating system and critical software up to date is essential.
### What You Can Do

Here are some practical steps to stay safe:

- **Monitor critical files**: Use file integrity monitoring tools to catch unauthorized changes to PAM and OpenSSH.
- **Audit logs regularly**: Look for unusual login patterns or unexpected access.
- **Use multi-factor authentication**: Even if someone has a backdoor, MFA adds an extra layer.
- **Keep systems patched**: Updates often fix the holes attackers use.
- **Consider hardware security modules**: They can protect authentication keys.

### The Bigger Picture

This attack shows that advanced threat actors think differently. They don't just look for weak spots; they create them. By targeting the very systems that control access, they can stay hidden for years.

For antidetect browser users, this means understanding that your digital footprint is only as secure as your underlying infrastructure. If you're running on a compromised system, your browser's protections don't matter.

The takeaway is simple: security is layered. Don't rely on one tool. Protect your operating system, your network, and your software. And always question what's running beneath the surface.

Stay vigilant. The hackers are always finding new ways in.
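The first step above, monitoring PAM and OpenSSH files for unauthorized changes, as an added example that is not from the article or from Sygnia: a baseline-and-compare integrity check that hashes the watched files and reports anything added, removed or altered. The paths in `WATCHED_PATHS` are assumptions for a Debian-style layout, and `demo()` runs the check against a constructed temporary directory standing in for the PAM module directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed Debian-style locations of PAM config, PAM modules, sshd and its config.
WATCHED_PATHS = ["/etc/pam.d", "/lib/x86_64-linux-gnu/security",
                 "/usr/sbin/sshd", "/etc/ssh/sshd_config"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths) -> dict:
    """Hash, permission bits and size of every regular file under the given paths."""
    result = {}
    for raw in paths:
        p = Path(raw)
        if not p.exists():
            continue
        files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
        for f in files:
            st = f.stat()
            result[str(f)] = {"sha256": sha256_of(f),
                              "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was recorded."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in set(baseline) & set(current)
                               if baseline[k] != current[k])}


def demo() -> dict:
    """Constructed scenario: baseline a stand-in PAM module directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        mod_dir = Path(tmp) / "security"
        mod_dir.mkdir()
        (mod_dir / "pam_unix.so").write_bytes(b"\x7fELF original module")
        baseline = json.loads(json.dumps(snapshot([mod_dir])))  # round-trip as stored JSON
        (mod_dir / "pam_unix.so").write_bytes(b"\x7fELF replaced module")  # swapped-in module
        (mod_dir / "pam_extra.so").write_bytes(b"\x7fELF dropped module")  # unexpected new file
        diff = compare(baseline, snapshot([mod_dir]))
        return {k: [Path(v).name for v in names] for k, names in diff.items()}
```

Keep the baseline JSON off the host and compare from a trusted machine, since anyone able to replace sshd or a PAM module can rewrite a baseline stored beside them. On packaged systems, `dpkg --verify` or `rpm -V` gives a second opinion against the distribution's own file hashes.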