China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

China-nexus group Velvet Ant compromised Linux login systems (PAM and OpenSSH) to maintain hidden access for nearly a decade.

• •Attackers replaced trusted login programs with backdoored copies instead of deploying new malware, appearing as normal administration
• •Compromised PAM modules enabled unauthorized access via secret passwords and quietly recorded real usernames and passwords
• •OpenSSH programs were altered to log credentials and commands with a hidden switch to disable logging
• •Attackers reached isolated networks by using internet-facing systems as bridges to bypass direct internet restrictions
• •Mitigation requires integrity verification of PAM and OpenSSH against known-good copies rather than patching alone