A China-linked espionage group quietly lived inside an organization's most sensitive network for close to ten years before anyone noticed, according to a forensic investigation published by incident-response firm Sygnia. The intrusion, which Sygnia calls Operation Highland, is striking for two reasons: the targeted network had no direct connection to the internet, and the attacker stayed hidden by quietly rewriting the very software that handles logins.
Sygnia attributes the activity to Velvet Ant, a China-nexus actor the firm has tracked across several earlier intrusions. The earliest forensic traces in this environment date back to 2016, meaning the group maintained access for nearly a decade without being caught.
How they reached an isolated network
Because the critical network was segregated from the internet, Velvet Ant could not attack it directly. Instead, Sygnia describes a deliberate, multi-stage path: the attackers first established a foothold on internet-facing servers, then moved laterally through the corporate IT network until they reached the protected segment.
On the first hop, the group deployed a modified version of GS-Netcat, a publicly available tunneling tool, as a stealthy encrypted reverse shell. The binary was renamed auditdb and dropped into /usr/sbin/ to blend in with normal system utilities, beaconing out to a hardcoded subdomain of thc[.]org. From there they used SOCKS5 proxies to tunnel deeper into the network and abused Nginx and FastCGI as an execution path.
Turning the login system into a backdoor
The most notable part of the campaign was what the attackers did once inside. Rather than rely on a single implant that defenders could find and remove, Velvet Ant subverted the authentication stack itself. They replaced pam_unix.so (the Linux module that checks passwords) and several OpenSSH binaries with backdoored versions across multiple hosts.
That gave them two powerful capabilities: a hidden bypass to log in as any user, and a built-in keylogger that captured legitimate credentials as administrators typed them. Sygnia identified nine distinct variants of the malicious pam_unix.so module, each compiled in a separate build environment, which the firm assesses points to a well-resourced and deliberate operation. The tampered SSH binaries even carried a custom flag to switch off their own credential logging, letting the operators manage their forensic footprint during live activity.
This is the same playbook Sygnia has documented from Velvet Ant before. In earlier research the firm tied the group to the abuse of F5 BIG-IP appliances for long-term persistence and to exploitation of CVE-2024-20399, a zero-day in Cisco NX-OS, to plant a backdoor on Nexus switches. The consistent pattern: when detected, Velvet Ant pivots to less-monitored infrastructure and rebuilds.
Why it was so hard to evict
Because the attacker controlled the components that handle remote access and system administration, cleanup was unusually risky. The backdoors survived password changes and session terminations, blunting the usual containment steps. Sygnia stresses that only proactive threat hunting, rather than waiting for an alert, surfaced the activity in the first place.
What defenders should do
Sygnia's report recommends treating the authentication stack as a high-value target in its own right: monitor for unexpected changes to PAM modules and OpenSSH binaries, validate the integrity of login-related files against known-good baselines, watch for unusual outbound tunnels from internet-facing servers, and hunt for unauthorized authorized_keys entries. Organizations running segmented critical networks should not assume that isolation alone keeps an attacker out. Defanged indicator: the command-and-control channel followed the pattern %.gs.thc[.]org. Full indicators are available in the original report.
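The two file-level checks in those recommendations, integrity validation of login-related binaries against a known-good baseline and an audit of authorized_keys entries, can be scripted in a few dozen lines. The block below is an added example written for this briefing; it is not Sygnia's or IntelFusions' tooling and it is not drawn from the report. The file paths in LOGIN_CRITICAL are illustrative (real locations vary by distribution), the filesystem it checks is a constructed temporary tree, and the key blobs are constructed placeholders rather than real keys. Fingerprints are computed the way ssh-keygen -l prints them (SHA256 over the decoded key blob, base64 without padding), so the allow list can be populated from that command on a trusted host.

```python
"""Baseline integrity check for PAM/OpenSSH files plus an authorized_keys audit.

Added example, not code from the Sygnia report. Paths and sample data are constructed.
"""
import base64
import hashlib
import tempfile
from pathlib import Path

# Login-related files worth baselining. Hypothetical layout for this example;
# on a real host take the list from the package manager or a golden image.
LOGIN_CRITICAL = (
    "lib/x86_64-linux-gnu/security/pam_unix.so",
    "usr/sbin/sshd",
    "usr/bin/ssh",
)

# Constructed key blobs (valid base64 of arbitrary bytes, not real SSH keys).
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-rogue-key").decode()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relpaths=LOGIN_CRITICAL) -> dict:
    """Record known-good hashes; store the result off-host so an intruder cannot edit it."""
    return {rel: sha256_file(root / rel) for rel in relpaths}


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the live tree against the baseline and return one finding per deviation."""
    findings = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            findings.append({"path": rel, "status": "missing"})
        elif sha256_file(p) != expected:
            findings.append({"path": rel, "status": "modified"})
    return findings


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowed: set) -> list:
    """Return entries whose fingerprint is not on the approved list.

    Option-prefixed lines (e.g. 'no-pty,command="/bin/true" ssh-ed25519 AAAA... comment')
    are handled by locating the first token that looks like a key type. Options whose
    quoted value contains spaces are not parsed here.
    """
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            unknown.append({"line": line, "reason": "unparseable"})
            continue
        fp = key_fingerprint(tokens[idx + 1])
        if fp not in allowed:
            comment = " ".join(tokens[idx + 2:]) or "(no comment)"
            unknown.append({"line": line, "fingerprint": fp,
                            "comment": comment, "reason": "not in allow list"})
    return unknown


def run_demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, and audit a key file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in LOGIN_CRITICAL:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"original " + rel.encode())
        baseline = build_baseline(root)
        # Simulated deviations (constructed): one file replaced, one removed.
        (root / LOGIN_CRITICAL[0]).write_bytes(b"replaced-content")
        (root / "usr/bin/ssh").unlink()
        integrity = check_integrity(root, baseline)

    keys = (
        "# constructed authorized_keys for the demo\n"
        f"ssh-ed25519 {ADMIN_BLOB} admin@jumphost\n"
        f'no-pty,command="/bin/true" ssh-ed25519 {ROGUE_BLOB} backup\n'
    )
    unknown = audit_authorized_keys(keys, {key_fingerprint(ADMIN_BLOB)})
    return {"integrity": integrity, "unknown_keys": unknown}


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

Run the baseline step from a trusted image and keep the resulting hashes and the fingerprint allow list off the monitored host; a check that reads its reference data from a machine the attacker already controls proves nothing, which is exactly the situation the report describes.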
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.