Velvet Ant Linux login-layer persistence campaign

Campaign
H score 36
1 unique source, 1 article

Summary

A Velvet Ant campaign was uncovered that quietly maintained access by backdooring Linux PAM and OpenSSH components, putting credential capture and command logging inside the login path. The operation used internet-facing systems as a bridge into an isolated network and left traces dating to 2016. Because the compromised software controlled authentication itself, ordinary cleanup and password resets would not reliably remove the foothold or stop reuse of stolen credentials.

Related Happenings

Velvet Ant Linux PAM and OpenSSH backdoor analysis

Technical Analysis
H score 32 · First: 12.06.2026 21:17 · Last: 12.06.2026 21:17 · Sources: 1

How related: Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in.

About this happening: Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score 16 · First: 05.06.2026 21:09 · Last: 05.06.2026 21:09 · Sources: 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

PamDOORa Linux backdoor with persistent SSH access and credential theft

Malware Activity
H score 28 · First: 08.05.2026 11:41 · Last: 08.05.2026 11:41 · Sources: 1

About this happening: The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...

Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling

Threat Actor Meta
H score 21 · First: 08.05.2026 11:41 · Last: 08.05.2026 11:41 · Sources: 1

About this happening: **darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...

Timeline

  1. 12.06.2026 21:17 2 articles · 3h ago

    Velvet Ant backdoors Linux PAM and OpenSSH login components

    Initial Disclosure

    Sygnia says Velvet Ant backdoored the PAM and OpenSSH login path on an isolated Linux network, replacing trusted authentication components to capture credentials and log commands while staging through internet-facing systems to reach internal hosts. The activity left traces dating to 2016 and showed persistence inside the authentication layer rather than through separate malware.
