Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical Analysis
Summary
Researchers documented a long-running Velvet Ant compromise of Linux PAM and OpenSSH login components, exposing credential theft and covert persistence that reached even an isolated network. The attacker modified trusted sign-in software so that it accepted a secret password, recorded real credentials, and captured commands typed during sessions. The technique matters because it turns the authentication layer itself into a stealthy credential harvester and frustrates normal cleanup: the backdoor lives in the binaries the system trusts to enforce login, so rotating user passwords does not evict it.
Related Happenings
Velvet Ant Linux login-layer persistence campaign
Campaign
H score: 36
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources: 1
How related:
The earliest traces go back to 2016.
About this happening:
A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
H score: 28
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources: 1
About this happening:
The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
H score: 21
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources: 1
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Timeline
12.06.2026 21:17 · 2 articles
Velvet Ant backdoors Linux PAM and OpenSSH login components
Technical Analysis Update
Sygnia reports that Velvet Ant hid inside Linux login infrastructure by backdooring PAM and OpenSSH on targeted systems: modified PAM modules either accepted a secret password or captured real usernames and passwords, and altered OpenSSH binaries logged credentials and every command typed. The compromise reached an isolated network through internet-facing systems, and Sygnia says the earliest traces go back to 2016.
- China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade — thehackernews.com — 12.06.2026 21:17