Organization hit by network compromise linked to Velvet Ant
Incident
Summary
The target organization suffered a decade-long compromise of its Linux authentication stack that exposed administrative activity inside an isolated critical-infrastructure network. The intrusion, linked to Velvet Ant and to Operation Highland, began in 2016 with access through internet-facing systems. The attackers then preserved access by replacing PAM and OpenSSH components with trojanized versions that captured credentials and recorded every login and command.
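The Related Happenings and Timeline entries describe the mechanism: PAM modules and the ssh, sshd and scp binaries replaced with trojanized copies that capture credentials and log commands. The check a responder wants is whether the login stack on a host still matches a trusted baseline. On a packaged system the quick first pass is the package manager's verify mode (rpm -V on the openssh and pam packages, dpkg -V or debsums on Debian-derived systems), but that reference data lives on the same disk a root-level intruder controls, so a hash baseline taken on a known-good host and kept off-host is the stronger check. The script below is an added example, not code from the page or from the reporting it summarizes; the default path list is an assumption to adjust per distribution.

```shell
#!/bin/sh
# Added example (not from the page or the reporting it summarizes): take a
# baseline of the Linux login stack on a known-good host, then diff the live
# files against it, flagging replaced binaries (a trojanized sshd/ssh/scp),
# added PAM modules, edited PAM service files and removed files.
# LOGIN_STACK_PATHS is an assumed set of common locations; override it per
# distribution. Paths containing spaces are not handled (awk splits on blanks).

LOGIN_STACK_PATHS="${LOGIN_STACK_PATHS:-/usr/bin/ssh /usr/sbin/sshd /usr/bin/scp /usr/bin/sftp /usr/lib/openssh /usr/libexec/openssh /etc/pam.d /etc/security /lib/security /lib64/security /usr/lib/security /usr/lib64/security /usr/lib/x86_64-linux-gnu/security}"

# Portable SHA-256: coreutils sha256sum on Linux, shasum on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"
fi

# Print "sha256  path" for every regular file under the given paths, sorted.
login_stack_hashes() {
    for p in "$@"; do
        [ -e "$p" ] || continue          # skip locations absent on this distro
        find "$p" -type f -print 2>/dev/null
    done | LC_ALL=C sort | while IFS= read -r f; do
        $HASH_CMD "$f"
    done
}

# login_stack_baseline OUT [PATH...]: record hashes to OUT. Store OUT off-host
# (or on read-only media): a root-level intruder can edit a local baseline as
# easily as the binaries it is meant to protect.
login_stack_baseline() {
    out="$1"; shift
    [ $# -gt 0 ] || set -- $LOGIN_STACK_PATHS
    login_stack_hashes "$@" > "$out"
}

# login_stack_verify BASELINE [PATH...]: compare live hashes to BASELINE.
# Prints one line per finding (MODIFIED / ADDED / MISSING <path>) and
# returns 0 only when there are none.
login_stack_verify() {
    base="$1"; shift
    [ $# -gt 0 ] || set -- $LOGIN_STACK_PATHS
    cur=$(mktemp)
    login_stack_hashes "$@" > "$cur"
    findings=$(awk -v base="$base" '
        FILENAME == base { want[$2] = $1; next }   # baseline: hash by path
                         { have[$2] = $1 }         # live state: hash by path
        END {
            for (f in have) {
                if (!(f in want))            print "ADDED    " f
                else if (have[f] != want[f]) print "MODIFIED " f
            }
            for (f in want) if (!(f in have)) print "MISSING  " f
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$findings" ] || printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Run `login_stack_baseline /mnt/usb/host1.sha256` once after a clean build, and `login_stack_verify /mnt/usb/host1.sha256` on each review; a MODIFIED sshd or an ADDED pam_*.so that no package owns is exactly the artifact this campaign left behind. The result is only as trustworthy as the environment running it: a kernel-level implant can lie to userland, so for a host under suspicion boot from trusted media and hash the mounted filesystem instead.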
Related Happenings
Velvet Ant Linux login-layer persistence campaign
Campaign
H score 41
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
How related:
Velvet Ant actors also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions that captured credentials, logged commands entered during SSH sessions, and stored the collected data locally for future retrieval.
About this happening:
A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Velvet Ant Linux PAM and OpenSSH backdoor analysis
Technical Analysis
H score 32
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources 1
About this happening:
Researchers documented a long-running **Velvet Ant** compromise of **Linux PAM** and **OpenSSH** login components, exposing credential theft and covert persistence across **isolat...
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
H score 21
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score 42
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
2025 Rise in legitimate-access intrusions across enterprise sectors
Trend
H score 24
First: 01.04.2026 17:05
Last: 01.04.2026 17:05
Sources 1
About this happening:
**Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...
Timeline
- 13.06.2026 17:06 · 2 articles
Organization hit by network compromise linked to Velvet Ant
Initial Disclosure: The intrusion started in **2016** with access to **internet-facing systems**, then moved into the isolated network along a pivot path that did not depend on direct internet connectivity. Persistence was later hardened by replacing authentication components to intercept credentials and session activity.
- Chinese hackers hijack auth flow, spy on isolated network for a decade — www.bleepingcomputer.com — 13.06.2026 17:06