ctipilot.ch

Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

key: campaign:velvet-ant-operation-highland-2026. Sygnia's "Operation Highland" report, relayed in detail by The Hacker News on 12 June and deep-dived in the 06-13 daily, documents a China-nexus intrusion set that held covert access to an air-gapped network for nearly a decade (earliest traces ~2016) by subverting the Linux authentication stack: nine distinct backdoored pam_unix.so variants, plus credential-logging sshd/ssh binaries that suppress their own logging during operator sessions (The Hacker News; Sygnia — Operation Highland).

The horizon framing the dailies could not give: this is the same tradecraft class as VerdantBamboo's edge-appliance persistence, namely long-dwell identity/auth-layer implants on systems outside EDR coverage. Taken together, the two describe a sustained China-nexus investment in living below the endpoint-detection line.

Defender watch-item: integrity-monitor the PAM modules and the sshd/ssh binaries against package checksums (rpm -V / dpkg --verify, AIDE/Tripwire), and treat the air gap as a latency control, not an isolation guarantee.
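One way to act on that watch-item, as an added example that is not from Sygnia or the brief: run the distribution's own verifier over the auth-relevant packages and keep only digest/size mismatches on PAM modules and ssh/sshd. The package names are the usual ones and are assumed; the sample verifier output is constructed.

```shell
#!/bin/sh
# Added example (not Sygnia's or the brief's code): verify PAM modules and the
# SSH binaries against the checksums the package manager recorded at install
# time, then reduce the output to mismatches on authentication-critical paths.
# Assumed package names: pam / openssh-* (RPM), libpam-modules / openssh-* (Debian).

# Run the distribution's verifier over the auth-relevant packages.
verify_auth_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V pam openssh-server openssh-clients 2>/dev/null
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg --verify libpam-modules openssh-server openssh-client 2>/dev/null
    else
        echo "neither rpm nor dpkg found" >&2
        return 2
    fi
    return 0
}

# Filter verifier output (stdin). Both tools print a 9-column status field:
# column 3 is '5' when the digest differs, column 1 is 'S' (rpm only) when the
# size differs; rpm prints "missing" for a file that is gone. Only PAM modules
# and ssh/sshd are kept, so mtime-only noise and unrelated paths are dropped.
flag_auth_tamper() {
    awk '
        $NF !~ /\/security\/pam_.*\.so$|\/sshd$|\/ssh$/ { next }
        $1 == "missing" { print "MISSING  " $NF; next }
        length($1) == 9 && (substr($1, 3, 1) == "5" || substr($1, 1, 1) == "S") {
            print "TAMPERED " $NF
        }'
}

# Constructed sample of rpm -V style output (one dpkg-style line) for offline use.
SAMPLE_VERIFY='S.5....T.    /usr/lib64/security/pam_unix.so
.......T.    /usr/lib64/security/pam_limits.so
S.5....T.    /usr/sbin/sshd
??5??????    /usr/bin/ssh
missing      /usr/lib64/security/pam_faillock.so
S.5....T.  c /etc/motd'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_VERIFY" | flag_auth_tamper

# Pass --live to check the running host instead.
if [ "${1:-}" = "--live" ]; then
    verify_auth_packages | flag_auth_tamper
fi
```

The package database and its checksums live on the same host, so an implant that also edits them passes this check; an AIDE/Tripwire database kept off-host, or hashes taken from the original package file, closes that gap.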