ctipilot.ch

Velvet Ant "Operation Highland" — decade-long Linux PAM/sshd auth-stack subversion (China-nexus)

campaign · campaign:velvet-ant-operation-highland-2026

  • Coverage timeline: 2 appearances, first 2026-06-13 → last 2026-06-14
  • Briefs: 2 (2 distinct)
  • Sources cited: 10 (4 hosts)
  • Sections touched: 2 (deep_dive, weekly_summary)
  • Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026)
     weekly_summary: Consolidated in § 7; decade-long Linux PAM/sshd subversion (Sygnia)
  2. 2026-06-13 · CTI Daily Brief — 2026-06-13
     deep_dive: Deep dive. ~10-year air-gapped persistence; nine backdoored pam_unix.so variants (magic password + credential logging) plus trojanised sshd/ssh; invisible to EDR. ATT&CK T1556.003, T1554, T1078, T1021.004, T1036.005. Detection = binary integrity (rpm -V / dpkg --verify / AIDE), not behaviour. PD-10 background: prior Cisco Nexus/F5 Velvet Ant reporting.

Where this entity is cited

  • deep_dive: 1
  • weekly_summary: 1

Source distribution

  • attack.mitre.org: 5 (50%)
  • sygnia.co: 2 (20%)
  • thehackernews.com: 2 (20%)
  • enki.co.kr: 1 (10%)

Related entities

Items in briefs about Velvet Ant "Operation Highland" — decade-long Linux PAM/sshd auth-stack subversion (China-nexus) (2)

Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

key: campaign:velvet-ant-operation-highland-2026. Sygnia's "Operation Highland" report, relayed in detail by The Hacker News on 12 June and deep-dived in the 06-13 daily, documents a China-nexus intrusion set that held covert access to an air-gapped network for nearly a decade (earliest traces ~2016) by subverting the Linux authentication stack: nine distinct backdoored pam_unix.so variants and credential-logging sshd/ssh binaries that suppress their own logging during operator sessions (The Hacker News; Sygnia — Operation Highland). The horizon framing the dailies could not give: this is the same tradecraft class as VerdantBamboo's edge-appliance persistence — long-dwell, identity/auth-layer implants on systems outside EDR coverage. The two together describe a sustained China-nexus investment in living below the endpoint-detection line. Defender watch-item: integrity-monitor PAM modules and sshd/ssh binaries against package checksums (rpm -V / dpkg --verify, AIDE/Tripwire), and treat air-gap as a latency control, not an isolation guarantee.
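The watch-item above is to check PAM modules and the sshd/ssh binaries against package checksums. The POSIX shell script below is an added example written for this page; it is not code from Sygnia's report, the brief, or any tool named in it. It wraps the package manager's own verification (rpm -V / dpkg --verify) and, because that check depends on a package database an attacker with root could also rewrite and covers only packaged files, it additionally compares each binary against a SHA-256 baseline that should be generated on a known-good host and stored off-box. The package names, the file list and the BASELINE path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Sygnia report or the brief): integrity-check the
# Linux auth stack (pam_unix.so, sshd, ssh) against package checksums and an
# independent SHA-256 baseline. All paths and package names are assumptions.

# hash_file <path>: SHA-256 hex digest, portable across sha256sum and shasum.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_baseline <path>...: print "<sha256>  <path>" lines (same shape as
# sha256sum output). Run this on a known-good host and keep the result off-box.
make_baseline() {
  for f in "$@"; do
    echo "$(hash_file "$f")  $f"
  done
}

# verify_baseline <baseline-file>: report files that are missing or whose hash
# differs from the baseline. Returns 0 when everything matches, 1 otherwise.
# Lines starting with '#' are comments.
verify_baseline() {
  status=0
  while read -r expected path; do
    [ -z "$path" ] && continue
    case "$expected" in \#*) continue ;; esac
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"
      status=1
      continue
    fi
    actual=$(hash_file "$path")
    if [ "$actual" != "$expected" ]; then
      echo "MODIFIED $path (expected $expected, got $actual)"
      status=1
    fi
  done < "$1"
  return $status
}

# package_verify: ask the package manager to verify the auth-stack packages.
# Package names below are the common RHEL/Debian ones and are assumptions for
# other distributions. Non-zero exit means at least one file differs.
package_verify() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -V pam openssh-server openssh-clients
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg --verify libpam-modules openssh-server openssh-client
  else
    echo "no rpm/dpkg found; relying on hash baseline only" >&2
    return 2
  fi
}

# Default file list for a baseline (assumed paths; adjust per distribution).
AUTH_STACK_FILES="/lib/x86_64-linux-gnu/security/pam_unix.so /usr/lib64/security/pam_unix.so /usr/sbin/sshd /usr/bin/ssh"

# Usage:
#   make a baseline on a trusted host:  sh check_authstack.sh --baseline > authstack.sha256
#   verify a suspect host:              BASELINE=authstack.sha256 sh check_authstack.sh
if [ "${1:-}" = "--baseline" ]; then
  for f in $AUTH_STACK_FILES; do
    [ -f "$f" ] && make_baseline "$f"
  done
elif [ -n "${BASELINE:-}" ]; then
  package_verify
  verify_baseline "$BASELINE"
fi
```

A baseline mismatch on pam_unix.so or sshd is a high-severity finding to confirm against the vendor package (re-download and compare) rather than against the local rpm/dpkg database, and the comparison host, not the suspect host, should hold the baseline.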

Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

ENKI WhiteHat and The Hacker News documented Kimsuky campaigns in March and April 2026 targeting South Korean military personnel and corporate entities with two malware chains (The Hacker News, 2026-05-29; ENKI WhiteHat, 2026-05-27). March chain: masquerade installers for nProtect Online Security and AhnLab Safe Transaction launch MemLoader.dll via regsvcs.exe, which downloads HTTPSpy. April chain: fake Webex meeting page delivers encrypted JavaScript (.jse extension) which stages a PowerShell downloader, ultimately installing HTTPSpy. HTTPSpy is a full-capability RAT (first observed 2022; previously used against a German defence manufacturer May–September 2024): RC4-encrypted C2, shell execution, file upload/download, screenshot capture, process injection, self-deletion. HelloDoor is a Rust-based PebbleDash variant (assessed LLM-assisted per ENKI): configurable sleep, command execution, directory traversal. C2 evasion: Kimsuky now abuses Visual Studio Code Remote Tunneling (authenticated via GitHub OAuth, registered via code --tunnel --name <name>) and Cloudflare Quick Tunnels (cloudflared.exe) — neither can be blocked by IP or domain without blocking Microsoft and Cloudflare respectively. JSONPing confirms active infections via a locally-running HTTP server, reducing exposure of attacker infrastructure. MITRE ATT&CK: T1036 (Masquerading), T1059.001 (PowerShell), T1059.007 (JavaScript), T1071 (Application Layer Protocol). Detection: hunt for regsvcs.exe as a parent of DLL loads in non-.NET-Framework contexts; alert on VS Code CLI processes with --tunnel argument from non-developer endpoints; audit GitHub OAuth app grants for unrecognised VS Code tunnel registrations; monitor cloudflared.exe on managed endpoints without prior baseline.