Chinese hackers maintained access to critical network for a decade

Researchers have uncovered a long-running cyber-espionage campaign, dubbed ‘Operation Highland,’ linked to the Chinese threat group tracked as Velvet Ant. According to incident response firm Sygnia, the attackers maintained access to a large organization's network for nearly 10 years, including an isolated critical infrastructure environment.

The intrusion began in 2016 with the compromise of vulnerable internet-facing systems. After gaining an initial foothold, the attackers deployed a modified GS-Netcat reverse shell disguised as a legitimate system component. The malware provided encrypted remote access and achieved persistence through malicious systemd services or modified startup scripts.

Velvet Ant then installed a custom SOCKS5 proxy, allowing compromised servers to act as internal pivot points and enabling movement across the network. The proxy masqueraded as the Linux process ‘smbd -D’ and used a different filename and port on each host to avoid detection.

One of the campaign's most notable techniques involved bridging access into an isolated network with no direct internet connection. The attackers modified Nginx configurations on compromised servers to forward specially crafted requests through a chain of backend services. A FastCGI process ultimately launched a custom tool called ‘uptime,’ which established SSH connections into the isolated environment based on parameters received through HTTP requests.

Once inside, Velvet Ant replaced legitimate Linux PAM (Pluggable Authentication Modules) components with backdoored versions of pam_unix.so that could both steal credentials and accept hardcoded passwords. Sygnia found nine separate variants of the malicious PAM modules.

The attackers also trojanized OpenSSH components, including ssh, sshd, and scp. The modified binaries captured usernames and passwords, logged commands executed during SSH sessions, and stored collected data for later retrieval.

By compromising both PAM and OpenSSH, Velvet Ant gained full visibility into authentication activity and administrative actions across the environment. Researchers noted that remediation was particularly challenging because the attackers had replaced numerous critical system components. Removing the malicious files risked breaking authentication services, locking administrators out of systems, and causing operational disruptions.
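Two of the techniques above leave artifacts a defender can check for directly: a process whose command line claims to be ‘smbd -D’ but whose executable is not the packaged Samba binary, and PAM or OpenSSH files whose hashes no longer match a known-good baseline. The script below is an added example written for this article, not Sygnia's tooling; the file paths, the `EXPECTED_EXE` map and the `demo()` scenario are assumptions (a typical Debian layout and constructed sample data).

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed locations for the components the campaign replaced or impersonated
# (typical Debian layout; adjust for your distribution).
EXPECTED_EXE = {"smbd": "/usr/sbin/smbd"}
CRITICAL_FILES = ["/lib/x86_64-linux-gnu/security/pam_unix.so",
                  "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp"]

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(paths, root="/"):
    """Record hashes of known-good files (run on a trusted host or clean image)."""
    return {p: sha256_file(Path(root) / p.lstrip("/")) for p in paths}

def verify_baseline(baseline, root="/"):
    """Return paths that are missing or whose hash no longer matches the baseline."""
    bad = []
    for rel, expected in baseline.items():
        p = Path(root) / rel.lstrip("/")
        if not p.is_file() or sha256_file(p) != expected:
            bad.append(rel)
    return bad

def find_masquerading(procs):
    """procs: dicts with pid, args (cmdline) and exe (readlink of /proc/<pid>/exe).
    Flag a process whose command line claims a known daemon name but whose
    executable is not the packaged binary, as with the proxy posing as 'smbd -D'."""
    hits = []
    for p in procs:
        claimed = (p["args"].split() or [""])[0].rsplit("/", 1)[-1]
        expected = EXPECTED_EXE.get(claimed)
        if expected and p["exe"].replace(" (deleted)", "") != expected:
            hits.append((p["pid"], claimed, p["exe"]))
    return hits

def demo():
    """Constructed scenario: a clean baseline, then sshd swapped for a trojan."""
    root = tempfile.mkdtemp()
    for rel in CRITICAL_FILES:
        f = Path(root) / rel.lstrip("/"); f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"genuine " + rel.encode())
    baseline = build_baseline(CRITICAL_FILES, root)
    (Path(root) / "usr/sbin/sshd").write_bytes(b"trojanized sshd")
    procs = [{"pid": 1, "args": "/usr/sbin/smbd -D", "exe": "/usr/sbin/smbd"},
             {"pid": 4242, "args": "smbd -D", "exe": "/var/tmp/.x/smbd"}]
    return verify_baseline(baseline, root), find_masquerading(procs)
```

On a live host, feed `find_masquerading` the cmdline and exe link of each entry under /proc, and take the baseline from a trusted image rather than the suspect machine, since the report describes the package-owned binaries themselves being replaced.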
