Velvet Ant
Velvet Ant is a China-linked (China-nexus) cyber espionage threat group tracked by Sygnia. Sygnia attributed a long-running intrusion campaign, dubbed Operation Highland, to Velvet Ant, reporting that the actor remained inside one organization's network for nearly a decade, with the earliest observed activity dating to 2016 or 2017. The group moved from internet-facing systems through the IT network into a segregated critical infrastructure (air-gapped) segment with no direct internet connectivity. The reporting describes Velvet Ant as focused on stealthy, long-term persistence and abuse of trusted infrastructure.

In Operation Highland, the actor backdoored core Linux authentication components, including PAM modules and OpenSSH binaries, and also appended attacker-controlled keys to authorized_keys files. The modified PAM components enabled authentication bypass via a hardcoded secret password and harvested credentials from legitimate logins; Sygnia identified nine distinct pam_unix.so variants. The trojanized OpenSSH components captured credentials, logged commands typed during SSH sessions, and stored the data encrypted on disk, with flags to suppress logging or disguise process names. Sygnia stated that this persistence survived password resets and session termination, and that remediation was difficult because replacing compromised authentication components incorrectly could lock administrators out of hosts.

Velvet Ant also used modified GS-Netcat reverse shells on exposed Linux servers, renaming the binaries to blend in and masquerading the processes as kernel threads such as [khubd] or [kauditd]. The group used systemd unit files and SysVinit scripts for persistence, a Perl SOCKS5 proxy for tunneling and lateral movement, modified Nginx configurations, and a custom binary that established SSH connections into protected networks when triggered via HTTP requests. Reporting also notes the use of reverse SSH tunnels and shells as encrypted command-and-control channels.
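The kernel-thread masquerade described above ([khubd], [kauditd]) is detectable from properties a genuine kernel thread always has and a renamed user-space binary cannot fake: a real kernel thread is kthreadd (PID 2) or one of its children, its /proc/PID/cmdline is empty (which is why ps prints it in brackets), and /proc/PID/exe does not resolve to a file. The following triage script is an added example, not code from Sygnia or Mallory; the process table it runs on is constructed, and the read_proc helper for live Linux hosts is an assumption about /proc layout, not something the reporting describes.

```python
"""Flag user-space processes that masquerade as Linux kernel threads.

Added example; not Sygnia's or Mallory's code. Heuristic: real kernel
threads are kthreadd (PID 2) or its children, have an empty cmdline, and
have no resolvable /proc/<pid>/exe. A renamed binary that prints as
[khubd] or [kauditd] fails at least one of these checks.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

KTHREADD_PID = 2


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, at most 15 chars
    cmdline: str         # /proc/<pid>/cmdline, NUL-separated; "" for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when it cannot be resolved

    def display_name(self) -> str:
        """Name as ps would show it: argv[0], or [comm] when cmdline is empty."""
        return self.cmdline.split("\0")[0] if self.cmdline else f"[{self.comm}]"


def masquerade_reasons(p: Proc) -> List[str]:
    """Checks a bracket-named process fails; an empty list means the process
    is consistent with a real kernel thread (or is not claiming to be one)."""
    name = p.display_name()
    if not (name.startswith("[") and name.endswith("]")):
        return []  # ordinary user process, not claiming to be a kernel thread
    reasons = []
    if p.cmdline:
        reasons.append("non-empty cmdline (kernel threads have none)")
    if p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd")
    if p.exe:
        reasons.append(f"backed by executable {p.exe}")
    return reasons


def find_masquerading(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> failed checks for every process that looks like an impostor."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}


def read_proc() -> List[Proc]:
    """Collect the same fields from a live Linux /proc (assumed layout; not
    used by the constructed sample below)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            with open(f"/proc/{pid}/stat") as f:
                # ppid is the 2nd field after the ")"-terminated comm (comm may contain spaces)
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # kernel thread, or not ours to inspect
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited mid-scan or is not readable
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


# Constructed process table: two real kernel threads, one daemon, two impostors.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", "", None),
    Proc(15, 2, "kauditd", "", None),
    Proc(1042, 1, "sshd", "/usr/sbin/sshd\0-D", "/usr/sbin/sshd"),
    Proc(4123, 1, "khubd", "[khubd]", "/usr/lib/.cache/khubd"),
    Proc(4300, 1, "kauditd", "[kauditd]", "/dev/shm/kauditd (deleted)"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

On the constructed table the two bracket-named processes with a parent of PID 1, a populated cmdline and a backing executable are reported, while kthreadd and its child pass every check. The cmdline test alone is decisive on a real host, since user space has no way to make /proc/PID/cmdline empty while still running code.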
Additional activity attributed to Velvet Ant includes abuse of F5 BIG-IP appliances for persistence, including a modified /etc/rc.local file, and the use of custom tools VELVETSTING and VELVETTAP on compromised F5 devices. Sygnia also linked the actor to exploitation of Cisco NX-OS CVE-2024-20399 to plant the VELVETSHELL backdoor on Cisco Nexus switches and gain arbitrary command execution after authentication.

On Windows systems, the reporting attributes to Velvet Ant the use of DLL search order hijacking, a malicious DLL named iviewers.dll masquerading as the legitimate OLE/COM Object Viewer component, PlugX deployment, process injection into multiple svchost.exe processes, WMI-based remote execution via wmiexec.py, SMB and administrative shares for tool transfer, and firewall modification with netsh.exe to open random high-numbered listener ports. The group also attempted to disable local security tools and EDR software. The reporting further associates Velvet Ant with masquerading techniques, including process name masquerading on Linux, and with the use of encrypted communications and reverse SSH for command and control. No additional aliases or sub-groups are provided in the source content beyond Velvet Ant itself.
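The authorized_keys tampering noted in the profile above (attacker-controlled keys appended to existing files) survives password resets by design, so a key-level baseline is the check that catches it. The audit below is an added example, not Sygnia's or Mallory's code: it parses the OpenSSH authorized_keys format (optional options field, key type, base64 blob, comment), computes OpenSSH-style SHA256 fingerprints, and reports entries whose fingerprint is not in an approved set. The key blobs, hostnames and baseline are constructed for the demo; the fingerprint form matches what `ssh-keygen -lf` prints, so a real baseline can be built from that output.

```python
"""Audit authorized_keys files against a baseline of approved key fingerprints.

Added example, not code from Sygnia or Mallory. Keys, hostnames and the
baseline are constructed. Fingerprints use OpenSSH's
SHA256:<base64 without padding> form.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, List, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class Entry:
    line_no: int
    options: List[str]
    key_type: str
    blob_b64: str
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire-format blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(blob_b64: str) -> str:
    """Key type string stored inside the blob (first RFC 4253 string field)."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def _split_outside_quotes(text: str, is_sep: Callable[[str], bool]) -> List[str]:
    """Split on separator characters, ignoring separators inside double quotes
    (options such as from="10.0.0.0/8" or command="..." may contain them)."""
    parts, cur, in_quote = [], [], False
    for i, c in enumerate(text):
        if c == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        if not in_quote and is_sep(c):
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    return parts


def parse_authorized_keys(text: str) -> List[Entry]:
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t for t in _split_outside_quotes(line, str.isspace) if t]
        if tokens[0].startswith(KEY_TYPE_PREFIXES):
            options, rest = [], tokens              # no options field
        else:
            options = _split_outside_quotes(tokens[0], lambda c: c == ",")
            rest = tokens[1:]
        if len(rest) < 2:
            raise ValueError(f"line {line_no}: malformed authorized_keys entry")
        entries.append(Entry(line_no, options, rest[0], rest[1], " ".join(rest[2:])))
    return entries


def audit_authorized_keys(text: str, baseline: Set[str]) -> List[dict]:
    """Report entries that are not in the baseline or whose blob does not match
    the declared type; forced commands on unknown keys are called out too."""
    findings = []
    for e in parse_authorized_keys(text):
        fp = fingerprint(e.blob_b64)
        reasons = []
        if fp not in baseline:
            reasons.append("fingerprint not in baseline")
            forced = [o for o in e.options if o.startswith("command=")]
            if forced:
                reasons.append(f"forced command {forced[0]}")
        if embedded_key_type(e.blob_b64) != e.key_type:
            reasons.append("declared key type does not match blob")
        if reasons:
            findings.append({"line": e.line_no, "fingerprint": fp,
                             "comment": e.comment, "reasons": reasons})
    return findings


def _ed25519_blob(seed: bytes) -> str:
    """Constructed demo blob in OpenSSH wire format; the 32 key bytes are fake."""
    body = b"ssh-ed25519"
    fake_key = hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(body)) + body + struct.pack(">I", 32) + fake_key
    return base64.b64encode(raw).decode()


ALICE, BACKUP, ROGUE, ROGUE2 = (_ed25519_blob(s) for s in (b"alice", b"backup", b"rogue-1", b"rogue-2"))

# Constructed sample file: two approved keys, then two appended by an intruder.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample file
ssh-ed25519 {ALICE} alice@workstation
from="10.0.0.0/8",no-pty ssh-ed25519 {BACKUP} backup@bastion

ssh-ed25519 {ROGUE} root@localhost
command="/var/tmp/.cache/kauditd",no-agent-forwarding ssh-ed25519 {ROGUE2}
"""
BASELINE = {fingerprint(ALICE), fingerprint(BACKUP)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {f['line']} {f['fingerprint']} {f['comment']!r}: {'; '.join(f['reasons'])}")
```

Run against every authorized_keys file on a host (root's and each user's, plus any AuthorizedKeysFile path set in sshd_config) with a baseline exported from the approved key inventory, this reports only keys that were never approved; the declared-type check additionally catches blobs that have been edited by hand.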
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
49 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Associated vulnerabilities
8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.
The same actor had earlier abused F5 BIG-IP appliances. It also exploited CVE-2024-20399, a Cisco NX-OS zero-day, to plant the VELVETSHELL backdoor on Nexus switches.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.
3 more CVEs tied to this actor tracked in Mallory.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as an example of a threat actor using process name masquerading to hide malware processes under non-suspicious names.
Referenced as an example of a threat group using process name masquerading to hide malware processes under benign-looking names.
Long-term stealth intrusion campaign involving persistence on internet-facing servers, lateral movement through IT networks, and access into a segregated critical infrastructure segment. The group used backdoored PAM modules, trojanized OpenSSH binaries, covert proxies, and infrastructure pivots to maintain access and evade detection.
Long-term intrusion campaign dubbed Operation Highland involving stealthy movement from internet-facing systems into a segregated critical infrastructure network, persistence via backdoored PAM modules, credential harvesting, modified OpenSSH-related access paths, and covert lateral movement.