Velvet Ant Embedded Modified PAM and OpenSSH Binaries on Air-Gapped Networks Since 2016

The operation centered on direct binary substitution rather than new implants. Attackers compiled backdoored PAM versions that accepted a hardcoded master password or silently logged successful authentications, then mirrored the tactic on sshd to capture keystrokes and session data. Because the components sat inside the authentication path itself, standard containment steps such as password rotation or session termination were ineffective. Staging occurred through an internet-exposed web server that relayed commands into the air-gapped zone. Evidence includes nine separate PAM builds recovered across multiple hosts, consistent modification timestamps aligned with administrative activity, and matching OpenSSH alterations that included a runtime toggle to disable logging. The same actor previously repurposed F5 BIG-IP devices in 2024 and exploited CVE-2024-20399 on Cisco Nexus switches for persistence, demonstrating a deliberate shift toward firmware and trusted-system layers that receive minimal integrity verification. This pattern reveals supply-chain risk inside open-source login components that standard EDR and vulnerability scanners overlook because no external exploit is required after initial access. Unlike the XZ Utils incident, which triggered rapid community response, Operation Highland received limited coverage despite affecting the authentication root of trust on production systems. Defenders must now baseline and continuously diff PAM and OpenSSH binaries against known-good builds rather than relying on signature detection or network indicators. Failure to do so leaves any subsequent credential change immediately visible to the implant.