Velvet Ant Cyberespionage Campaign Hits Isolated Networks
Operation Highland, a sophisticated, decade-long cyberespionage campaign orchestrated by the Chinese state-sponsored threat group Velvet Ant, was recently revealed. According to the Sygnia researchers who discovered it, the group maintained deep persistence within an isolated critical infrastructure network of a large, unnamed organization since 2016. This highly stealthy intrusion involved the complete subversion of the target's authentication stack, providing Velvet Ant with continuous, unchallenged visibility into administrative activities and control over the compromised environment.
The attackers' tactics included using vulnerable internet-facing systems to establish initial access before meticulously bridging to an air-gapped network, demonstrating advanced operational capability. Once inside, Velvet Ant deployed custom malware, backdoored core Linux authentication components such as Pluggable Authentication Modules (PAM) and OpenSSH, and hijacked existing network infrastructure to ensure covert remote execution and persistent credential theft. The campaign shows the difficulty in detecting and eradicating state-sponsored actors who prioritize long-term strategic access over immediate disruption. It also shows a commitment to deep infiltration and prolonged intelligence gathering within high-value targets.
This roundup also covers a critical pre-authentication remote code execution vulnerability in Splunk Enterprise, the U.S. government's unprecedented move to impose export controls on Anthropic's advanced AI models Fable 5 and Mythos 5 due to national security concerns, the guilty plea of a Ukrainian national for his role in the notorious Conti ransomware operations, and a cyberattack that disrupted financial services at Brazil's MagaluPay. These incidents illustrate the range of current cyber threats, from sophisticated state-level espionage to critical software vulnerabilities and direct financial disruption.
How Did Velvet Ant Maintain Decades-Long Persistence in Isolated Networks?
The Velvet Ant threat group achieved its decade-long persistence by compromising internet-facing servers and subsequently establishing a covert execution path into an otherwise isolated critical infrastructure network. Their methodology involved a multi-stage attack chain designed for stealth and resilience. This included deploying custom tools, tampering with fundamental system components, and embedding their access into the core authentication processes of the target environment.
The initial phase of Operation Highland involved gaining a foothold on internet-facing systems, though specific vulnerabilities for this entry point were not publicly disclosed. Upon compromise, Velvet Ant deployed a modified GS-Netcat reverse shell, camouflaged as a legitimate system component, to establish encrypted remote shell access to a hardcoded relay domain. Persistence on these initial hosts was secured either through malicious systemd services or by altering startup scripts. The group then installed a custom SOCKS5 proxy, masquerading as 'smbd -D' and utilizing varying filenames and ports, to tunnel network traffic and pivot deeper into the internal network, transforming compromised servers into internal stepping stones.
The critical step in breaching the isolated network involved a sophisticated modification of existing infrastructure. Velvet Ant altered the configuration of a compromised internet-facing Nginx server to proxy specially crafted requests to a compromised backend server. This backend server's Nginx configuration was also modified to forward requests to a FastCGI process (fcgiwrap) listening on a separate port. This FastCGI wrapper acted as an execution bridge, processing requests and launching a custom binary named 'uptime,' which established SSH connections into the segregated critical infrastructure network using parameters supplied in HTTP POST requests. This chain of modifications allowed for remote execution into the isolated environment without any direct internet connection. Coverage of China-aligned cyber espionage offers more context on the deep capabilities of such groups.
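The bridging described above works because a proxy_pass or fastcgi_pass directive was quietly added to a web server that administrators assumed they understood. A defender's counterpart is a configuration audit that lists every upstream a vhost forwards to and flags any that are not on an explicit allowlist. The script below is an added example, not Sygnia's tooling or anything from the report; the sample configuration, hostnames, ports and the allowlist are constructed assumptions that mimic the pattern (a location forwarding to a FastCGI wrapper on a separate port).

```python
"""Audit an Nginx configuration for proxy_pass / fastcgi_pass upstreams that
are not on an explicit allowlist.

Added example (not from the report). The sample config and the allowlist are
constructed; real deployments would read the live config and maintain the
allowlist from change management.
"""
import re

# Constructed sample: two locations forward to the expected app server, one
# location forwards to a local FastCGI listener that nobody approved.
SAMPLE_CONFIG = """
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /api/ {
        proxy_pass http://app-backend.internal:8080;
    }
    location /status/ {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9001;
    }
}
"""

# Upstreams the operator knows are legitimate for this server (assumption).
ALLOWED_UPSTREAMS = {
    "http://127.0.0.1:8080",
    "http://app-backend.internal:8080",
}

LOCATION_RE = re.compile(r"location\s+([^\s{]+)\s*\{")
UPSTREAM_RE = re.compile(r"^\s*(proxy_pass|fastcgi_pass|uwsgi_pass)\s+([^;]+);")


def extract_upstreams(config_text):
    """Return (location, directive, upstream) triples.

    Each forwarding directive is attributed to the most recent `location`
    line; directives before any location are attributed to "(server)".
    """
    results = []
    current_location = "(server)"
    for line in config_text.splitlines():
        loc = LOCATION_RE.search(line)
        if loc:
            current_location = loc.group(1)
            continue
        m = UPSTREAM_RE.match(line)
        if m:
            results.append((current_location, m.group(1), m.group(2).strip()))
    return results


def find_unexpected_upstreams(config_text, allowed=ALLOWED_UPSTREAMS):
    """Return the triples whose upstream is not allowlisted.

    A fastcgi_pass to a wrapper such as fcgiwrap deserves particular
    scrutiny: the wrapper executes whatever script the request names.
    """
    return [t for t in extract_upstreams(config_text) if t[2] not in allowed]


if __name__ == "__main__":
    for location, directive, upstream in find_unexpected_upstreams(SAMPLE_CONFIG):
        print(f"review: location {location} -> {directive} {upstream}")
```

Running it against the constructed config reports only the /status/ location forwarding to 127.0.0.1:9001; the two approved upstreams are silent. The parser only tracks the nearest location line, which is adequate for a single vhost file but would need a real block parser for deeply nested includes.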
Once access was established within the isolated environment, Velvet Ant focused on long-term persistence and credential harvesting by targeting Linux Pluggable Authentication Modules (PAM). They replaced legitimate 'pam_unix.so' modules with backdoored versions that accepted hardcoded passwords and captured user credentials. Sygnia identified nine distinct variants of these malicious PAM modules, each compiled in a separate build environment, which indicates significant resources and planning by the threat actor. Two variants were notable for their dual function as both backdoors and credential collectors.
To further embed their control, Velvet Ant also replaced OpenSSH components (ssh, sshd, scp) with trojanized versions. These modified components captured credentials, logged commands executed during SSH sessions, and stored the collected data locally for later retrieval. By gaining control over the authentication process through PAM and OpenSSH modifications, the threat actor accessed credentials as they were used and could bypass the standard authentication flow. This deep level of compromise ensured persistence regardless of password changes or session terminations, significantly reducing the efficacy of conventional containment measures. Analyses of how Chinese hackers gain access provide further detail on how such threat actors secure their initial foothold.
The remediation process for Operation Highland was exceptionally complex. The extensive replacement of critical system components with custom, malicious versions meant that their removal carried a high risk of breaking authentication, locking out legitimate administrators, and causing operational outages. Sygnia addressed this by developing a testing lab to validate binary replacement procedures, profiling each compromised host, exhaustively testing results, and preparing complete rollback plans before executing the cleanup. This meticulous approach was necessary to safely eradicate Velvet Ant from the deeply embedded network.
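Both the PAM/OpenSSH replacement described above and the remediation's host profiling come down to one question: does each authentication-critical file still match a known-good build? The script below is an added example, not Sygnia's remediation tooling. It records SHA-256 hashes of pam_unix.so and the OpenSSH binaries into a baseline and later reports any file that changed or disappeared. It assumes the baseline is captured from a known-good host or golden image before comparison (a baseline taken from an already compromised host only re-certifies the backdoor); the file paths listed are typical Linux locations, not values from the report, and the demonstration runs on constructed files in a temporary directory.

```python
"""Hash-baseline check for authentication-critical files (PAM modules and
OpenSSH binaries).

Added example, not from the report. Assumes the baseline comes from a
trusted source (golden image, package manager, or a host verified clean).
"""
import hashlib
import json
import os
import tempfile

# Typical locations of the components the report says were replaced
# (assumption: actual paths vary by distribution and architecture).
DEFAULT_TARGETS = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/lib64/security/pam_unix.so",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/scp",
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing path to its SHA-256; absent paths are skipped so one
    target list can serve several distributions."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def verify_baseline(baseline):
    """Compare current hashes against the baseline.

    Returns {'ok': [...], 'modified': [...], 'missing': [...]}. A modified
    pam_unix.so or sshd is a high-priority finding: treat the host as
    untrusted until the change is explained by a legitimate package update.
    """
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif sha256_of(path) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def save_baseline(baseline, out_path):
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def run_demo():
    """Constructed scenario: one file intact, one modified after baselining,
    one deleted. Returns the report keyed on basenames so it is stable."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("pam_unix.so", "sshd", "scp")}
        for name, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"original build of " + name.encode())
        baseline = build_baseline(paths.values())
        with open(paths["pam_unix.so"], "ab") as f:  # simulate a replaced module
            f.write(b"\x00")
        os.remove(paths["scp"])  # simulate a removed binary
        report = verify_baseline(baseline)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real host the flow is `save_baseline(build_baseline(DEFAULT_TARGETS), path)` on a trusted image, then `verify_baseline(load_baseline(path))` during hunting or after remediation. Package-manager verification (`rpm -V openssh-server`, `debsums`) gives a similar signal for distribution-packaged files, but a hash baseline also covers locally built or vendor-supplied binaries that the package database does not know about.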
What is the Impact of the Critical Splunk Enterprise CVE-2026-20253 Vulnerability?
A critical security flaw, CVE-2026-20253, in Splunk Enterprise versions below 10.2.4 and 10.0.7, allows an unauthenticated attacker to perform arbitrary file operations and potentially achieve pre-authenticated Remote Code Execution (RCE), earning a CVSS score of 9.8. This vulnerability stems from the lack of authentication controls in a PostgreSQL sidecar service endpoint, enabling any network-reachable user to invoke file operations without requiring credentials.
The exploit chain, detailed by watchTowr Labs, uses the "/v1/postgres/recovery/backup" and "/v1/postgres/recovery/restore" endpoints. An attacker can connect to a controlled database and use the backup endpoint to dump its contents into an arbitrary file on the Splunk Enterprise system. Subsequently, the restore endpoint is used to load this malicious database dump into the local PostgreSQL instance by including a "passfile" argument pointing to a .pgpass file (/opt/splunk/var/packages/data/postgres/.pgpass) containing the postgres_admin user's password.
During the restoration process, SQL queries defined in the attacker-controlled database dump are executed by Splunk's PostgreSQL instance. This allows an attacker to define a new SQL function that utilizes lo_export - a function designed to extract a Binary Large Object (BLOB) from the database and save it as a file on the file system. This capability provides a controlled arbitrary file write primitive on the Splunk file system. The ultimate escalation to RCE is achieved by overwriting a frequently executed Python script within Splunk (e.g., /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py) with a malicious payload, which then executes when the script runs.
The vulnerability affects:
- Splunk Enterprise versions 10.0.0 to 10.0.6, fixed in version 10.0.7.
- Splunk Enterprise versions 10.2.0 to 10.2.3, fixed in version 10.2.4.
Splunk Enterprise 10.4 is not affected, and Splunk Cloud is also not impacted because it does not utilize Postgres sidecars. While there is no public evidence of in-the-wild exploitation, the availability of technical exploit details increases the risk, requiring immediate patching for all vulnerable deployments.
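Two checks a Splunk administrator would want from the description above: whether a given version falls inside the affected ranges, and whether anything has been calling the recovery endpoints. The script below is an added example, not Splunk's or watchTowr's code. The affected ranges are the ones listed in this section; the access-log lines are constructed, and the assumption that requests to the sidecar endpoints appear in an HTTP access log in Common Log Format is ours (where the sidecar is actually logged depends on the deployment).

```python
"""Defender-side checks for CVE-2026-20253 in Splunk Enterprise.

Added example, not vendor code. Version ranges come from the advisory
summary; log lines are constructed and the log format is an assumption.
"""
import re

# (first affected, first fixed) per branch, from the advisory summary.
AFFECTED_BRANCHES = [
    ((10, 0, 0), (10, 0, 7)),
    ((10, 2, 0), (10, 2, 4)),
]

RECOVERY_ENDPOINTS = (
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
)


def parse_version(text):
    """'10.2.3' -> (10, 2, 3); tolerates a trailing build suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version lies in [first affected, first fixed) for any
    branch; 10.4.x and other branches fall outside both ranges."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_BRANCHES)


# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_recovery_requests(lines):
    """Return (ip, timestamp, method, path, status) for every request that
    touches a recovery endpoint. Any hit from a source that is not an
    expected administrator is worth investigating regardless of status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if path in RECOVERY_ENDPOINTS:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2026:10:01:02 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jun/2026:10:03:15 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Jun/2026:10:03:40 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 61',
    '10.0.0.5 - - [12/Jun/2026:10:04:00 +0000] "GET /v1/postgres/recovery/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("10.0.6", "10.0.7", "10.2.3", "10.2.4", "10.4.0"):
        print(v, "affected" if is_affected(v) else "fixed or unaffected")
    for hit in find_recovery_requests(SAMPLE_LOG):
        print("recovery endpoint access:", hit)
```

The version check reports 10.0.6 and 10.2.3 as affected and 10.0.7, 10.2.4 and 10.4.0 as not, matching the ranges above. The log scan flags the two POSTs from 203.0.113.9 and ignores the unrelated 404. A backup followed shortly by a restore from the same source, as in the sample, is the sequence the exploit chain depends on, so it is a useful pairing to alert on while patches are rolled out.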
Why Did the U.S. Government Order Anthropic to Disable Fable 5 and Mythos 5 AI Models?
The U.S. government, specifically the Commerce Department, ordered Anthropic to immediately suspend foreign access to its two most advanced artificial intelligence models, Fable 5 and Mythos 5, citing national security concerns. This directive, issued through an export control decree by Secretary of Commerce Howard Lutnick, prohibited use by foreign nationals both within and outside the United States. In response, Anthropic disabled global access to both models to ensure compliance, though access to its other AI models remains unaffected.
The government's concern reportedly stemmed from a technique for "jailbreaking" Fable 5, a term for methods that bypass a model's built-in safety guardrails. According to Anthropic, the government provided only verbal evidence of what it characterized as a "narrow, non-universal jailbreak." This technique purportedly involved prompting the model to analyze a specific codebase and identify software flaws. The incident illustrates growing government scrutiny of powerful AI models and their potential dual-use capabilities, echoing broader concerns about state-backed espionage and shadow campaigns using advanced technology.
Anthropic, which had only released Fable 5 and Mythos 5 earlier in the week, disputed the severity of the government's finding. The company asserted that the capabilities demonstrated by the alleged jailbreak were already available in other publicly accessible models, including OpenAI's GPT-5.5, and are routinely used by cybersecurity professionals for defensive purposes. Anthropic maintained that perfect jailbreak resistance is unachievable for any model provider and that Fable 5 was designed with a "defense in depth" strategy. The company argued that applying such a stringent standard to commercial model deployments based on a narrow, non-universal jailbreak would effectively halt all new model deployments across the frontier AI industry.
The impact on initiatives like Project Glasswing, which allowed selected cybersecurity companies and the National Security Agency to use Mythos 5 for identifying and addressing security flaws and offensive cyber operations, remains uncertain. This government action is part of a growing trend where advanced AI capabilities are increasingly viewed through a national security lens, leading to new forms of regulation and oversight over their development and deployment. The move has drawn criticism from researchers and industry analysts, who questioned the scope and implications of the export controls.
What is the Significance of Oleksii Lytvynenko's Guilty Plea in Conti Ransomware Operations?
Ukrainian national Oleksii Lytvynenko, 44, has pleaded guilty in the United States to conspiracy to commit wire fraud for his involvement with the Conti ransomware operation. Conti, one of the most prolific and damaging cybercrime groups between 2020 and 2022, impacted over 1,000 victims across 47 U.S. states, the District of Columbia, Puerto Rico, and 31 foreign countries, generating at least $150 million in ransom payments. Lytvynenko's plea follows his extradition from Ireland in October 2025.
The Conti group operated a typical ransomware-as-a-service model, compromising victim networks, encrypting files, exfiltrating sensitive data, and then demanding ransoms under threat of public disclosure. Prosecutors stated that the group caused millions of dollars in damages to businesses and organizations of various sizes globally. Lytvynenko admitted joining the Conti conspiracy in September 2021 and acknowledged possessing data stolen from eight U.S. victims and four international victims.
Court documents detail Lytvynenko's role in coding a "loader," a type of malware commonly used to install or execute additional malicious tools required for further attack stages. This specific contribution shows the collaborative and specialized nature of modern ransomware operations. Lytvynenko is scheduled for sentencing on September 10, 2026, and faces a maximum penalty of 20 years in prison.
This conviction is a result of Operation Riptide, an ongoing FBI initiative targeting cybercrime actors, their infrastructure, and financial networks involved in online fraud and ransomware. The case reflects the U.S. government's intensified efforts to identify, extradite, and prosecute individuals associated with ransomware gangs, following a reported 26 percent increase in cybercrime losses, exceeding $20 billion, in the past year. Other recent guilty pleas, such as those related to the ALPHV (BlackCat) and Nefilim ransomware gangs, show a sustained focus on bringing cybercriminals to justice.
What Was the Impact of the MagaluPay Cyberattack on Customers?
MagaluPay, the financial services platform operated by Brazilian retail giant Magazine Luiza, experienced a "cybernetic event" that left many customers unable to access or move their financial resources for several days. The incident began on Saturday, June 6, 2026, and led to a wave of 29 customer complaints on platforms like Reclame Aqui by June 11, which indicated user frustration and financial disruption.
The company confirmed the cyber incident but did not disclose its specific nature, the extent of financial damages, or a clear timeline for service normalization. While MagaluPay assured that customers' personal data had not been compromised, it temporarily suspended critical services, including payments via Pix, as a security measure. These services were only gradually restored, forcing many users to contend with delays in conducting essential transactions like paying rent and other bills. Some customers expressed their intent to permanently withdraw their funds once access was restored, showing a loss of trust.
MagaluPay operates as a payment institution regulated by the Central Bank of Brazil, offering a digital account that facilitates payments, transfers, and bill payments, alongside cashback incentives. This platform is integral to Magazine Luiza's broader diversification strategy into financial technology through recent acquisitions. The incident at MagaluPay shows a broader trend of escalating cyberattacks and fraud within the Brazilian financial system. Between January and May 2026, the Central Bank recorded 33 security incidents, 25 of which were fraud-related, marking the highest number for this period on record. This heightened activity places increasing pressure on financial institutions to strengthen their security protocols and improve customer support, particularly during critical service disruptions.
Technical Takeaways
- Velvet Ant's Operation Highland demonstrates that state-sponsored actors are capable of maintaining decade-long persistence within isolated critical infrastructure by subverting core authentication mechanisms like PAM and OpenSSH.
- The Splunk Enterprise CVE-2026-20253 vulnerability shows the critical importance of strong authentication controls on all service endpoints, as even unauthenticated file operations can be chained to achieve pre-authenticated Remote Code Execution.
- Government intervention in the deployment of advanced AI models like Anthropic's Fable 5 and Mythos 5 shows a new regulatory area where AI capabilities are being assessed for national security implications, particularly concerning potential "jailbreaks."
- The Conti ransomware operator's guilty plea reinforces international law enforcement's sustained efforts to dismantle cybercrime groups and prosecute their members, even for activities occurring years prior.
- The MagaluPay incident shows the direct and immediate impact cyberattacks can have on essential financial services, causing widespread customer disruption and emphasizing the critical need for strong incident response and communication strategies in financial technology platforms.