The recent identification of a decade-long cyber espionage campaign attributed to the Velvet Ant threat group illustrates a profound shift in the way advanced persistent threats navigate air-gapped networks. This breach, which remained active and undetected from 2026 through the current day, targeted a large enterprise with critical infrastructure components that were assumed to be isolated from external threats. By focusing on non-traditional entry points, specifically legacy Linux-based hardware and specialized network appliances, the attackers demonstrated that physical isolation is no longer a definitive barrier against determined state-sponsored actors. The operation was characterized by its extreme patience and technical precision, utilizing a series of sophisticated tools that were meticulously adapted to the target’s specific environment. This scenario highlights a growing trend where adversaries prioritize longevity and deep-seated persistence over immediate results.
Persistence Through Legacy Infrastructure
Exploitation: Targeted Vulnerabilities in Edge Devices
Attackers gained a foothold by targeting legacy F5 BIG-IP appliances, which are often overlooked during modern security refreshes due to their complexity and critical role in network traffic management. These devices provided a perfect environment for Velvet Ant because they run specialized Unix-based operating systems that are frequently incompatible with standard third-party security agents. By exploiting known but unpatched vulnerabilities in these older firmware versions, the threat actors were able to execute arbitrary code and establish a resilient base of operations. Once they secured control over these edge devices, they moved laterally into the internal network, specifically seeking out other Linux and Unix servers that lacked the rigorous auditing typical of Windows environments. This focus on older hardware allowed the intruders to maintain their presence even when other parts of the network underwent significant upgrades over the last few years.
Adaptation: Customization of PlugX for Linux Systems
To ensure long-term stability across diverse environments, Velvet Ant utilized a highly customized version of the PlugX remote access trojan, specifically re-engineered to function within Linux and Unix kernels. This particular iteration of the malware was stripped of its usual Windows-centric features and instead optimized for stealthy execution in server environments where command-line activity is common and often less scrutinized. The Linux variant of PlugX allowed the attackers to manipulate files, execute shell commands, and tunnel network traffic while mimicking legitimate system processes to avoid triggering basic behavioral alerts. By embedding the malware within the boot sequence of compromised servers, they ensured that their access would persist across system reboots, making the infection difficult to eradicate through maintenance. The technical investment required to port such a complex toolset suggests a well-funded operation with a clear directive.
Communication Strategies and Stealth
Relays: Maintaining Control Across Air Gaps
One of the most remarkable aspects of this campaign was the ability of the threat actors to maintain communication with systems located within strictly isolated, air-gapped segments of the corporate network. Rather than relying on direct internet connections, Velvet Ant established an internal relay network that leveraged compromised intermediate servers with limited connectivity. They utilized physical media transfers and sanctioned administrative channels to move malicious payloads and exfiltrate sensitive data across the air gap, essentially hitching a ride on legitimate maintenance procedures. This method required extensive observation of the target organization’s internal workflows and the schedules of authorized personnel who moved between secure zones. By mapping these physical and logical bridges, the attackers were able to bypass the most stringent network segmentation policies without alerting the security operations center or triggering any local alarms.
Remediation: Detection Protocols and Response Strategies
The ultimate discovery of the breach occurred only after specialized forensic analysis revealed anomalies in legacy system logs that had been collected but never properly scrutinized for long-term patterns. Organizations realized that traditional real-time monitoring was insufficient for detecting an adversary that moved with such deliberate slowness to avoid threshold-based alerts. To mitigate these risks, security leaders implemented zero-trust architectures that extended to legacy hardware, ensuring that even internal management appliances were subjected to continuous authentication and traffic analysis. Rigorous hardware lifecycle management was prioritized, with a focus on decommissioning any device that could not support modern security telemetry or endpoint protection tools. Furthermore, organizations established stricter protocols for physical data transfers to prevent the inadvertent bridging of air-gapped environments by authorized users.
