Velvet Ant, a Chinese state-sponsored APT, maintained undetected access inside a large organization’s air-gapped critical infrastructure network for approximately ten years by hijacking Linux PAM (pam_unix.so) and OpenSSH binaries (ssh, sshd, scp) to harvest credentials and sustain covert remote access. No discrete CVE is assigned to this campaign; the intrusion exploited configuration weaknesses and binary tampering rather than a patched vulnerability. Organizations running Linux-based critical infrastructure with Nginx/fcgiwrap deployments, F5 BIG-IP, or Cisco NX-OS edge appliances face elevated risk from this tradecraft.
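A defensive check for the binary tampering described above, as an added example that is not part of the original report: it compares ssh, scp, sshd and pam_unix.so against a known-good SHA-256 manifest. The `/usr/lib64/security/pam_unix.so` path (the PAM module location varies by distribution), the manifest name `baseline.sha256` and the demo tree are assumptions constructed for illustration.

```shell
# Added example: verify the binaries named above against a known-good SHA-256 manifest.
# Manifest lines use sha256sum's format: "<hex digest>  <absolute path>".
# Store the manifest off the monitored host; whoever can replace sshd can edit a local baseline.

# check_baseline MANIFEST [ROOT]
# ROOT is prefixed to each path, so a mounted disk image (or the demo tree) can be checked.
# Prints one status line per entry; returns 0 only if every file matches its digest.
check_baseline() {
    local manifest root want path got bad
    manifest=$1; root=${2:-}; bad=0
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        got=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: a throwaway tree standing in for a host, with one file
# changed after the baseline was recorded. Prints the tree's root directory.
demo_tree() {
    local root p
    root=$(mktemp -d)
    for p in /usr/bin/ssh /usr/bin/scp /usr/sbin/sshd /usr/lib64/security/pam_unix.so; do
        mkdir -p "$root$(dirname "$p")"
        echo "constructed stand-in for $p" > "$root$p"
        echo "$(sha256sum "$root$p" | cut -d' ' -f1)  $p" >> "$root/baseline.sha256"
    done
    echo "altered after baseline" >> "$root/usr/lib64/security/pam_unix.so"
    echo "$root"
}

# Pass --demo to run the check against the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    r=$(demo_tree)
    check_baseline "$r/baseline.sha256" "$r" || echo "integrity check failed"
    rm -rf "$r"
fi
```

On a live host, build the manifest from the distribution's packages or a trusted image rather than from the running system, and run the check from read-only media where possible.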