Velvet Ant is the name given by Israeli cybersecurity firm Sygnia to a threat actor it publicly disclosed in June 2024 after investigating a multi-year intrusion at a large East Asian organization. Sygnia attributed the activity, with what it described as high confidence, to a China-nexus espionage group focused on long-term access and data theft rather than disruption or financial gain.
The group is notable for its persistence tradecraft. In the case Sygnia disclosed, Velvet Ant maintained footholds inside the victim's environment for roughly three years, repeatedly re-establishing access after remediation attempts. Reported techniques included:
- Deploying PlugX (also known as Korplug), a remote access trojan historically associated with Chinese APT activity, on internal file servers used as command-and-control relays.
- Abusing legacy and end-of-life systems, including unmonitored Windows servers, to host malware where endpoint detection tooling was absent.
- Pivoting to network appliances such as F5 BIG-IP load balancers, which Sygnia reported were exploited as an internal staging point and used to tunnel traffic out of the network.
- Operating across both internet-facing and internal infrastructure to survive cleanup cycles.
In a follow-up report later in 2024, Sygnia described Velvet Ant exploiting a zero-day in Cisco NX-OS (tracked as CVE-2024-20399) to run arbitrary commands on Nexus switches, underscoring the group's interest in network-layer footholds that evade traditional host-based defenses.
Velvet Ant illustrates a broader pattern researchers attribute to Chinese state-aligned operators: prioritizing edge devices, appliances, and forgotten infrastructure over endpoints, since those assets typically lack EDR coverage and have limited logging. For policy researchers, the case is frequently cited in debates over software bills of materials, appliance security baselines, and disclosure obligations for managed network equipment.
Example
In June 2024, Sygnia disclosed that Velvet Ant had maintained roughly three years of persistent access to a large East Asian organization, using PlugX malware on internal file servers and pivoting through F5 BIG-IP appliances.
Frequently asked questions
Israeli incident response firm Sygnia, which published its findings in June 2024 after investigating a multi-year intrusion.
Keep learning