Pygmy Goat Malware Breaches and Hijacks Sophos Firewalls

“Pygmy Goat” malware is a highly sophisticated backdoor designed to give an attacker unauthorized access to Linux-based network devices, with a particular focus on Sophos XG firewall appliances. It was discovered during an ongoing series of cyber-espionage operations attributed to Chinese state-sponsored threat actors and is emblematic of the broader Pacific Rim campaign, a targeted assault on critical infrastructure and high-value organizations. First identified by the UK’s National Cyber Security Centre (NCSC), these attacks exploit known vulnerabilities such as CVE-2022-1040 in edge devices and network appliances, particularly those operated by government agencies, critical-infrastructure sectors, and private enterprises. Once deployed, “Pygmy Goat” gives the attackers persistent, covert access to the compromised system, enabling exfiltration of sensitive data and remote control of the infected device. To evade detection, the malware communicates over encrypted ICMP packets and disguises its activity as legitimate SSH traffic, both of which let it slip past traditional detection mechanisms.
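The two evasion techniques named above, covert data inside ICMP packets and traffic on the SSH port that is not really SSH, are exactly the things a network defender can hunt for. The script below is an added example written for this article; it is not Pygmy Goat code, not a Sophos tool, and it uses no indicators from the real malware. It runs a few simple heuristics over constructed packet records: an ICMP echo payload that is larger than a normal ping, a payload that does not look like the stock ping fill pattern, an unusually high number of echo packets between one pair of hosts, and a TCP stream to port 22 that does not open with the SSH identification string required by RFC 4253. The size and count thresholds, the 16-byte timestamp prefix, and the "standard ping pattern" definitions are assumptions chosen for illustration, and the sample packets are constructed, not captured.

```python
"""Heuristic hunt for ICMP covert channels and fake SSH on tcp/22.

Added example for this article: not Pygmy Goat code and not a Sophos tool.
Every threshold and benign-pattern definition below is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int]  # TCP destination port; None for ICMP
    payload: bytes        # ICMP data field, or the first bytes of a TCP stream


# Assumed thresholds for illustration (not real Pygmy Goat indicators):
ICMP_MAX_BENIGN = 64   # ordinary echo payloads are about 32-56 bytes
ICMP_TS_PREFIX = 16    # assumed size of the timestamp that Linux ping places first
ICMP_PAIR_LIMIT = 20   # more echo packets than this between one host pair is odd


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches one of two assumed benign fill patterns:
    an all-lowercase ASCII run (Windows-style "abcdef...") or, after an
    optional timestamp prefix, a byte sequence that increments by one."""
    if not payload:
        return True                        # nothing to carry data in
    if all(0x61 <= b <= 0x7A for b in payload):
        return True
    body = payload[ICMP_TS_PREFIX:]        # skip the assumed timestamp prefix
    return len(body) >= 2 and all(
        body[i + 1] == (body[i] + 1) & 0xFF for i in range(len(body) - 1)
    )


def icmp_findings(pkt: Packet) -> List[str]:
    """Per-packet ICMP reasons: oversized payload, or payload not a ping pattern."""
    reasons = []
    if len(pkt.payload) > ICMP_MAX_BENIGN:
        reasons.append(f"icmp payload {len(pkt.payload)} bytes exceeds {ICMP_MAX_BENIGN}")
    if not looks_like_standard_ping(pkt.payload):
        reasons.append("icmp payload does not match a standard ping pattern")
    return reasons


def non_ssh_on_22(pkt: Packet) -> bool:
    """RFC 4253: a real SSH session begins with an identification string 'SSH-'."""
    return pkt.proto == "tcp" and pkt.dport == 22 and not pkt.payload.startswith(b"SSH-")


def scan(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, reason) findings; index -1 marks a per-pair volume finding."""
    findings: List[Tuple[int, str]] = []
    pair_counts = defaultdict(int)
    for i, pkt in enumerate(packets):
        if pkt.proto == "icmp":
            pair_counts[(pkt.src, pkt.dst)] += 1
            findings.extend((i, r) for r in icmp_findings(pkt))
        elif non_ssh_on_22(pkt):
            findings.append((i, "tcp/22 stream does not start with an SSH identification string"))
    for (src, dst), n in pair_counts.items():
        if n > ICMP_PAIR_LIMIT:
            findings.append((-1, f"{n} icmp packets {src}->{dst} exceed {ICMP_PAIR_LIMIT} per window"))
    return findings


def sample_packets() -> List[Packet]:
    """Constructed traffic: two benign pings, a burst of opaque ICMP, one real SSH, one fake."""
    linux_ping = b"\x00" * ICMP_TS_PREFIX + bytes(range(0x10, 0x38))      # 56 bytes
    windows_ping = b"abcdefghijklmnopqrstuvwabcdefghi"                     # 32 bytes
    opaque = bytes.fromhex("7c2e91a4d03b5f68e2c7a90d4b1f3e85") * 5         # 80 opaque bytes
    pkts = [
        Packet("icmp", "10.0.0.5", "10.0.0.1", None, linux_ping),
        Packet("icmp", "10.0.0.6", "10.0.0.1", None, windows_ping),
    ]
    pkts += [Packet("icmp", "10.0.0.42", "192.0.2.10", None, opaque)] * 25
    pkts.append(Packet("tcp", "10.0.0.9", "10.0.0.1", 22, b"SSH-2.0-OpenSSH_9.6\r\n"))
    pkts.append(Packet("tcp", "10.0.0.42", "192.0.2.10", 22, b"\x17\x03\x03\x00\x45\x9a"))
    return pkts


if __name__ == "__main__":
    for idx, reason in scan(sample_packets()):
        print(idx, reason)
```

The pattern check is deliberately a whitelist of what benign looks like rather than a byte-entropy score: a normal Linux ping fill is an incrementing counter, which scores as "high entropy" under a simple Shannon measure, so entropy alone would flag every ping. In production this logic would sit behind a packet parser or a Zeek/Suricata rule feed rather than dataclasses, and the thresholds would be tuned to the site's own ICMP baseline.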
