A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developers’ systems with a mix of rootkit, backdoor, and credential-stealing capabilities.
The malware kit is deployed in development and DevOps environments in npm, PyPI, GitHub, AWS, Docker, and Kubernetes. This could enable supply-chain attacks where the threat actor publishes malicious packages on code distribution platforms.
Researchers at cybersecurity company Trend Micro analyzed the QLNX implant and found that “it dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc [GNU Compiler Collection].”
A report from the company this week notes that QLNX was designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables.
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed.
Source: Trend Micro
QLNX features multiple functional blocks dedicated to specific activities, making it a complete attack tool. Its core components can be summarized as follows:
- RAT core — Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.
- Rootkit — Dual-layer stealth mechanism combining a userland LD_PRELOAD rootkit and a kernel-level eBPF component. The userland layer hooks libc functions to hide files, processes, and malware artifacts, while the eBPF layer conceals PIDs, file paths, and network ports at the kernel level. Both are deployed dynamically, with the userland rootkit compiled on the target system.
- Credential access layer — Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
- Surveillance module — Keylogging, screenshot capture, and clipboard monitoring.
- Networking and lateral movement — TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking.
- Execution and injection engine — Process injection (ptrace, /proc/pid/mem) and in-memory execution of payloads (shared objects, BOF/COFF).
- Filesystem monitoring — Real-time tracking of file activity via inotify.
Source: Trend Micro
After initial access, QLNX establishes a fileless foothold, deploys persistence and stealth mechanisms, and then harvests developer and cloud credentials.
By targeting developer workstations, attackers can bypass enterprise security controls and access the credentials that underpin software delivery pipelines.
Source: Trend Micro
This approach mirrors recent supply chain incidents in which stolen developer credentials were used to publish trojanized packages to public repositories.
Trend Micro has not provided details about specific attacks or any attribution for QLNX, so the deployment volume and specific activity levels of this new malware are unclear.
At the time of publication, the Quasar Linux implant is detected by only four security solutions, which flag its binary as malicious. Trend Micro has provided indicators of compromise (IoCs) to help defenders detect QLNX infections and protect against them.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.