TL;DR

Researchers have identified a previously undocumented Linux malware called Quasar Linux RAT (QLNX) targeting developers. It stealthily harvests critical credentials used in software supply chains, enabling malicious package pushes and cloud access. The malware operates in memory, employs multiple persistence methods, and exfiltrates data to command-and-control servers.

Security researchers have confirmed the discovery of Quasar Linux RAT (QLNX), a new, stealthy malware targeting developers’ Linux systems to steal credentials critical for software supply chain security.

According to Trend Micro analysts Aliakbar Zahravi and Ahmed Mohamed Ibrahim, QLNX is designed to target developer credentials stored in high-value files such as .npmrc, .pypirc, .git-credentials, and cloud configuration files like .aws/credentials and .kube/config. The malware can extract secrets that could allow attackers to push malicious packages to repositories like NPM and PyPI, access cloud infrastructure, or compromise CI/CD pipelines.

QLNX executes entirely in memory, avoiding on-disk detection, and disguises itself as a kernel thread such as kworker or ksoftirqd. It employs at least seven persistence mechanisms, including systemd, crontab, and shell injection via .bashrc. The malware exfiltrates data to attacker-controlled servers and accepts operator commands to run shell commands, manage files, inject code, take screenshots, log keystrokes, set up proxies, and participate in peer-to-peer networks. Its delivery method remains unclear, but once active it maintains persistent communication with command-and-control servers over raw TCP, HTTPS, and HTTP channels, supporting 58 commands for full control over the compromised host.

QLNX includes a Pluggable Authentication Module (PAM) backdoor that intercepts plaintext credentials during logins and SSH sessions, transmitting this data to attackers. It also features a two-tier rootkit architecture: a userland rootkit via LD_PRELOAD and a kernel eBPF component to conceal processes, files, and network ports, complicating detection efforts. The malware’s architecture indicates it was built for long-term stealth and credential theft, chaining multiple capabilities into a comprehensive attack workflow.

Why It Matters

This development is significant because it demonstrates a highly sophisticated threat targeting the software supply chain, a critical infrastructure for modern development and cloud services. By stealing developer credentials, attackers could push malicious code, access sensitive cloud environments, and potentially cause widespread disruption across organizations relying on open-source ecosystems and CI/CD pipelines.

The stealthy nature of QLNX, with its memory-only operation, kernel-level concealment, and multiple persistence methods, makes detection and removal difficult. Its ability to exfiltrate data and execute commands remotely raises the risk of sustained compromise and data breaches, emphasizing the need for enhanced security monitoring in developer environments.


Background

While malware targeting Linux systems and credential theft are not new, the discovery of QLNX marks a notable evolution in attack sophistication. Prior campaigns have focused on supply chain attacks via malicious packages or phishing, but this implant’s focus on long-term stealth and comprehensive credential harvesting suggests an increasing threat to development operations. It is not yet clear how QLNX is initially delivered, whether via malicious updates, supply chain compromise, or other vectors.

“QLNX targets developers and DevOps credentials across the software supply chain. Its credential harvester extracts secrets from high-value files such as .npmrc, .pypirc, .git-credentials, .aws/credentials, and others.”

— Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim

“The QLNX implant was built for long-term stealth and credential theft. Its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through multiple mechanisms, hide at both user and kernel levels, and harvest credentials.”

— Trend Micro analysis


What Remains Unclear

It remains unclear how QLNX is initially delivered to target systems. The specific threat actors behind the campaign, their motivations, and the scope of the infection are still under investigation. Details about the extent of infections or targeted organizations have not been publicly disclosed.


What’s Next

Security firms and organizations are expected to analyze the malware further, develop detection signatures, and share indicators of compromise. Monitoring for similar activity and strengthening credential management practices will be priorities. Authorities may also investigate potential links to known threat groups or campaigns targeting supply chains.


Key Questions

How is QLNX delivered to target systems?

It is currently unclear how QLNX is initially deployed. Researchers have not confirmed a specific delivery method; common vectors for this kind of implant include malicious updates, supply chain compromises, and phishing campaigns aimed at developers.

What types of credentials does QLNX target?

It targets high-value developer and DevOps credentials stored in files like .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, and similar configuration files used in software development and cloud environments.

Can organizations detect QLNX easily?

Due to its memory-only operation, kernel concealment, and multiple persistence methods, QLNX is designed to evade detection. Advanced monitoring and behavioral analysis are required to identify its presence.
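One behavioural check a defender can run against the two stealth features described above (processes posing as kworker/ksoftirqd, and an LD_PRELOAD userland rootkit). This is an added example, not code from the Trend Micro analysis; the kernel-thread name list is an assumption, and the sample /proc lines used in comments are constructed. It relies on a fact the malware cannot fake: only a real kernel thread carries the PF_KTHREAD flag in /proc/<pid>/stat.

```python
"""Flag userland processes wearing kernel-thread names (kworker, ksoftirqd, ...). A
process can rename itself, but cannot set the PF_KTHREAD flag in /proc/<pid>/stat."""
import os
import re

PF_KTHREAD = 0x00200000  # include/linux/sched.h: "I am a kernel thread"
# Name prefixes worth checking; this list is an assumption, extend it as needed.
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")

def parse_stat(stat_line):
    """Return (pid, comm, ppid, flags) from one /proc/<pid>/stat line."""
    head, _, tail = stat_line.rstrip("\n").rpartition(")")  # comm may hold ' ' or ')'
    pid_str, _, comm = head.partition(" (")
    fields = tail.split()  # state ppid pgrp session tty_nr tpgid flags ...
    return int(pid_str), comm, int(fields[1]), int(fields[6])

def classify(stat_line, cmdline=b""):
    """'kernel', 'masquerade' (kernel-thread comm or bracketed argv[0], no PF_KTHREAD) or 'user'."""
    _pid, comm, _ppid, flags = parse_stat(stat_line)
    if flags & PF_KTHREAD:
        return "kernel"
    argv0 = cmdline.split(b"\0")[0]  # ps shows real kernel threads as "[name]"; fakes copy that
    if KTHREAD_NAMES.match(comm) or (argv0[:1] == b"[" and argv0[-1:] == b"]"):
        return "masquerade"
    return "user"

def _read(path, mode="r"):
    try:
        with open(path, mode) as f:
            return f.read()
    except OSError:  # process exited, or not ours to read
        return None

def scan_proc(proc="/proc"):
    """Return [(pid, comm, reason)] for suspicious processes under `proc`. Caveat: an
    LD_PRELOAD/eBPF rootkit like the one described for QLNX can hide entries from this
    walk, so an empty result does not prove the host is clean."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        stat_line = _read(f"{proc}/{entry}/stat")
        if stat_line is None:
            continue
        pid, comm, _, _ = parse_stat(stat_line)
        if classify(stat_line, _read(f"{proc}/{entry}/cmdline", "rb") or b"") == "masquerade":
            findings.append((pid, comm, "kernel-thread name without PF_KTHREAD"))
        if b"LD_PRELOAD=" in (_read(f"{proc}/{entry}/environ", "rb") or b""):
            findings.append((pid, comm, "LD_PRELOAD present in environment"))
    return findings

if __name__ == "__main__":  # constructed sample: "123 (kworker/0:1) I 2 ... 69238880" is genuine
    for p, c, why in scan_proc(): print(f"PID {p} ({c}): {why}")
```

Run it as root so that every process's cmdline and environ are readable; findings should be confirmed against a second source (for example, a live-response memory image) because the page's eBPF rootkit can blind /proc.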

What should organizations do to protect themselves?

Organizations should implement strict credential management, monitor for unusual activity in development environments, and employ advanced endpoint detection tools capable of detecting memory-based and kernel-level malware.
