New Quasar Linux malware stealthily targets software developers

Summary
– A previously undocumented Linux implant called Quasar Linux (QLNX) targets developers’ systems with rootkit, backdoor, and credential-stealing capabilities.
– QLNX is deployed in development and DevOps environments (npm, PyPI, GitHub, AWS, Docker, Kubernetes), potentially enabling supply-chain attacks via malicious packages.
– The malware runs in-memory, deletes its binary, wipes logs, spoofs process names, and uses seven persistence mechanisms for stealth and long-term survival.
– Its core components include a 58-command RAT, dual-layer rootkit (LD_PRELOAD and eBPF), credential harvesting, surveillance, and lateral movement tools.
– QLNX is detected by only four security solutions; Trend Micro provided indicators of compromise but no details on specific attacks or attribution.
A newly discovered Linux backdoor, tracked as Quasar Linux (QLNX), is actively targeting software developers with a sophisticated combination of rootkit, backdoor, and credential-stealing capabilities. This previously undocumented implant represents a significant threat to development and DevOps environments.
The malware kit is specifically engineered to infiltrate npm, PyPI, GitHub, AWS, Docker, and Kubernetes ecosystems. By compromising developer workstations, attackers can potentially launch supply-chain attacks, injecting malicious packages into widely used code distribution platforms.
Cybersecurity firm Trend Micro, which analyzed the QLNX implant, reports that “it dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc [GNU Compiler Collection].” The company’s findings, published this week, highlight that QLNX is built for stealth and long-term persistence. It operates entirely in-memory, deletes its original binary from disk, wipes system logs, spoofs process names, and clears forensic environment variables to evade detection.
To ensure resilience, the malware employs seven distinct persistence mechanisms. These include LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and .bashrc injection. This layered approach guarantees that QLNX loads into every dynamically linked process and automatically respawns if terminated.
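A defender-side audit of the persistence locations the article names (ld.so.preload, systemd units, crontab, init.d, XDG autostart, .bashrc), added here as an example; it is not Trend Micro's tooling or the implant's code, and the temp-directory heuristic, the `root`/`home` parameters and the per-user systemd path are my assumptions:

```python
import glob
import os
import re

# Assumed heuristic (not from the article): persistence entries that launch
# anything from a world-writable temp directory deserve an analyst's look.
SUSPECT_RE = re.compile(r"(?<![\w.-])/(?:tmp|var/tmp|dev/shm)/\S+")

# (mechanism, base, glob) for the locations the article names; base selects root or home.
LOCATIONS = [
    ("systemd", "root", "etc/systemd/system/*.service"),
    ("systemd-user", "home", ".config/systemd/user/*.service"),
    ("crontab", "root", "etc/crontab"),
    ("crontab", "root", "etc/cron.d/*"),
    ("crontab", "root", "var/spool/cron/crontabs/*"),
    ("init.d", "root", "etc/init.d/*"),
    ("xdg-autostart", "home", ".config/autostart/*.desktop"),
    ("bashrc", "home", ".bashrc"),
]


def audit_persistence(root="/", home=None):
    """Return (mechanism, path, line) findings; root/home let the same check run on a mounted image."""
    home = home or os.path.expanduser("~")
    findings = []
    # LD_PRELOAD: every library listed here is injected into all dynamically linked
    # processes, so any entry at all is reported, not just temp-dir ones.
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):
        with open(preload, errors="replace") as fh:
            for line in fh:
                if line.strip() and not line.lstrip().startswith("#"):
                    findings.append(("ld.so.preload", preload, line.strip()))
    for mech, base, pattern in LOCATIONS:
        for path in glob.glob(os.path.join(root if base == "root" else home, pattern)):
            if not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                for line in fh:
                    if not line.lstrip().startswith("#") and SUSPECT_RE.search(line):
                        findings.append((mech, path, line.strip()))
    return findings


if __name__ == "__main__":
    for mech, path, line in audit_persistence():
        print(f"[{mech}] {path}: {line}")
```

Every finding is a lead to review by hand, not a verdict; a clean run does not rule out the eBPF layer or an in-memory-only process, which this file-based check cannot see.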
QLNX is a complete attack toolkit, with several dedicated functional modules. Its core components include:
- RAT Core: A central control module built around a 58-command framework. It provides interactive shell access, file and process management, system control, and network operations, maintaining persistent communication with its command-and-control (C2) server over custom TCP/TLS or HTTP/S channels.
After gaining initial access, QLNX establishes a fileless foothold, deploys its persistence and stealth mechanisms, and then systematically harvests developer and cloud credentials. By targeting developer workstations, attackers can bypass enterprise security controls and gain access to the credentials that underpin software delivery pipelines.
This approach mirrors recent high-profile supply chain incidents where stolen developer credentials were used to publish trojanized packages to public repositories. Trend Micro has not disclosed details about specific attacks or attributed QLNX to any known threat actor, so the deployment volume and specific activity levels of this new malware remain unclear.
At the time of publication, the Quasar Linux implant is detected by only four security solutions that flag its binary as malicious. Trend Micro has released indicators of compromise (IoCs) to help defenders detect and protect against QLNX infections.