[Image: QLNX persistence mechanisms | Image: Trend Micro]
A previously undocumented Linux remote access trojan (RAT) has been exposed for its surgical precision in targeting the modern software supply chain. Security researchers at Trend Micro have uncovered Quasar Linux (QLNX), a comprehensive implant that doesn't just steal data: it hijacks the very tools developers use to build the digital world.
QLNX is characterized by its “notably minimal detection footprint” and its ability to turn a single developer’s workstation into a gateway for a full-scale cloud or infrastructure breach.
The true danger of QLNX lies in its credential-harvesting module, which is specifically tuned for DevOps and cloud environments. Rather than broad-spectrum theft, it hunts for high-value assets such as:
- Package Registry Tokens: .npmrc (NPM) and .pypirc (PyPI) credentials.
- Cloud Infrastructure Keys: AWS credentials, Kubernetes kubeconfig files, and Docker Hub configurations.
- Development Access: Git configuration, GitHub CLI tokens, and HashiCorp Vault tokens.
As the Trend Micro report highlights, “A single compromise can be silently leveraged to trojanize packages, inject backdoors into build artifacts, or pivot into cloud environments where production infrastructure lives”.
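The list above is also the checklist a defender wants after a suspected workstation compromise: which of these secret stores exist on the host, which were readable beyond the owner, and therefore which tokens to rotate first. The following inventory script is an added example written for this article, not code from Trend Micro's report or from the malware; the on-disk locations are the usual defaults for each tool and are assumptions, as is the layout of the throwaway demo home it builds for a dry run.

```python
import os
import stat
import tempfile

# Secret stores named in the article, keyed by their usual path under $HOME.
# The exact paths are assumptions (typical defaults), not taken from the report.
CREDENTIAL_FILES = {
    ".npmrc": "npm registry token",
    ".pypirc": "PyPI upload credentials",
    ".aws/credentials": "AWS access keys",
    ".kube/config": "Kubernetes kubeconfig",
    ".docker/config.json": "Docker registry auth",
    ".gitconfig": "Git configuration (may reference credential helpers)",
    ".git-credentials": "Git stored credentials",
    ".config/gh/hosts.yml": "GitHub CLI token",
    ".vault-token": "HashiCorp Vault token",
}


def lax_permissions(mode: int) -> bool:
    """True if group or others hold any permission bit on a secret file."""
    return bool(mode & 0o077)


def audit_home(home: str) -> list:
    """Report every known credential store under `home`, its mode and whether it is lax."""
    findings = []
    for rel, desc in CREDENTIAL_FILES.items():
        path = os.path.join(home, rel)
        try:
            st = os.lstat(path)  # lstat: a symlink pointing elsewhere is itself worth noting
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "rel": rel,
            "path": path,
            "what": desc,
            "mode": mode,
            "symlink": stat.S_ISLNK(st.st_mode),
            "lax": lax_permissions(mode),
        })
    return findings


def make_demo_home() -> str:
    """Build a throwaway home directory with constructed placeholder files (no real secrets)."""
    home = tempfile.mkdtemp(prefix="cred-audit-demo-")
    for rel, mode in ((".npmrc", 0o644), (".pypirc", 0o600), (".aws/credentials", 0o664)):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("# constructed placeholder, not a real credential\n")
        os.chmod(path, mode)  # chmod after creation so the umask does not interfere
    return home


if __name__ == "__main__":
    target = os.path.expanduser("~")
    for entry in audit_home(target):
        flag = "ROTATE + FIX MODE" if entry["lax"] else "present"
        print(f"{entry['rel']:<24} {oct(entry['mode']):>6}  {flag}  ({entry['what']})")
```

Run it as the developer user against the real home to see which stores exist; `make_demo_home()` is only there so the logic can be exercised on constructed files. Anything the script lists is a token the implant would have harvested, so a compromised host means rotating all of them, not just the lax ones.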
QLNX employs a “fileless” execution strategy to remain invisible to traditional disk-based scanners. Upon initial execution, the malware copies itself into RAM using the memfd_create syscall and re-executes from memory, immediately deleting its original binary from the disk.
To further evade detection, the RAT spoofs its process name to mimic legitimate kernel threads, such as [kworker/0:0] or [migration/0], consistently applying these fakes across argv[0], prctl, and /proc/self/comm to fool system monitoring tools like top or ps.
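Both tricks described above leave traces in /proc that a host-based check can read directly. A process started from memfd_create has an exe link of the form `/memfd:<name> (deleted)`, and a self-deleted binary's link ends in `(deleted)`; a genuine kernel thread has an empty cmdline, no readable exe, and kthreadd (PID 2) as its parent, so a "kworker" with a cmdline, an exe, or an ordinary parent is a userland process wearing a costume. The scanner below is an added example for this article, not code from Trend Micro or from the malware; the set of kernel-thread name prefixes it matches and the sample process records are constructed.

```python
import os
import re
from dataclasses import dataclass

# Prefixes of real kernel-thread names that a userland implant might imitate (assumed list).
KTHREAD_NAME = re.compile(r"^\[?(kworker|migration|ksoftirqd|kthreadd|rcu_|watchdog)")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # argv joined with spaces; empty for genuine kernel threads
    exe: str       # readlink(/proc/<pid>/exe); empty when unreadable (kernel threads)


def suspicious_reasons(p: ProcInfo) -> list:
    """Return the reasons this process looks like a masquerading or fileless implant."""
    reasons = []
    if p.exe.startswith("/memfd:") or p.exe.endswith("(deleted)"):
        reasons.append("exe is a memfd or a deleted file")
    looks_kernel = bool(KTHREAD_NAME.match(p.comm)) or bool(KTHREAD_NAME.match(p.cmdline))
    is_real_kthread = p.pid == 2 or p.ppid == 2   # kthreadd itself, or one of its children
    if looks_kernel and not is_real_kthread:
        reasons.append("kernel-thread name but parent is not kthreadd (pid 2)")
    if looks_kernel and (p.cmdline or p.exe):
        reasons.append("kernel-thread name but has a cmdline/exe, so it is a userland process")
    return reasons


def read_proc(pid: int):
    """Collect the fields above for one PID; None if it vanished meanwhile."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/status") as f:
            ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""   # kernel threads and unreadable processes land here
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_records(records) -> dict:
    """Map PID -> reasons for every record that raises at least one flag."""
    return {p.pid: r for p in records if (r := suspicious_reasons(p))}


def scan_proc() -> dict:
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    recs = [r for pid in pids if (r := read_proc(pid)) is not None]
    return scan_records(recs)


# Constructed sample: kthreadd, a genuine kworker, a memfd-backed fake kworker, and sshd.
SAMPLE = [
    ProcInfo(pid=2, ppid=0, comm="kthreadd", cmdline="", exe=""),
    ProcInfo(pid=15, ppid=2, comm="kworker/0:0", cmdline="", exe=""),
    ProcInfo(pid=1337, ppid=1, comm="kworker/0:0", cmdline="[kworker/0:0]",
             exe="/memfd:x (deleted)"),
    ProcInfo(pid=4242, ppid=1, comm="sshd", cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, reasons in scan_proc().items():
        print(pid, "; ".join(reasons))
```

Run it as root so every exe link is readable. These are heuristics: a process cannot change its parent, so the kthreadd check is the sturdiest of the three, while the cmdline and exe checks can be defeated by a determined implant, and the listing itself is only trustworthy if the host's readdir is not already hooked by the rootkit layer the article describes next.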
The malware’s persistence strategy is redundant and resilient, supporting seven different mechanisms across both user and system scopes. Most notably, it incorporates a PAM (Pluggable Authentication Module) backdoor with inline hooking.
The implant dynamically compiles this backdoor on the target host using gcc, allowing it to exactly match the host’s architecture and headers. Once installed via /etc/ld.so.preload, this module enables:
- Plaintext Interception: Capturing passwords during every authentication event.
- Master Password Bypass: Using a hardcoded password (O$$f$QtYJK) to gain access regardless of the user’s actual credentials.
- Lateral Movement Monitoring: Silently logging outbound SSH session data.
QLNX conceals its presence through a two-tier rootkit system that hides PIDs, filenames, and network ports:
- Userspace (LD_PRELOAD): Hijacks standard C library functions to skip directory entries matching the malware’s components.
- Kernel-level (eBPF): Manages BPF maps to hide items directly from the kernel, ensuring that even lower-level system tools are blind to the infection.
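Two of the mechanisms above have cheap defender-side checks: the PAM backdoor is loaded through /etc/ld.so.preload, so a non-empty preload file on a host that never configured one is a finding in itself, and a readdir-hooking rootkit hides /proc entries but usually cannot stop a direct stat of /proc/<pid>/status, so a brute-force probe of the PID space and a comparison with the directory listing exposes hidden PIDs. The script below is an added example for this article, not code from Trend Micro's report or the implant; its parsing rules and sample inputs are constructed.

```python
import os

LD_SO_PRELOAD = "/etc/ld.so.preload"


def preload_entries(text: str) -> list:
    """Parse ld.so.preload content: whitespace-separated paths, '#' comments ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def read_preload(path: str = LD_SO_PRELOAD) -> list:
    try:
        with open(path) as f:
            return preload_entries(f.read())
    except FileNotFoundError:
        return []


def hidden_pids(listed, probed) -> list:
    """PIDs that a direct probe proves exist but the directory listing omits."""
    return sorted(set(probed) - set(listed))


def is_thread_group_leader(pid: int) -> bool:
    """/proc/<tid> exists for every thread but only leaders appear in readdir,
    so compare Tgid to avoid reporting ordinary threads as 'hidden'."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def probe_pids(pid_max: int) -> list:
    """Probe every candidate PID via stat(), bypassing readdir entirely."""
    found = []
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}/status")
        except FileNotFoundError:
            continue
        except PermissionError:
            pass   # exists but unreadable: still a live PID
        if is_thread_group_leader(pid):
            found.append(pid)
    return found


def listed_pids() -> list:
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def scan_host(pid_max: int = None) -> dict:
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    before = listed_pids()
    probed = probe_pids(pid_max)
    after = listed_pids()        # a second listing absorbs processes that started meanwhile
    return {
        "preload": read_preload(),
        "hidden_pids": hidden_pids(before + after, probed),
    }


if __name__ == "__main__":
    result = scan_host()
    print("ld.so.preload entries:", result["preload"] or "none")
    print("PIDs present but not listed:", result["hidden_pids"] or "none")
```

Probing the full pid_max (4194304 on most current kernels) takes a while; pass a smaller bound for a quick pass. The LD_PRELOAD layer can only hide from this script if it also hooks stat, and the eBPF layer the article describes can filter getdents results without touching the stat path, which is exactly the gap the probe exploits; a rootkit that hooks both is better hunted with a statically linked tool or from a trusted boot medium.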
The operation is further hardened by a P2P mesh capability, allowing individual implants to relay commands through each other. This makes complete eradication significantly more difficult, as isolated agents can remain connected to the C2 through their peers.
Trend Micro warns that QLNX represents a "living operation" designed for long-term stealth. With the ability to silently intercept plaintext passwords and hijack the keys to NPM and PyPI, a single infected workstation is no longer just a local security issue: it's a potential disaster for the entire global software ecosystem.