Trend Micro researchers have documented Quasar Linux (QLNX), a previously unknown Linux remote access trojan with sophisticated evasion and persistence capabilities. The malware executes filelessly from memory, renames its process to look like a kernel thread, and deploys both a userland LD_PRELOAD rootkit and an eBPF-based rootkit to hide itself. It compiles PAM backdoor modules on the target host using gcc, enabling plaintext credential interception together with a hardcoded master password that the attacker can use to log in.

QLNX's credential harvester specifically targets developer and DevOps secrets, including AWS credentials, Kubernetes configs, Docker tokens, NPM/PyPI auth tokens, Git credentials, and GitHub CLI tokens, which makes it a direct supply chain threat. The malware supports 58 C2 commands covering file management, keylogging, SOCKS proxying, process injection, P2P mesh networking, and more. Its P2P mesh capability makes complete eradication difficult, since a cleaned host can be re-infected by a peer. A single compromised developer workstation could enable attackers to publish trojanized packages to npm or PyPI, pivot into cloud infrastructure, or inject backdoors into CI/CD pipelines.
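The summary names four host-level behaviours a responder can look for: a userland process posing as a kernel thread, an in-memory executable, an LD_PRELOAD rootkit, and freshly built PAM modules, plus a known set of secret files at risk. The script below is an added example written for this page; it is not Trend Micro's tooling and contains no indicators from their report. The kernel-thread name prefixes, the secret file paths, and the "newer than pam_unix.so" heuristic are the example's own assumptions. It is meant to be run as root on a Linux host under investigation, and every finding is a lead for manual review, not a verdict.

```python
# Added example, not from the Trend Micro write-up: host triage checks for the
# QLNX tradecraft summarized above. Heuristics and paths are assumptions.
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed prefixes that genuine kernel threads use for their comm names.
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration",
                    "rcu_", "kswapd", "cpuhp", "watchdog")

# Assumed standard locations of the developer secrets the summary lists.
SECRET_FILES = {
    "AWS credentials": ".aws/credentials",
    "Kubernetes config": ".kube/config",
    "Docker tokens": ".docker/config.json",
    "NPM auth token": ".npmrc",
    "PyPI auth token": ".pypirc",
    "Git credentials": ".git-credentials",
    "GitHub CLI token": ".config/gh/hosts.yml",
}

# Assumed PAM module directories on common distributions.
PAM_DIRS = ("/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str        # /proc/<pid>/comm
    cmdline: str     # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: str         # readlink of /proc/<pid>/exe, '' when it cannot be read
    maps_lines: int  # line count of /proc/<pid>/maps (empty for kernel threads)


def kthread_findings(p: ProcInfo) -> List[str]:
    """A real kernel thread has no userland image: no exe link, an empty maps
    file, an empty cmdline, and kthreadd (pid 2) as parent. A process that
    renamed itself with prctl(PR_SET_NAME) to look like one still has those."""
    out = []
    named_like_kthread = p.comm.startswith(KTHREAD_PREFIXES) or p.cmdline == ""
    has_userland_image = p.exe != "" or p.maps_lines > 0
    if named_like_kthread and has_userland_image:
        out.append(f"pid {p.pid} '{p.comm}' looks like a kernel thread but has a userland image")
    if p.comm.startswith(KTHREAD_PREFIXES) and p.ppid not in (0, 2):
        out.append(f"pid {p.pid} '{p.comm}' has parent {p.ppid}, not kthreadd")
    if "memfd:" in p.exe or "(deleted)" in p.exe:
        out.append(f"pid {p.pid} runs from memory or a deleted file: {p.exe}")
    return out


def preload_findings(ld_so_preload_text: str) -> List[str]:
    """Every entry in /etc/ld.so.preload is injected into each dynamically
    linked process; on a healthy host the file is usually absent or empty."""
    libs = [l.strip() for l in ld_so_preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return [f"/etc/ld.so.preload loads {lib}" for lib in libs]


def pam_module_findings(modules: List[Tuple[str, float]]) -> List[str]:
    """modules: (filename, mtime) pairs from one PAM module directory. pam_unix.so
    only changes on package upgrade, so a .so newer than it deserves a look."""
    ref = dict(modules).get("pam_unix.so")
    if ref is None:
        return []
    return [f"PAM module {n} is newer than pam_unix.so" for n, m in modules
            if n.endswith(".so") and m > ref]


def exposed_secret_files(home: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Secret files present under one home directory (what a harvester would take)."""
    out = []
    for label, rel in SECRET_FILES.items():
        path = os.path.join(home, rel)
        if exists(path):
            out.append(f"{label}: {path}")
    return out


def read_proc(pid: int) -> ProcInfo:
    """Collect the fields kthread_findings needs from /proc/<pid>."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""
    with open(f"{base}/maps") as f:
        maps_lines = sum(1 for _ in f)
    ppid = 0
    with open(f"{base}/status") as f:
        for line in f:
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
                break
    return ProcInfo(pid, ppid, comm, cmdline, exe, maps_lines)


if __name__ == "__main__":
    findings: List[str] = []
    for name in os.listdir("/proc"):
        if re.fullmatch(r"\d+", name):
            try:
                findings += kthread_findings(read_proc(int(name)))
            except OSError:
                pass  # process exited or is unreadable
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            findings += preload_findings(f.read())
    for d in PAM_DIRS:
        if os.path.isdir(d):
            mods = [(e.name, e.stat().st_mtime) for e in os.scandir(d) if e.is_file()]
            findings += [f"{d}: {x}" for x in pam_module_findings(mods)]
    for entry in os.scandir("/home"):
        findings += exposed_secret_files(entry.path) if entry.is_dir() else []
    print("\n".join(findings) or "no findings")
```

The process check keys on the fact that a kernel thread has nothing in userland at all; a process that only copies a kworker name still owns an executable image and memory mappings, and an image that resolves to a memfd or deleted path is the fileless execution the summary describes. The secret-file listing is deliberately included so the same run tells you what an attacker on that host could already have taken, which drives the credential rotation scope.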

Source: trendmicro.com (28 min read)