Full Report
A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. "QLNX targets developers and DevOps credentials across the software supply chain,"
Analysis Summary
# Tool/Technique: Quasar Linux RAT (QLNX)
## Overview
Quasar Linux RAT (QLNX) is a previously undocumented Linux implant built for long-term espionage and software supply chain compromise. It specifically targets developers and DevOps engineers to harvest sensitive credentials (AWS, GitHub, Kubernetes, etc.), giving attackers the ability to pivot into CI/CD pipelines, push malicious packages, or hijack cloud infrastructure.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan)
- **Platform:** Linux (x86/x64)
- **Capabilities:** Credential harvesting, fileless execution, multi-layered rootkit, network tunneling, and automated log wiping.
- **First Seen:** May 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1543.002 - Create or Modify System Process: Systemd Service
- T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification (`.bashrc`)
- T1053.003 - Scheduled Task/Job: Cron
- **TA0005 - Defense Evasion**
- T1014 - Rootkit (LD_PRELOAD userland layer and eBPF kernel layer)
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking (`LD_PRELOAD`)
- T1620 - Reflective Code Loading (fileless, in-memory execution)
- T1036.005 - Masquerading: Match Legitimate Name or Location (process names mimicking kernel threads)
- T1055 - Process Injection (code injection into other processes)
- T1070.002 - Indicator Removal: Clear Linux or Mac System Logs
- **TA0006 - Credential Access**
- T1556.003 - Modify Authentication Process: Pluggable Authentication Modules
- T1552.001 - Unsecured Credentials: Credentials In Files
- **TA0009 - Collection**
- T1056.001 - Input Capture: Keylogging
- T1115 - Clipboard Data
- **TA0011 - Command and Control**
- T1090 - Proxy (SOCKS proxy and P2P mesh)
- T1572 - Protocol Tunneling (TCP tunnels)
- T1571 - Non-Standard Port (Raw TCP)
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- **Fileless Execution:** Runs entirely from memory to minimize disk footprint.
- **Process Masquerading:** Renames its process to mimic kernel threads (e.g., `kworker` or `ksoftirqd`).
- **Comprehensive Credential Harvesting:** Scans for and exfiltrates high-value files:
- DevOps/Cloud: `.aws/credentials`, `.kube/config`, `.vault-token`, Terraform credentials.
- Package Managers: `.npmrc`, `.pypirc`.
- Version Control: `.git-credentials`, GitHub CLI tokens.
- **Persistence Redundancy:** Employs seven distinct methods including systemd, crontab, and `.bashrc` shell injection.
### Advanced Features
- **Two-Tiered Rootkit:**
- **Userland:** Uses `LD_PRELOAD` to hook libc library calls (e.g., `readdir`, `stat`) rather than true system calls, filtering its own processes and files out of the results; statically linked tools and kernel-side views are unaffected by this layer.
- **Kernel:** Uses eBPF programs to conceal network ports and artifacts from tools like `netstat` and `ps`.
- **PAM Backdoor:** Inline hooking of Pluggable Authentication Modules to capture plaintext passwords and SSH session data in real-time.
- **Network Maneuvering:** Supports SOCKS proxies, TCP tunnels, and a Peer-to-Peer (P2P) mesh network for resilient C2 infrastructure.
- **Extensible Execution:** Capable of running Beacon Object Files (BOFs) and code injection into other processes.
## Indicators of Compromise
- **File Hashes:** [Specific hashes not provided in article; refer to original Trend Micro report]
- **File Names:** Masquerades as standard kernel workers (`kworker`, `ksoftirqd`).
- **Network Indicators:**
- Communication over raw TCP, HTTP, and HTTPS.
- [C2 Domains/IPs]: (Defanged) `hxxp[:]//[attacker-controlled-domain]`, `hxxps[:]//[attacker-controlled-domain]`.
- **Behavioral Indicators:**
- Frequent modification of `.bashrc` or `systemd` unit files.
- Unexpected `LD_PRELOAD` environment variables in process environments, or unexpected entries in `/etc/ld.so.preload`.
- Unusual eBPF program attachments.
- Systematic access to multiple hidden configuration files in user home directories (e.g., `.aws`, `.docker`).
## Associated Threat Actors
- Currently unattributed (Reported as a professional-grade tool targeting the software supply chain).
## Detection Methods
- **Signature-based detection:** Scan process memory for known QLNX code patterns (the implant is fileless, so on-disk scans alone will miss it), and audit `systemd` unit files, cron entries and shell rc files for its persistence hooks.
- **Behavioral detection:**
- Monitoring for unauthorized PAM modifications.
- Detecting unusual eBPF hooks or `LD_PRELOAD` activity.
- Identifying processes named like kernel threads (`kworker`, `ksoftirqd`) whose parent is not `kthreadd` (PID 2), that have a non-empty `cmdline` or a resolvable `exe` link, or that hold network sockets; genuine kernel threads have none of these.
- **YARA:** Target the 58 distinct command strings used in the primary communication loop.
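A check for the kernel-thread lookalike bullet above, written as an added example rather than code from the report: it assumes that a genuine kernel thread is a child of `kthreadd` (PID 2) with an empty `cmdline`, no resolvable `exe` link and no socket descriptors, and it reads `/proc` as root. The `ProcRecord` fields, function names and the `KTHREAD_NAMES` prefix list are ours.

```python
"""Flag processes that carry a kernel-thread name but do not behave like one.

Added example, not code from the original report or from QLNX. Assumption:
a genuine kernel thread is a child of kthreadd (PID 2), has an empty
/proc/<pid>/cmdline, no resolvable /proc/<pid>/exe and no socket fds."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel-thread name prefixes to examine (hypothetical list; extend per kernel).
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")
KTHREADD_PID = 2

@dataclass
class ProcRecord:
    pid: int
    comm: str
    ppid: int
    cmdline: str                # "" for real kernel threads
    exe: Optional[str]          # None when /proc/<pid>/exe does not resolve
    sockets: int                # fds whose link target starts with "socket:"
    environ_has_preload: bool = False

def suspicious_reasons(rec: ProcRecord) -> List[str]:
    """Inconsistencies for a kernel-thread lookalike; [] means it looks genuine."""
    if not KTHREAD_NAMES.match(rec.comm):
        return []
    reasons = []
    if rec.pid != KTHREADD_PID and rec.ppid != KTHREADD_PID:
        reasons.append(f"ppid={rec.ppid}, expected {KTHREADD_PID}")
    if rec.cmdline:
        reasons.append("non-empty cmdline")
    if rec.exe is not None:
        reasons.append(f"exe -> {rec.exe}")
    if rec.sockets:
        reasons.append(f"{rec.sockets} socket fd(s)")
    if rec.environ_has_preload:
        reasons.append("LD_PRELOAD set in environ")
    return reasons

def _readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:                 # ENOENT for kernel threads, EACCES if not root
        return ""

def read_record(pid: int) -> ProcRecord:
    """Build a ProcRecord from /proc (run as root so exe/fd/environ are readable)."""
    base = f"/proc/{pid}"
    with open(f"{base}/stat", "rb") as f:
        stat = f.read().decode(errors="replace")
    comm = stat[stat.index("(") + 1:stat.rindex(")")]        # comm may contain spaces
    ppid = int(stat[stat.rindex(")") + 2:].split()[1])       # after ')': state ppid ...
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    exe = _readlink(f"{base}/exe") or None
    try:
        sockets = sum(1 for fd in os.listdir(f"{base}/fd")
                      if _readlink(f"{base}/fd/{fd}").startswith("socket:"))
    except OSError:
        sockets = 0
    try:
        with open(f"{base}/environ", "rb") as f:
            preload = b"LD_PRELOAD=" in f.read()
    except OSError:
        preload = False
    return ProcRecord(pid, comm, ppid, cmdline, exe, sockets, preload)

def enumerate_pids() -> List[int]:
    """Union of readdir(/proc) and a stat() sweep up to pid_max, so a userland
    hook that only filters readdir() results still leaves the PID visible."""
    pids = {int(e) for e in os.listdir("/proc") if e.isdigit()}
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    for pid in range(1, pid_max + 1):   # a few seconds with the default pid_max
        try:
            os.stat(f"/proc/{pid}/stat")
            pids.add(pid)
        except OSError:
            pass
    return sorted(pids)

def scan_proc():
    """Yield (pid, comm, reasons) for every kernel-thread lookalike found."""
    for pid in enumerate_pids():
        try:
            rec = read_record(pid)
        except (OSError, ValueError):
            continue                    # exited mid-scan or unreadable
        reasons = suspicious_reasons(rec)
        if reasons:
            yield rec.pid, rec.comm, reasons

if __name__ == "__main__":
    for pid, comm, reasons in scan_proc():
        print(f"pid {pid} ({comm}): " + "; ".join(reasons))
```

Run it as root so `exe`, `fd` and `environ` are readable. A process that only rewrote its name with `prctl(PR_SET_NAME)` or by overwriting `argv` still has a user-space parent, an `exe` link (for a `memfd_create` loader it reads like `/memfd:... (deleted)`) and, if it beacons, socket descriptors. The PID sweep also surfaces thread IDs, which `/proc` hides from `readdir` by design; that is expected noise. The script is itself dynamically linked, so a global `/etc/ld.so.preload` hook that also filters `stat()` would blind the sweep; cross-check with a statically linked tool or kernel-side data when a userland rootkit is suspected.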
## Mitigation Strategies
- **Prevention:** Enforce strict file permissions on credential files (`chmod 600 ~/.aws/credentials` and the like) and mount temporary directories `noexec`; note that `noexec` only blocks execution from disk, so a fileless loader that runs from `memfd_create` memory is unaffected and must be covered by auditing instead.
- **Hardening:** `LD_PRELOAD` cannot be switched off globally, so constrain it instead: keep `/etc/ld.so.preload` absent or immutable (`chattr +i`), audit writes to it, and use statically linked tools for incident response. Set `kernel.unprivileged_bpf_disabled=1` and log every `bpf(2)` call (e.g., the Auditd rule `-a always,exit -F arch=b64 -S bpf -k bpf_load`, or an equivalent Falco rule) so unexpected eBPF program loads surface.
- **Access Control:** Utilize Hardware Security Modules (HSMs) or short-lived credentials for CI/CD and cloud access to limit the impact of harvested static tokens.
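Worked detection for the behavioral indicators listed earlier (credential-file sweeps, PAM and `ld.so.preload` tampering, eBPF program loads) and for the Auditd rules the hardening bullet recommends, as an added example that is not from the report: it assumes the Auditd rules embedded in `AUDIT_RULES` (the `qlnx_*` keys and the `/home/dev` paths are hypothetical) and runs over constructed `audit.log` lines in `SAMPLE_LOG`, not a real capture.

```python
"""Correlate raw auditd records into the QLNX-style alerts this page lists.

Added example, not code from the original report: it assumes the auditd
rules in AUDIT_RULES (key names and /home/dev paths are ours) and runs over
constructed audit.log lines in SAMPLE_LOG rather than a real capture."""
import re
from collections import defaultdict

# Assumed rules for /etc/audit/rules.d/qlnx.rules; adjust paths per host.
AUDIT_RULES = """\
-w /etc/ld.so.preload -p wa -k qlnx_preload
-w /etc/pam.d -p wa -k qlnx_pam
-a always,exit -F arch=b64 -S bpf -k qlnx_bpf
-w /home/dev/.aws/credentials -p r -k qlnx_creds
-w /home/dev/.kube/config -p r -k qlnx_creds
-w /home/dev/.git-credentials -p r -k qlnx_creds
-w /home/dev/.npmrc -p r -k qlnx_creds
"""

BPF_PROG_LOAD = 5                 # bpf(2) cmd value for BPF_PROG_LOAD (linux/bpf.h)
CRED_FILE_THRESHOLD = 3           # distinct secret files read by one pid ...
WINDOW_SECONDS = 60               # ... within this many seconds
BPF_ALLOWLIST = {"systemd", "bpftool", "falco"}   # assumed legitimate loaders

_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(lines):
    """Group raw audit.log records by event serial; PATH names go in 'paths'."""
    events = {}
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"ts": int(ts), "paths": []})
        fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events

def detect(lines):
    """Return [(rule, pid, detail)]: single-event alerts in time order, then
    one 'credential sweep' per pid that read too many secrets in WINDOW_SECONDS."""
    alerts = []
    reads = defaultdict(list)             # pid -> [(ts, path)]
    for ev in sorted(parse_events(lines).values(), key=lambda e: e["ts"]):
        key, pid = ev.get("key"), ev.get("pid")
        if key == "qlnx_preload" and ev.get("success") == "yes":
            alerts.append(("ld.so.preload modified", pid, ev.get("exe")))
        elif key == "qlnx_pam" and ev.get("success") == "yes":
            alerts.append(("PAM config modified", pid, ev["paths"]))
        elif key == "qlnx_bpf" and int(ev.get("a0", "0"), 16) == BPF_PROG_LOAD:
            if ev.get("comm") not in BPF_ALLOWLIST:   # a0..a3 are hex in audit logs
                alerts.append(("eBPF program load", pid, ev.get("comm")))
        elif key == "qlnx_creds":
            for path in ev["paths"]:
                reads[pid].append((ev["ts"], path))
    for pid, hits in reads.items():       # sliding window over secret-file reads
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = {p for t, p in hits[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= CRED_FILE_THRESHOLD:
                alerts.append(("credential sweep", pid, sorted(window)))
                break
    return alerts

# Constructed sample audit.log lines (not a real capture): pid 31337 sweeps three
# secrets, loads an eBPF program and writes ld.so.preload; systemd's bpf() and
# a single read by the aws CLI (pid 2001) are benign and must not alert.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1715000000.101:1001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a2b3f0 a2=0 a3=0 items=1 ppid=1 pid=31337 auid=1000 uid=1000 comm="kworker/u8:1" exe="/memfd:x (deleted)" key="qlnx_creds"
type=PATH msg=audit(1715000000.101:1001): item=0 name="/home/dev/.aws/credentials" inode=11 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1715000002.102:1002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a2b400 a2=0 a3=0 items=1 ppid=1 pid=31337 auid=1000 uid=1000 comm="kworker/u8:1" exe="/memfd:x (deleted)" key="qlnx_creds"
type=PATH msg=audit(1715000002.102:1002): item=0 name="/home/dev/.kube/config" inode=12 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1715000003.103:1003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a2b410 a2=0 a3=0 items=1 ppid=1 pid=31337 auid=1000 uid=1000 comm="kworker/u8:1" exe="/memfd:x (deleted)" key="qlnx_creds"
type=PATH msg=audit(1715000003.103:1003): item=0 name="/home/dev/.git-credentials" inode=13 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1715000010.104:1004): arch=c000003e syscall=321 success=yes exit=7 a0=5 a1=7ffd1c2e0 a2=90 a3=0 items=0 ppid=1 pid=31337 auid=1000 uid=0 comm="kworker/u8:1" exe="/memfd:x (deleted)" key="qlnx_bpf"
type=SYSCALL msg=audit(1715000011.105:1005): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c300 a2=241 a3=1b6 items=2 ppid=1 pid=31337 auid=1000 uid=0 comm="kworker/u8:1" exe="/memfd:x (deleted)" key="qlnx_preload"
type=PATH msg=audit(1715000011.105:1005): item=1 name="/etc/ld.so.preload" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1715000012.106:1006): arch=c000003e syscall=321 success=yes exit=8 a0=5 a1=7ffd1c400 a2=90 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="qlnx_bpf"
type=SYSCALL msg=audit(1715000013.107:1007): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c500 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 comm="aws" exe="/usr/bin/aws" key="qlnx_creds"
type=PATH msg=audit(1715000013.107:1007): item=0 name="/home/dev/.aws/credentials" inode=11 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
"""

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] pid={pid}: {detail}")
```

Feed it `/var/log/audit/audit.log` (or `ausearch --raw` output) once the rules are loaded with `augenrules --load`. The `a0` comparison is what separates a `BPF_PROG_LOAD` from harmless map lookups, since the watch fires on every `bpf(2)` call; the allowlist and the three-files-in-sixty-seconds threshold are starting points to tune against the host's normal tooling, and a single secret read by the legitimate CLI, as in the last constructed event, does not alert.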
## Related Tools/Techniques
- **QuasarRAT:** The original Windows-based version of the tool.
- **PAMdoora:** A similar PAM-based Linux backdoor.
- **Ebpfkit:** A rootkit that utilizes eBPF for stealth.