Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities
Summary
A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-stealing capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on the target host using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components to evade detection. QLNX features a 58-command RAT core, credential harvesting, surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, mirroring tactics observed in recent supply-chain incidents.
Timeline
- 06.05.2026 01:01 (1 article)
  New Quasar Linux (QLNX) implant identified targeting developer environments with multi-stage attack toolkit
  A previously undocumented Linux implant, Quasar Linux (QLNX), has been identified targeting developer and DevOps environments. The malware combines rootkit, backdoor, and credential-stealing capabilities, deploying via dynamic compilation of rootkit shared objects and PAM backdoors on target hosts using gcc. QLNX establishes fileless persistence through seven mechanisms, employs dual-layer stealth (userland LD_PRELOAD rootkit and kernel-level eBPF component), and includes a 58-command RAT core, credential harvesting, surveillance, lateral movement, process injection, and filesystem monitoring modules.
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
Information Snippets
- Quasar Linux (QLNX) is a previously undocumented Linux implant targeting developers' systems across npm, PyPI, GitHub, AWS, Docker, and Kubernetes environments.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- The implant combines rootkit, backdoor, and credential-stealing capabilities, establishing stealthy, fileless persistence and enabling potential supply-chain attacks.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- QLNX dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc (GNU Compiler Collection).
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- Persistence mechanisms include LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and '.bashrc' injection, ensuring loading into every dynamically linked process and automatic respawn.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- Stealth mechanisms include a dual-layer rootkit combining userland LD_PRELOAD hooks and a kernel-level eBPF component, hiding files, processes, PIDs, file paths, and network ports.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- QLNX features a 58-command RAT core providing interactive shell access, file and process management, system control, and network operations with persistent C2 communication over custom TCP/TLS or HTTP/S channels.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- The malware includes a credential access layer harvesting SSH keys, browser data, cloud and developer configurations, /etc/shadow, clipboard contents, and intercepting plaintext authentication via PAM backdoors.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- Additional modules include keylogging, screenshot capture, clipboard monitoring, TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, peer-to-peer mesh networking, process injection, in-memory payload execution, and real-time filesystem monitoring via inotify.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- After initial access, QLNX establishes a fileless foothold, deploys persistence and stealth mechanisms, and then harvests developer and cloud credentials to potentially facilitate supply-chain compromises.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
- At the time of disclosure, QLNX is detected by only four security solutions, and Trend Micro has provided IoCs to aid detection and mitigation.
  First reported: 06.05.2026 01:01 (1 source, 1 article)
  - New stealthy Quasar Linux malware targets software developers — www.bleepingcomputer.com — 06.05.2026 01:01
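
A defensive check for the persistence locations named in the snippets above, added here as an example and not taken from the page or the cited research: it hashes every file in those locations under a given root and diffs the result against a baseline. The glob paths and the sample tree are assumptions (common distro layouts, constructed data). Since the implant is described as hiding files from hooked processes, run it against an offline mount of the disk from a trusted host.

```python
import hashlib, re, tempfile
from pathlib import Path

# Globs, relative to the scanned root, for the persistence locations the page lists (assumed paths).
PERSISTENCE_GLOBS = {
    "ld_preload": ["etc/ld.so.preload"],
    "systemd": ["etc/systemd/system/**/*", "home/*/.config/systemd/user/**/*"],
    "crontab": ["etc/crontab", "etc/cron.d/*", "var/spool/cron/**/*"],
    "init.d": ["etc/init.d/*"],
    "xdg_autostart": ["etc/xdg/autostart/*", "home/*/.config/autostart/*"],
    "bashrc": ["etc/bash.bashrc", "home/*/.bashrc", "root/.bashrc"],
}

def snapshot(root):
    """Map 'mechanism:relative/path' to the SHA-256 of each file found."""
    root, snap = Path(root), {}
    for mech, patterns in PERSISTENCE_GLOBS.items():
        for pattern in patterns:
            for p in root.glob(pattern):
                if p.is_file():
                    digest = hashlib.sha256(p.read_bytes()).hexdigest()
                    snap[f"{mech}:{p.relative_to(root).as_posix()}"] = digest
    return snap

def diff(baseline, current):
    """Entries added, removed or modified since the baseline snapshot."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in both if baseline[k] != current[k]),
    }

def preload_entries(root):
    """Libraries named in ld.so.preload (whitespace or colon separated, '#' comments)."""
    f = Path(root) / "etc/ld.so.preload"
    lines = f.read_text(errors="replace").splitlines() if f.is_file() else []
    return [t for ln in lines for t in re.split(r"[\s:]+", ln.split("#", 1)[0]) if t]

def demo():  # constructed tree: baseline, three simulated changes, then the diff
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc", "home/dev/.config/autostart"):
            (root / sub).mkdir(parents=True)
        (root / "home/dev/.bashrc").write_text("alias ll='ls -l'\n")
        base = snapshot(root)
        (root / "home/dev/.bashrc").write_text("alias ll='ls -l'\necho constructed-change\n")
        (root / "etc/ld.so.preload").write_text("/usr/lib/libexample.so  # constructed\n")
        (root / "home/dev/.config/autostart/a.desktop").write_text("[Desktop Entry]\n")
        return diff(base, snapshot(root)), preload_entries(root)
```

On most hosts `etc/ld.so.preload` is absent or empty, so any entry returned by `preload_entries` deserves review even without a baseline.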