Quasar Linux (QLNX): Advanced RAT targets developers and threatens software supply chain
A new silent threat is targeting professionals who work with Linux in development environments. Named Quasar Linux (or QLNX), this sophisticated RAT was detailed by Trend Micro this week and is already worrying security teams around the world.
With advanced obfuscation techniques, including a double-layer rootkit and in-memory execution, the malware steals credentials for Git, AWS, Kubernetes, NPM, and PyPI. The clear goal is to turn a developer workstation into a gateway for supply chain attacks.
According to Trend Micro's white paper, QLNX combines robust persistence with targeted secret collection, making it especially dangerous for companies that rely on CI/CD pipelines and public repositories.
- Quasar Linux runs filelessly, erases the original binary from disk, and uses six different persistence methods.
- It focuses on collecting developer credentials, including SSH keys, cloud tokens, and package repositories.
- Combines a userland rootkit (LD_PRELOAD) with an eBPF component in the kernel and a backdoor in the PAM module.
- Extremely low detection rate at the time of analysis, which allows infections to persist for long periods.
- Represents a high supply chain risk, because it compromises trusted developer accounts.
How the malware manages to stay hidden for months
QLNX doesn't make a fuss. After the initial infection, it runs directly from memory, removes the original file, and cleans up traces in system logs. The process name is spoofed to appear legitimate, and environment variables that investigators rely on are zeroed out.
An impressive technical detail: the malware compiles its components on the host using gcc. This lets the rootkit match the kernel of the infected machine exactly, which complicates the creation of static signatures by security tools.
The core framework offers more than 50 commands, including remote shell, file management, tunneling, and process injection. The double-layer rootkit hides both files and processes, while the PAM backdoor captures passwords in plain text during normal authentications.
Credential harvesting is surgical: the malware scours common dev folders, cloud configuration files, and even the clipboard in search of valid tokens.
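Two of the stealth behaviours described above leave traces in /proc that a defender can check for without any vendor tooling: a process whose binary was removed after launch shows a `(deleted)` suffix on its `/proc/<pid>/exe` link, and a process that renamed itself has a `/proc/<pid>/comm` that matches neither its executable nor its own argv[0]. The following script is an added example written for this article, not code from Trend Micro or from the malware analysis; the process names, paths and PIDs in the constructed /proc snapshot are invented for the demo.

```python
import os
import tempfile

# The kernel truncates /proc/<pid>/comm to 15 characters (TASK_COMM_LEN - 1).
COMM_LEN = 15


def scan_proc(proc_root="/proc"):
    """Return (pid, reason) findings for processes whose on-disk binary is gone
    or whose visible name does not match the program actually running.
    Point proc_root at the real /proc on a live host, or at a snapshot copy."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        pdir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            continue  # kernel threads have no exe; other PIDs may be unreadable
        if exe.endswith(" (deleted)"):
            findings.append((pid, f"binary removed from disk: {exe}"))
        try:
            with open(os.path.join(pdir, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(pdir, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue
        exe_base = os.path.basename(exe.replace(" (deleted)", ""))[:COMM_LEN]
        argv0_base = os.path.basename(argv0)[:COMM_LEN]
        # A process may set its own comm (prctl PR_SET_NAME) and overwrite argv.
        # Interpreters and symlinked binaries legitimately differ from the exe
        # name, so only flag a comm that matches neither the exe nor argv[0].
        if comm and comm not in (exe_base, argv0_base, argv0[:COMM_LEN]):
            findings.append((pid, f"name '{comm}' matches neither exe '{exe_base}' nor argv0 '{argv0_base}'"))
    return findings


def build_constructed_proc():
    """Constructed /proc snapshot for the demo (all entries invented): a normal
    sshd, a python service whose names differ legitimately, and a process whose
    binary was deleted after launch and which renamed itself like a kernel thread."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add(pid, exe_target, comm, argv):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))  # readlink returns the target text as-is
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")

    add(812, "/usr/sbin/sshd", "sshd", ["/usr/sbin/sshd", "-D"])
    add(2300, "/usr/bin/python3.11", "python3", ["/usr/bin/python3", "app.py"])  # not flagged
    add(4711, "/tmp/.cache/agent (deleted)", "kworker/0:1", ["[kworker/0:1]"])  # flagged twice
    return root


if __name__ == "__main__":
    for pid, reason in scan_proc(build_constructed_proc()):
        print(pid, reason)
```

Run it as root against the live `/proc` to cover every process. A real kernel thread has no `exe` link at all, so a process that carries a kernel-thread-style name but does have an executable is exactly what the second check surfaces; a userland LD_PRELOAD rootkit can hide PIDs from tools that go through libc, so the findings are a triage signal, not a complete inventory.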
Technical analysis based on the Trend Micro report
According to the researchers, QLNX follows a well-defined flow: initial access, establishment of a silent foothold, deployment of multiple persistence mechanisms, and only then the active data-theft phase. Compiling on the target dramatically increases compatibility across heterogeneous environments.
Another notable aspect is the in-depth understanding of developer habits. The malware prioritizes .env files, Docker configurations, and CI/CD tokens, exactly where the most valuable secrets are most often exposed in practice.
Comparison with other known Linux threats
| Threat | Stealth Level | Main Focus | Persistence | Supply Chain Risk |
|---|---|---|---|---|
| Quasar Linux (QLNX) | Double rootkit + fileless | Dev credentials | 6 methods + PAM | High |
| BPFDoor | eBPF | Generic backdoor | Moderate | Medium |
| XMRig | Basic | Mining | Low | Low |
| Custom APT Implants | High | Espionage | High | High |
Real Risks
The main danger is not an isolated infection, but the use of stolen credentials to publish malicious packages to public repositories. A single compromised dev can affect thousands of downstream users.
On the other hand, the malware still relies on an initial vector, typically social engineering or vulnerability exploitation. Environments with hardened SELinux, centralized secret management, and modern EDR can significantly raise the cost of the attack.
How to Protect Yourself Against Quasar Linux
Adopt best practices: use multi-factor authentication across all services, manage secrets with Vault or cloud-native services, and avoid exposing tokens in repositories. Monitor suspicious compiler executions and changes to PAM modules or to ld.so.preload.
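The two monitoring recommendations above map directly onto Linux audit records: an execve of a compiler, and a write to /etc/ld.so.preload or to the PAM configuration and module directories. The script below, an added example written for this article rather than anything from the Trend Micro report, parses auditd-style records grouped by event serial and raises an alert for each. The audit lines are constructed for the demo; the process names, paths and UIDs in them are invented, and the audit rules in the header comment are ordinary auditctl watch rules that would produce such records.

```python
import os
import re
from collections import defaultdict, namedtuple

# Audit rules (standard auditctl syntax) that produce records like the sample below:
#   -a always,exit -F arch=b64 -S execve -k exec
#   -w /etc/ld.so.preload -p wa -k ld_preload
#   -w /etc/pam.d/ -p wa -k pam_mods
#   -w /usr/lib/x86_64-linux-gnu/security/ -p wa -k pam_mods   (PAM module dir on Debian-style hosts)

Alert = namedtuple("Alert", "serial kind detail")

MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# gcc/clang family, optionally with a target-triple prefix and a version suffix.
COMPILER_RE = re.compile(r"(?:[\w-]+-)?(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+|tcc)(?:-\d+(?:\.\d+)*)?")


def parse_record(line):
    """Split one auditd record into a dict of key=value fields plus its event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    rec["_serial"] = int(m.group(2))
    return rec


def is_compiler(exe):
    return COMPILER_RE.fullmatch(os.path.basename(exe)) is not None


def is_sensitive_path(path):
    """Loader preload file, PAM configuration, and PAM shared modules."""
    return (path == "/etc/ld.so.preload"
            or path.startswith("/etc/pam.d/")
            or path.startswith("/etc/security/")
            or ("/security/pam_" in path and path.endswith(".so")))


def detect(lines):
    """Group records by event serial and return alerts for compiler runs and
    writes to PAM/preload paths. Only completed (success=yes) syscalls count."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    alerts = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("success") != "yes":
            continue
        exe = sc.get("exe", "")
        if is_compiler(exe):
            ev = next((r for r in recs if r.get("type") == "EXECVE"), {})
            arg_keys = sorted((k for k in ev if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            argv = " ".join(ev[k] for k in arg_keys)
            alerts.append(Alert(serial, "compiler_exec", f"uid={sc.get('uid')} comm={sc.get('comm')} argv={argv}"))
        for r in recs:
            if r.get("type") == "PATH" and is_sensitive_path(r.get("name", "")):
                alerts.append(Alert(serial, "sensitive_path", f"uid={sc.get('uid')} exe={exe} touched {r['name']}"))
    return alerts


# Constructed sample records (invented PIDs, users and paths) in auditd's raw format.
SAMPLE_AUDIT_LINES = [
    # 101: compiler building a shared object on a workstation
    'type=SYSCALL msg=audit(1716300001.001:101): arch=c000003e syscall=59 success=yes exit=0 pid=2202 auid=1000 uid=1000 comm="gcc" exe="/usr/bin/x86_64-linux-gnu-gcc-12" key="exec"',
    'type=EXECVE msg=audit(1716300001.001:101): argc=5 a0="gcc" a1="-shared" a2="-fPIC" a3="-o" a4="/tmp/libx.so"',
    # 102: an unknown binary opening the loader preload file for writing
    'type=SYSCALL msg=audit(1716300002.002:102): arch=c000003e syscall=257 success=yes exit=3 pid=2202 auid=1000 uid=0 comm="agent" exe="/tmp/.cache/agent" key="ld_preload"',
    'type=PATH msg=audit(1716300002.002:102): item=0 name="/etc/ld.so.preload" nametype=NORMAL',
    # 103: ordinary sshd exec, no alert expected
    'type=SYSCALL msg=audit(1716300003.003:103): arch=c000003e syscall=59 success=yes exit=0 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"',
    'type=EXECVE msg=audit(1716300003.003:103): argc=2 a0="/usr/sbin/sshd" a1="-D"',
    # 104: a PAM module file being replaced
    'type=SYSCALL msg=audit(1716300004.004:104): arch=c000003e syscall=257 success=yes exit=4 pid=2310 auid=1000 uid=0 comm="cp" exe="/usr/bin/cp" key="pam_mods"',
    'type=PATH msg=audit(1716300004.004:104): item=1 name="/usr/lib/x86_64-linux-gnu/security/pam_unix.so" nametype=CREATE',
    # 105: denied write to ld.so.preload; skipped here because success=no
    'type=SYSCALL msg=audit(1716300005.005:105): arch=c000003e syscall=257 success=no exit=-13 pid=2400 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="ld_preload"',
    'type=PATH msg=audit(1716300005.005:105): item=0 name="/etc/ld.so.preload" nametype=NORMAL',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LINES):
        print(a.serial, a.kind, a.detail)
```

On a developer workstation, compiler executions are normal, so the `compiler_exec` alert is most useful when correlated with the invoking user and parent (a build tool versus an unknown binary) or with a subsequent `sensitive_path` event from the same session; any successful write to ld.so.preload or to a PAM module outside a package-manager transaction deserves a look on its own.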
A threat that requires immediate attention
Quasar Linux shows the clear evolution of attackers: they don't just want to mine cryptocurrencies or steal specific data. They want persistent, privileged access within development teams. Ignoring this would be a strategic error.
Published in May 2026, Trend Micro's report serves as a call to action. Organizations that rely on modern software need to urgently review the security of Linux workstations and development pipelines.
Read the full report on the official Trend Micro website.