New stealthy Quasar Linux malware targets software developers
Trend Micro researchers have uncovered Quasar Linux (QLNX), a stealthy new Linux malware implant that targets software developers' environments (npm, PyPI, GitHub, AWS, Docker, Kubernetes) and signals a potential supply-chain attack vector. QLNX combines rootkit, backdoor, and credential-stealing capabilities to achieve long-term, fileless persistence, including in-memory execution, log deletion, process-name spoofing, and clearing of forensic data. It uses seven persistence mechanisms (among them LD_PRELOAD, systemd, crontab, init.d, XDG autostart, and .bashrc injection) to ensure it loads into dynamically linked processes. The malware comprises modular blocks: a 58-command RAT core, a dual-layer rootkit (userland LD_PRELOAD and kernel eBPF), credential harvesting (SSH keys, cloud/config files, PAM backdoors), surveillance (keylogging, screenshots), networking and lateral movement, in-memory execution/injection, and real-time filesystem monitoring. By targeting developer workstations, QLNX aims to bypass enterprise defenses and reach the credentials underpinning software delivery pipelines; IoCs are provided, but attribution and deployment scope remain unclear.

Stealthy Quasar Linux Malware Targets Software Developers
Overview
A previously undocumented Linux implant, referred to as Quasar Linux (QLNX), has been identified as a stealthy, multi-component malware kit designed to target developers’ environments. Research from Trend Micro describes a compact yet powerful toolset that blends rootkit capabilities, backdoor access, and credential theft. The implant operates in a way that emphasizes long-term stealth and persistence, avoiding easy discovery and enabling continued access to critical development pipelines.
Targeting context and attack surface
QLNX is observed in development and DevOps workflows, with potential reach across popular code and service ecosystems. The malware is deployed in environments associated with:
- npm and PyPI package ecosystems
- GitHub repositories and related workflows
- Cloud platforms and services (AWS)
- Containerization and orchestration stacks (Docker, Kubernetes)
This distribution footprint creates a plausible path for supply-chain style attacks, where malicious packages or configurations could be published and adopted within trusted developer pipelines.
Persistence, stealth, and evasion
QLNX is built to endure and to remain hard to detect. Its stealth features include:
- In-memory operation with the original binary removed from disk
- Log wiping and process-name spoofing to hinder forensic analysis
- Clearing forensic environment variables to obscure provenance
- A diverse suite of persistence methods designed to ensure the implant loads into most dynamically linked processes and respawns if terminated
The seven distinct persistence mechanisms, cited by researchers, include several well-known Linux persistence vectors and one additional technique designed to maintain footholds across restarts and legitimate system activity.
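A triage script for the persistence vectors named above, added here as a defensive example (my code, not Trend Micro's tooling). The file paths, the regexes and the "loader started from /tmp, /var/tmp or /dev/shm" heuristic are my assumptions; the `root` parameter exists because a live host running the rootkit may hide these files, so the scan is best run over a mounted image.

```python
"""Triage hunt for the persistence vectors the article attributes to QLNX; a
defensive helper written for this page, not Trend Micro's tooling."""
import re
import tempfile
from pathlib import Path

# A loader started from a world-writable staging dir is the suspicious pattern.
STAGING = re.compile(r"(^|[\s=:\"'])/(tmp|var/tmp|dev/shm)/")
LD_PRELOAD = re.compile(r"\bLD_PRELOAD\s*=")

# vector -> (regex that flags a non-comment line, globs relative to root)
CHECKS = {
    "ld.so.preload": (re.compile(r"\S"), ["etc/ld.so.preload"]),  # normally empty
    "shell-rc": (LD_PRELOAD, ["etc/profile", "etc/bash.bashrc", "etc/environment",
                              "root/.bashrc", "home/*/.bashrc", "home/*/.profile"]),
    "systemd": (STAGING, ["etc/systemd/system/*.service", "home/*/.config/systemd/user/*.service"]),
    "crontab": (STAGING, ["etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*"]),
    "init.d": (STAGING, ["etc/init.d/*"]),
    "xdg-autostart": (STAGING, ["etc/xdg/autostart/*.desktop", "home/*/.config/autostart/*.desktop"]),
}

def scan_persistence(root="/"):
    """Return (vector, path, offending line) triples found under root (live fs or mounted image)."""
    hits = []
    for vector, (flag, patterns) in CHECKS.items():
        for pattern in patterns:
            for path in filter(Path.is_file, sorted(Path(root).glob(pattern))):
                with path.open(errors="replace") as fh:
                    for line in fh:
                        line = line.strip()
                        if line and not line.startswith("#") and flag.search(line):
                            hits.append((vector, str(path), line))
    return hits

# Constructed sample tree (placeholder names, not real IoCs): one benign cron
# job plus an ld.so.preload entry, an LD_PRELOAD export and a staged service.
SAMPLE = {
    "etc/ld.so.preload": "/usr/local/lib/libx.so\n",
    "home/dev/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/dev/shm/.c/c.so\n",
    "etc/cron.d/backup": "# nightly\n0 2 * * * root /usr/local/bin/backup\n",
    "etc/systemd/system/x.service": "[Service]\nExecStart=/tmp/.x/loader\n",
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root
```

Running `scan_persistence(build_sample_tree())` reports the preload entry, the rc-file export and the staged service while passing the benign cron job; on a real host, every hit still needs a human to confirm what the referenced binary is.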
Technical profile: core components and capabilities
QLNX is described as a modular attack tool with several functional blocks that work in concert. The main components are:
RAT core: The central control element built around a robust command framework (tied to dozens of commands) that enables interactive shell access, file and process management, system control, and network operations. It maintains persistent communication with the command-and-control (C2) channel via custom TCP/TLS or HTTP/S.
Rootkit: A dual-layer stealth approach combining a userland LD_PRELOAD rootkit with a kernel-level eBPF component. The userland layer hooks standard library functions to conceal files, processes, and artifacts, while the eBPF layer hides PIDs, paths, and network ports at the kernel level. Both layers are deployed dynamically, with the userland rootkit compiled on the target host.
Credential access layer: A multifaceted credential theft capability that harvests SSH keys, browser-stored credentials, cloud and developer configuration files, /etc/shadow, and clipboard data. It also leverages PAM-based backdoors to intercept and log plaintext authentication data.
Surveillance module: Capabilities for keylogging, screen captures, and clipboard monitoring to gather sensitive information as developers work.
Networking and lateral movement: Features for TCP tunneling, SOCKS proxying, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking to expand reach within a compromised environment.
Execution and injection engine: Supports process injection via methods such as ptrace and /proc/pid/mem, enabling in-memory payload execution and delivery of additional payloads (shared objects, BOF/COFF formats).
Filesystem monitoring: Real-time activity tracking through inotify to observe file changes and respond to developer actions.
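The cross-view comparison defenders use against the userland rootkit layer described above, as an added example (my code, not from the Trend Micro report): a hooked `readdir()` can drop directory entries, but the raw `getdents64` syscall still returns them, so any name present in the second view and absent from the first is worth investigating. It assumes Linux on x86_64 or aarch64; `listdir_raw` and `hidden_entries` are my names.

```python
"""Cross-view check against the userland LD_PRELOAD rootkit layer the article
describes: a hooked readdir() can drop entries, but the raw getdents64 syscall
still returns them. Added defensive example, not Trend Micro's tooling."""
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers (assumed) for the two common Linux architectures.
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}[platform.machine()]
LIBC = ctypes.CDLL(None, use_errno=True)  # we call syscall(), not readdir()

def listdir_raw(path):
    """Enumerate a directory via getdents64 directly, bypassing libc readdir()."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(32768)
    names = set()
    try:
        while True:
            n = LIBC.syscall(SYS_GETDENTS64, fd, buf, ctypes.sizeof(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            off = 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen,
                # u8 d_type, then the NUL-terminated d_name at offset 19.
                _ino, _off, d_reclen, _type = struct.unpack_from("=QqHB", buf, off)
                name = buf.raw[off + 19:off + d_reclen].split(b"\0", 1)[0]
                names.add(os.fsdecode(name))
                off += d_reclen
    finally:
        os.close(fd)
    return names - {".", ".."}

def hidden_entries(path):
    """Names the kernel returns that the libc-based os.listdir() does not show."""
    return listdir_raw(path) - set(os.listdir(path))

def build_sample_dir():
    """Constructed sample: a clean directory, so the two views must agree."""
    root = tempfile.mkdtemp()
    for name in ("config.yaml", ".env", "id_ed25519"):
        open(os.path.join(root, name), "w").close()
    return root
```

This only sees through the userland layer: the eBPF component the article describes hides at the kernel level, where both views are served by the same code, so that layer needs an out-of-band vantage point such as an offline image of the disk.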
Rootkit architecture and operational flow
Upon initial access, QLNX establishes a fileless foothold, deploys its persistence and stealth mechanisms, and begins credential harvesting. The combination of userland and kernel-level rootkit components creates a layered approach to concealment, making it harder for defenders to identify artifacts or traces of compromise. The architecture is designed to allow continuous operation even as standard security tools sweep the system, leveraging memory-resident techniques and rapid response to security events.
Impact on developer workstations and software delivery pipelines
By targeting developer workstations, QLNX can bypass many enterprise security controls and gain access to credentials that underlie software delivery pipelines. The theft of developer credentials can facilitate broader access, enabling the attacker to publish trojanized components or tamper with build and deployment processes. This aligns with recent trends in supply-chain compromise, where stolen credentials enable attackers to sabotage widely used projects or packages.
Credential theft and supply-chain implications
QLNX’s credential theft approach mirrors evolving supply-chain attack scenarios in which adversaries exploit trusted development ecosystems to enable broader misuse. The combination of local credential access with backdoors that intercept authentication data provides a mechanism to feed attacker-controlled access into cloud and code-hosting environments, potentially enabling tiered access across an organization’s infrastructure and pipelines.
Indicators of compromise and detection status
Trend Micro notes that the Quasar Linux implant is detected as malicious by only a small number of security solutions at the time of publication. The researchers also provided indicators of compromise to assist defenders in detecting and mitigating QLNX infections. The limited number of detections underscores the need for thorough monitoring of development environments and adherence to least-privilege and credential hygiene practices.
Context and attribution
Trend Micro has not disclosed specific attack campaigns or attribution for QLNX, and the exact scope of deployment remains unclear. The initial reporting focuses on the technical capabilities, stealth characteristics, and potential risk to software development workflows rather than on definitive campaigns or actor identity.
Conclusion: a stealthy, multi-faceted Linux threat in developer ecosystems
QLNX represents a comprehensive approach to compromising development environments, combining in-memory operation, deep rootkit concealment, credential theft, and lateral movement with a flexible command-and-control framework. Its design supports persistent access and stealth, raising concerns about the integrity of software supply chains and the security of developer workstations in modern DevOps contexts. As defenders monitor code distribution channels, container registries, and cloud-based development resources, attention to detection and containment within developer ecosystems remains critical.