# Quasar Linux RAT Targets Developers to Compromise the Software Supply Chain

Surendra Reddy, May 8, 2026

Cybersecurity researchers have uncovered a sophisticated Linux malware strain called Quasar Linux RAT (QLNX) that is specifically designed to steal developer credentials and infiltrate software supply chains. The newly identified remote access trojan (RAT) poses a major threat to developers, DevOps engineers, cloud environments, and CI/CD infrastructures by silently harvesting sensitive credentials and maintaining long-term persistence on infected systems.

According to researchers at Trend Micro, the malware is engineered to operate stealthily while collecting credentials tied to critical developer services and cloud platforms. Once deployed, QLNX can provide attackers with extensive remote control over compromised Linux machines.

## Malware Built to Target Developers

Unlike traditional Linux malware that focuses mainly on servers or cryptocurrency mining, QLNX is heavily focused on the software development ecosystem. The malware searches for valuable credential files commonly used by developers and DevOps teams.

Researchers revealed that the malware extracts secrets from files such as:

  • .npmrc containing npm authentication tokens
  • .pypirc storing PyPI credentials
  • .git-credentials files
  • AWS cloud credentials
  • Kubernetes configuration files
  • Docker authentication configurations
  • Terraform credentials
  • GitHub CLI tokens
  • Environment variable files (.env)

By stealing these credentials, attackers could potentially upload malicious packages to public repositories like npm or PyPI, compromise cloud infrastructure, or move laterally across CI/CD pipelines.
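
If a workstation holding these files is infected, the first response question is which credentials must be rotated. As an added example (not tooling from the report), the script below reads the same files the article lists and produces a rotation checklist of identities (registry hosts, profiles, variable names) without ever printing the secret values; the parsers for `.npmrc`, `.pypirc`, `.git-credentials`, `~/.aws/credentials`, `~/.docker/config.json` and `.env` follow those files' documented formats, and the `rotation_checklist` name is this example's own.

```python
"""Credential-rotation checklist for a developer home directory after a suspected
QLNX-style theft. Added example, not from the report: it reports which identities
each file holds (hosts, profiles, variable names), never the secret values."""
import configparser
import json
import os
import re
from urllib.parse import urlsplit

def npmrc_ids(text):            # '//registry.npmjs.org/:_authToken=...' -> registry host
    return re.findall(r"^//([^/\s]+)/?:_authToken=", text, re.M)

def ini_ids(text):              # .pypirc and ~/.aws/credentials are INI: one identity per section
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [s for s in cp.sections() if s != "distutils"]

def git_cred_ids(text):         # 'https://user:token@host' -> 'user@host'
    urls = [urlsplit(l.strip()) for l in text.splitlines() if l.strip()]
    return [f"{u.username or '?'}@{u.hostname}" for u in urls if u.hostname]

def docker_ids(text):           # config.json "auths" keys are the registries logged in to
    return sorted(json.loads(text).get("auths", {}))

def env_ids(text):              # names of .env variables that look like secrets
    return re.findall(r"^\s*(?:export\s+)?(\w*(?:TOKEN|SECRET|KEY|PASSWORD)\w*)=", text, re.M)

SOURCES = {                     # path relative to $HOME -> (what to rotate, parser)
    ".npmrc": ("npm token for", npmrc_ids),
    ".pypirc": ("PyPI/repository password for", ini_ids),
    ".git-credentials": ("git HTTPS credential for", git_cred_ids),
    ".aws/credentials": ("AWS access key for profile", ini_ids),
    ".docker/config.json": ("registry login for", docker_ids),
    ".env": ("value of", env_ids),
}

def rotation_checklist(home):
    """Return [(file, what, identity)] for every credential found under `home`."""
    items = []
    for rel, (what, parse) in SOURCES.items():
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path) as f:
                ids = parse(f.read())
        except (OSError, ValueError, configparser.Error):
            ids = ["<unparseable, review by hand>"]
        items += [(rel, what, i) for i in ids]
    return items
```

Kubernetes, Terraform and GitHub CLI credentials live in YAML or JSON files not covered here; treat their mere presence in the home directory as a rotation item.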

Security experts warn that this creates a severe software supply chain risk. If a developer or package maintainer becomes infected, attackers could poison legitimate software packages that are later downloaded by thousands—or even millions—of users worldwide.

## Fileless Execution and Stealth Techniques

One of the most dangerous aspects of QLNX is its ability to operate almost entirely in memory. Instead of leaving obvious traces on disk, the malware executes filelessly, making detection significantly more difficult for traditional antivirus tools.

To avoid suspicion, the malware disguises itself as legitimate Linux kernel threads using names such as:

  • kworker
  • ksoftirqd

This camouflage allows it to blend into normal system activity while continuing malicious operations in the background.
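
As an added example (not code from the report), the check below reads /proc directly and flags any process named kworker or ksoftirqd that lacks the properties only a genuine kernel thread has: the PF_KTHREAD flag (value taken from the kernel headers), kthreadd as parent, an empty cmdline and no exe target. The function names are this example's own.

```python
"""Spot user-space processes posing as kernel threads (kworker, ksoftirqd). Added
example, not from the report. Real kernel threads are children of kthreadd (PID 2),
carry PF_KTHREAD and have no cmdline or /proc/<pid>/exe target; prctl() fakes only the name."""
import os

PF_KTHREAD = 0x00200000                 # include/linux/sched.h
KTHREAD_NAMES = ("kworker", "ksoftirqd")

def parse_stat(stat_line):
    """Parse /proc/<pid>/stat; comm may contain spaces, so split on the last ')'."""
    head, _, rest = stat_line.rpartition(")")
    pid, _, comm = head.partition("(")
    fields = rest.split()               # state, ppid, pgrp, session, tty, tpgid, flags, ...
    return {"pid": int(pid), "comm": comm, "ppid": int(fields[1]), "flags": int(fields[6])}

def masquerade_reasons(info, cmdline, exe):
    """Why a kernel-thread-named process is not one; an empty list means it looks genuine."""
    if not info["comm"].startswith(KTHREAD_NAMES):
        return []
    reasons = []
    if not info["flags"] & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set")
    if info["ppid"] != 2:
        reasons.append(f"parent is PID {info['ppid']}, not kthreadd")
    if cmdline:
        reasons.append("non-empty cmdline")
    if exe:
        reasons.append(f"exe resolves to {exe}")
    return reasons

def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: reasons}; an LD_PRELOAD rootkit can hide entries here too."""
    findings = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, name)
        try:
            with open(base + "/stat") as f:
                info = parse_stat(f.read())
            with open(base + "/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue                    # process exited, or not ours to read
        try:
            exe = os.readlink(base + "/exe")   # ENOENT for real kernel threads
        except OSError:
            exe = ""
        reasons = masquerade_reasons(info, cmdline, exe)
        if reasons:
            findings[info["pid"]] = reasons
    return findings
```

Because the userland rootkit described below can hide /proc entries from a dynamically linked interpreter as well, run this from a statically linked tool or after booting the host from clean media once it is suspect.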

QLNX also profiles the infected machine to determine whether it is running inside a containerized environment. This capability allows attackers to adapt their tactics depending on whether the target is a developer workstation, cloud server, or containerized application infrastructure.

## Multiple Persistence Mechanisms

The malware is designed for long-term persistence and survival. Researchers found that QLNX can establish persistence using at least seven different methods simultaneously.

These include:

  • systemd service modifications
  • crontab scheduled tasks
  • .bashrc shell injection
  • Dynamic linker manipulation
  • PAM-based hooks
  • Environment variable hijacking
  • Additional Linux startup mechanisms

Using multiple persistence layers ensures that even if one method is removed, the malware can still survive and reinfect the system.

QLNX also clears or manipulates system logs to erase evidence of compromise, making forensic investigations more difficult.

## Advanced Credential Theft Capabilities

Beyond stealing stored credentials, QLNX actively intercepts authentication activity in real time.

Researchers discovered that the malware includes a malicious Pluggable Authentication Module (PAM) backdoor capable of capturing plaintext usernames and passwords during authentication events. It can also monitor outbound SSH sessions and transmit collected data back to attacker-controlled infrastructure.

A second PAM-based credential logger automatically injects itself into dynamically linked processes to harvest:

  • Service names
  • Usernames
  • Authentication tokens
  • Login credentials

This allows attackers to continuously gather fresh credentials even after passwords are changed.

## Remote Access and Full System Control

QLNX functions as a fully featured remote access trojan with extensive post-compromise capabilities. Once connected to its command-and-control (C2) server, attackers gain nearly complete control over the infected machine.

The malware supports 58 different commands, enabling operators to:

  • Execute shell commands
  • Manipulate files and directories
  • Inject malicious code into processes
  • Capture screenshots
  • Log keystrokes
  • Establish SOCKS proxies
  • Create TCP tunnels
  • Run Beacon Object Files (BOFs)
  • Build peer-to-peer mesh networks

This broad functionality transforms infected Linux systems into highly versatile espionage and attack platforms.

## Sophisticated Rootkit Architecture

QLNX employs a dual-layer rootkit design to remain hidden from both users and security tools.

### Userland Rootkit

The malware uses the Linux LD_PRELOAD mechanism to inject malicious libraries into processes, which allows it to conceal running processes, files, and other malware artifacts from standard Linux tools.

### Kernel-Level eBPF Rootkit

Even more concerning is its kernel-level component based on eBPF (Extended Berkeley Packet Filter) technology. This component manipulates the Linux BPF subsystem to hide files, processes, and network ports from tools such as:

  • ps
  • ls
  • netstat

By combining user-space and kernel-level stealth techniques, QLNX becomes extremely difficult to detect using traditional monitoring tools.

## Unclear Infection Vector

Researchers have not yet determined exactly how QLNX initially infects systems. However, once access is obtained, the malware immediately begins establishing persistence and communicating with its command-and-control servers over:

  • Raw TCP
  • HTTPS
  • HTTP

The implant continuously attempts to maintain communication channels, ensuring operators retain remote access even if one communication method is blocked.

## Major Supply Chain Threat

The discovery of QLNX highlights the growing trend of attackers targeting developers and software supply chains instead of directly attacking end users.

Modern development environments contain valuable credentials capable of granting access to:

  • Cloud infrastructure
  • Source code repositories
  • Package registries
  • CI/CD pipelines
  • Production servers

Compromising just one trusted developer account can allow attackers to distribute malicious updates through legitimate software channels.

Researchers emphasize that QLNX is particularly dangerous because of how its individual features combine into a coordinated attack workflow. The malware is capable of arriving stealthily, erasing traces from disk, persisting through redundant mechanisms, hiding from detection, and harvesting high-value credentials—all while maintaining long-term remote access.

## Security Recommendations

To reduce the risk posed by advanced Linux malware like QLNX, organizations and developers should:

  • Enable multi-factor authentication (MFA) for developer accounts
  • Rotate exposed credentials regularly
  • Monitor unusual package publishing activity
  • Restrict access to CI/CD pipelines
  • Audit Linux persistence mechanisms frequently
  • Deploy endpoint detection and response (EDR) tools capable of monitoring memory-based threats
  • Monitor for unauthorized PAM modifications and LD_PRELOAD abuse
  • Inspect eBPF activity for suspicious behavior
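
The persistence layers listed earlier (PAM hooks, dynamic-linker manipulation, .bashrc injection) and the recommendation to monitor for PAM and LD_PRELOAD abuse come down to a handful of files. As an added example (not tooling from the report), the audit below flags PAM modules loaded from outside the packaged module directories or not installed there, any entry in /etc/ld.so.preload, and shell rc lines that set LD_PRELOAD or run something from a scratch directory; the module directory list is an assumption covering Debian/Ubuntu and RHEL layouts.

```python
"""Audit PAM configuration and dynamic-linker hooks for the persistence described
above. Added example, not tooling from the report; the module directories are an
assumption covering Debian/Ubuntu and RHEL layouts."""
import glob
import os
import re

PAM_MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
                   "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PAM_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")   # type, control, module

def pam_findings(text, known_modules):
    """Modules loaded from outside the packaged dirs, or not among the modules installed there."""
    hits = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if not m or m.group(1).startswith("@"):      # blank, comment or @include
            continue
        module = m.group(3)
        if module.startswith("/") and not module.startswith(PAM_MODULE_DIRS):
            hits.append(module)
        elif os.path.basename(module) not in known_modules:
            hits.append(module)
    return hits

def preload_findings(text):
    """/etc/ld.so.preload is normally absent or empty; any library listed is a finding."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def rc_findings(text):
    """Shell rc lines that set LD_PRELOAD or run something from a scratch directory."""
    pat = re.compile("LD_PRELOAD=|" + "|".join(map(re.escape, SCRATCH_DIRS)))
    return [l for l in text.splitlines() if pat.search(l)]

def read_text(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""                                     # absent or unreadable: nothing to flag

def audit_host():
    """Run the checkers against the live host; returns {path: findings} for hits only."""
    known = {os.path.basename(p) for d in PAM_MODULE_DIRS for p in glob.glob(d + "/*.so")}
    report = {p: pam_findings(read_text(p), known) for p in glob.glob("/etc/pam.d/*")}
    report["/etc/ld.so.preload"] = preload_findings(read_text("/etc/ld.so.preload"))
    for rc in glob.glob("/root/.bashrc") + glob.glob("/home/*/.bashrc"):
        report[rc] = rc_findings(read_text(rc))
    return {p: f for p, f in report.items() if f}
```

A module trojaned in place keeps its name and location, so pair this with package verification (dpkg -V libpam-modules or rpm -V pam) and with a check of the systemd unit and cron directories the article also names.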

As software supply chain attacks continue to rise, developer environments are becoming one of the most valuable targets for cybercriminals and advanced threat groups alike. The emergence of QLNX demonstrates how Linux malware is evolving into a stealthy, highly persistent, and supply chain-focused threat capable of causing widespread downstream compromise.
