
Introduction: A Hidden Threat Inside the Linux Ecosystem
A newly discovered Linux malware campaign has raised serious alarms across the cybersecurity landscape. Named Quasar Linux (QLNX), this remote access trojan is not just another system intruder—it is a highly engineered espionage tool built specifically to infiltrate software supply chains. According to security researchers at Trend Micro, QLNX focuses on stealing sensitive developer credentials, cloud tokens, and authentication keys that can unlock entire production environments. What makes it especially dangerous is its stealth-first design, combining rootkit-level hiding techniques with persistent access mechanisms that allow attackers to remain undetected for long periods while silently harvesting critical data.
The Original Findings
Advanced Linux RAT with Modular Design
Quasar Linux (QLNX) is a newly identified remote access trojan targeting Linux systems. It features a modular architecture that allows attackers to extend its capabilities and adapt it for different environments, making it flexible and highly dangerous in targeted attacks.
Supply Chain Credential Theft Focus
The malware is specifically designed to steal developer credentials, including cloud access keys, repository tokens, and authentication secrets. It targets platforms such as AWS, Kubernetes, Docker Hub, Git systems, NPM, and PyPI.
High-Risk Impact on Software Development Pipelines
If successful, attackers can compromise maintainers’ publishing pipelines, enabling them to inject malicious code into legitimate software packages or access production cloud infrastructure without detection.
Memory-Based Execution and Stealth Techniques
QLNX executes entirely in memory, avoiding disk traces. It also spoofs process names and can self-delete, significantly reducing forensic visibility.
System Reconnaissance and Data Collection
The malware performs deep system scanning, including detection of containers, processes, open ports, and files. It also collects SSH keys, clipboard data, browser profiles, and other sensitive information.
PAM Backdoor for Credential Harvesting
QLNX uses Pluggable Authentication Module (PAM) backdoors to intercept authentication events. It includes two different implementations designed to capture plaintext credentials and session authentication tokens.
Rootkit-Level Evasion Mechanisms
The malware uses a dual-layer rootkit approach involving LD_PRELOAD for user-space hooking and eBPF-based kernel manipulation to hide processes, files, and network activity from system tools.
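The PAM backdoor and the LD_PRELOAD/eBPF hiding described above leave artefacts a defender can check for. The following Python helpers are an added illustration (not code from the Trend Micro report or from the malware): each check takes already-collected data so it runs offline, and every sample value (the ld.so.preload contents, the pam.d fragment, the PID sets, the PAM baseline) is constructed, not a real QLNX indicator.

```python
import os
import re

# Constructed sample inputs so the checks run without touching a live host.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libselinux.so.1\n/tmp/.cache/libhide.so\n"
SAMPLE_PAM = """# constructed /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth optional pam_sessionlog.so
auth required pam_permit.so
"""
# Hypothetical reviewed baseline of modules expected in this file on this host.
PAM_BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cap.so"}
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def preload_findings(text):
    """/etc/ld.so.preload is normally empty, so every entry deserves review;
    a library outside the distro library directories is rated high."""
    findings = []
    for line in text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        sev = "low" if path.startswith(TRUSTED_LIB_DIRS) else "high"
        findings.append((sev, path))
    return findings


def unexpected_pam_modules(text, baseline=PAM_BASELINE):
    """Modules referenced in a pam.d file that are not in the reviewed baseline.
    A PAM credential-capturing backdoor has to be referenced from here (or be
    a replaced module file, which a package integrity check would catch)."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = re.search(r"\b(pam_\w+\.so)\b", line)
        if m and m.group(1) not in baseline:
            found.add(m.group(1))
    return sorted(found)


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but missing from the directory listing.
    Both readdir hooks and eBPF filters usually tamper with the listing only,
    so a disagreement between the two views is the signal. Caveat: a hooked
    libc can filter stat() too, so run the collector from a static binary."""
    return sorted(set(probed) - set(listed))


def collect_pids(pid_max=32768):
    """Live collector: readdir view of /proc versus brute-force stat of /proc/<pid>."""
    listed = {int(p) for p in os.listdir("/proc") if p.isdigit()}
    probed = {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}
    return listed, probed
```

Compare the findings against a known-good baseline of the same host rather than reading them in isolation; a distro-installed preload library or a legitimately added PAM module will show up too.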
Multiple Persistence Strategies
It establishes persistence through up to six different methods, including crontab entries, system services, shell modifications, and desktop autostart entries, often combining several at once.
Extensive Command and Control Capabilities
QLNX supports 58 commands, enabling attackers to execute remote shells, manage files, capture screens, log keystrokes, open sockets, exfiltrate credentials, and even reboot or shut down infected machines.
Long-Term Stealth and Supply Chain Risk
Security analysts warn that QLNX is designed not for quick attacks but for long-term infiltration, focusing on silently embedding itself within trusted development and deployment pipelines.
What Undercode Says:
A Supply Chain Weapon Rather Than Simple Malware
QLNX is not just another Linux backdoor; it represents a shift toward supply chain targeting as a primary attack vector. By focusing on developers and maintainers, attackers bypass traditional perimeter defenses and directly access trusted software distribution channels. This transforms a single compromised machine into a gateway for widespread downstream infections.
Multi-Layered Stealth Architecture Increases Detection Difficulty
The combination of memory-only execution, process spoofing, rootkit functionality, and log wiping creates a layered invisibility system. Unlike conventional malware, QLNX does not rely on a single evasion method but stacks multiple defensive mechanisms, making detection extremely difficult even for advanced security tools.
Credential Aggregation as a Strategic Objective
Rather than random data theft, QLNX is engineered to collect high-value authentication assets. AWS keys, Kubernetes tokens, Git credentials, and NPM or PyPI API keys all point toward a strategic objective: gaining control over development pipelines and cloud deployments at scale.
Kernel-Level Manipulation Elevates Threat Severity
The use of eBPF-based rootkit technology is particularly concerning. By manipulating kernel data structures, the malware can selectively hide its presence from system-level monitoring tools, effectively operating below the visibility threshold of many security solutions.
Persistence Strategy Designed for Survival, Not Speed
The malware’s use of up to six persistence methods indicates a design philosophy centered on surviving remediation attempts. Even if one persistence vector is removed, the others remain active, allowing reinfection or continued control without requiring a fresh compromise.
Full Remote Control Enables Complete System Domination
With 58 command capabilities, QLNX provides attackers with full operational control over infected machines. This transforms compromised systems into multifunctional espionage nodes capable of reconnaissance, data theft, lateral movement, and infrastructure manipulation.
Software Supply Chains Become the Real Battlefield
The most critical implication is that software trust chains are now primary targets. If attackers can compromise a maintainer’s environment, they can silently inject malicious code into widely distributed packages, affecting thousands of downstream users without direct targeting.
Fact Checker Results
Verified Targeting Scope
Trend Micro confirms QLNX specifically targets developer credentials and cloud infrastructure tokens used in modern DevOps environments.
Confirmed Stealth Techniques
Memory execution, PAM backdoors, and rootkit-based hiding mechanisms are documented and align with advanced Linux malware techniques.
High Confidence Supply Chain Risk
The ability to compromise package publishing pipelines is consistent with known software supply chain attack patterns.
📊 Prediction
Expansion of Linux Supply Chain Attacks
Future malware campaigns are likely to adopt similar strategies, focusing increasingly on developers, CI/CD systems, and package repositories rather than end users.
Growth of Kernel-Level Evasion Tools
The use of eBPF and other kernel manipulation techniques will likely increase as attackers aim to bypass traditional endpoint detection systems.
Shift Toward Silent Long-Term Intrusions
Instead of fast disruptive attacks, threat actors will prioritize persistent stealth implants designed to remain undetected for months or even years inside development ecosystems.
References:
Reported By: www.securityweek.com