QLNX: New Remote Access Trojan targets Linux developers
Quasar Linux (QLNX) is not an operating system, but a supply chain attack tool that is difficult to detect and remove.
(Image: solarseven / Shutterstock.com)
- Manuel Masiero
With Quasar Linux (QLNX), a new Remote Access Trojan (RAT) has emerged, targeting the systems of Linux developers. With its combination of rootkit techniques, credential theft, and camouflage mechanisms, the Linux RAT, first documented by Trend Micro in early May, enables threat actors to carry out a complete and covert attack workflow.
The security researchers at Trend Micro do not cite specific cases of damage caused by QLNX. In their detailed analysis, they still assess the threat potential as high because the Linux malware targets developer and DevOps credentials throughout the software supply chain and is difficult to remove from infected systems.
At the time of analysis, Trend Micro appeared to be the only AV vendor with detailed detection rules for QLNX. SOC Prime has since joined them.
Uninvited Permanent Guest
On infected systems, QLNX steals secrets for npm, PyPI, GitHub, Amazon Web Services (AWS), Docker, and Kubernetes. It also collects private SSH keys, browser logins, shell histories, clipboard contents, and passwords that the Linux PAM authentication process holds in unencrypted form.
The information is sent to a remote attacker server via HTTPS, HTTP, or a custom TLS protocol. The malware also receives commands via the same communication channel. Through its P2P mesh function, QLNX can also forward data via other compromised systems, making its detection and removal significantly more difficult.
QLNX is just as tenacious on infected endpoints, and it goes to considerable lengths to operate unnoticed in the background. After the initial infection, the Linux RAT deletes its binary, keeps running filelessly in memory, spoofs its process name, removes system logs, and installs seven redundant persistence mechanisms so that it stays active even after a partial cleanup.
Quasar Linux effectively gives away its own name: the malware installs itself using systemd units such as ~/.config/systemd/user/quasar_linux.service and /etc/systemd/system/quasar_linux.service.
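As an added defender-side triage check (not part of the article or of Trend Micro's analysis), the script below looks for the two indicators the article names: the quasar_linux.service unit paths and processes that keep running after their binary was deleted. The ROOT prefix and the list of home directories are assumptions, so the same functions can be pointed at a mounted disk image as well as at the live host.

```shell
#!/bin/sh
# Added triage script (not from the article or Trend Micro): checks the two
# indicators the article names. ROOT and the home directories are assumptions
# so the same functions can be pointed at a mounted disk image.

# find_qlnx_units ROOT HOME...
# Prints every quasar_linux.service unit found under ROOT (the system-wide
# unit and per-user units in the listed home directories). Returns 0 if any
# was found, 1 otherwise, like grep.
find_qlnx_units() {
  root="$1"; shift
  found=1
  unit="$root/etc/systemd/system/quasar_linux.service"
  if [ -f "$unit" ]; then
    echo "$unit"; found=0
  fi
  for home in "$@"; do
    unit="$root$home/.config/systemd/user/quasar_linux.service"
    if [ -f "$unit" ]; then
      echo "$unit"; found=0
    fi
  done
  return "$found"
}

# find_deleted_exe_procs PROC_ROOT
# Prints "PID target" for every process whose PROC_ROOT/PID/exe link ends in
# "(deleted)", i.e. a program that removed its own binary and now lives only
# in memory, as the article says QLNX does. Returns 0 if any was found.
find_deleted_exe_procs() {
  proc="$1"
  found=1
  for d in "$proc"/[0-9]*; do
    target=$(readlink "$d/exe" 2>/dev/null) || continue
    case "$target" in
      *" (deleted)") echo "${d##*/} $target"; found=0 ;;
    esac
  done
  return "$found"
}

# Stand-alone use on the live host: sh qlnx_check.sh --live
if [ "${1:-}" = "--live" ]; then
  find_qlnx_units "" /root /home/* || echo "no quasar_linux.service unit found"
  find_deleted_exe_procs /proc || echo "no process running from a deleted binary"
fi
```

A hit from either function is a reason to pull the unit file and the process memory for analysis before rebooting, since a reboot would remove the in-memory evidence but not the persistence.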
QLNX has all the prerequisites to carry out a supply chain attack à la LiteLLM. As a reminder, on March 24, 2026, cybercriminals compromised two LiteLLM packages (v1.82.7 and v1.82.8) in the Python Package Index via a PyPI token stolen from LiteLLM's CI/CD pipeline and equipped them with a credential stealer.
(mro)