New stealthy Quasar Linux malware targets software developers

Summary

A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developer systems with rootkit, backdoor, and credential-stealing capabilities, designed for stealth and long-term persistence. The malware deploys across npm, PyPI, GitHub, AWS, Docker, and Kubernetes environments, enabling potential supply-chain attacks through trojanized packages on code distribution platforms. QLNX uses seven persistence mechanisms, dynamic rootkit compilation, dual-layer stealth (userland LD_PRELOAD and kernel eBPF), and harvests developer and cloud credentials for lateral movement.

Full text

New stealthy Quasar Linux malware targets software developers By Bill Toulas May 5, 2026 06:01 PM 0 A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developers' systems with a mix of rootkit, backdoor, and credential-stealing capabilities. The malware kit is deployed in development and DevOps environments in npm, PyPI, GitHub, AWS, Docker, and Kubernetes. This could enable supply-chain attacks where the threat actor publishes malicious packages on code distribution platforms. Researchers at cybersecurity company Trend Micro analyzed the QLNX implant and found that "it dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc [GNU Compiler Collection]." A report from the company this week notes that QLNX was designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables. The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed. Overview of QLNX's persistence mechanismsSource: Trend Micro QLNX features multiple functional blocks dedicated to specific activities, making it a complete attack tool. Its core components can be summarized as follows: RAT core — Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels. Rootkit — Dual-layer stealth mechanism combining a userland LD_PRELOAD rootkit and a kernel-level eBPF component. The userland layer hooks libc functions to hide files, processes, and malware artifacts, while the eBPF layer conceals PIDs, file paths, and network ports at the kernel level. Both are deployed dynamically, with the userland rootkit compiled on the target system. Credential access layer — Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data. Surveillance module — Keylogging, screenshot capture, and clipboard monitoring. Networking and lateral movement — TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking. Execution and injection engine — Process injection (ptrace, /proc/pid/mem) and in-memory execution of payloads (shared objects, BOF/COFF). Filesystem monitoring — Real-time tracking of file activity via inotify. The rootkit architectureSource: Trend Micro After initial access, QLNX establishes a fileless foothold, deploys persistence and stealth mechanisms, and then harvests developer and cloud credentials. By targeting developer workstations, attackers can bypass enterprise security controls and access the credentials that underpin software delivery pipelines. Credential theftSource: Trend Micro This approach mirrors recent supply chain incidents in which stolen developer credentials were used to publish trojanized packages to public repositories. Trend Micro has not provided details about specific attacks or any attribution for QLNX, so the deployment volume and specific activity levels of this new malware are unclear. At the time of publication, the Quasar Linux implant is detected by only four security solutions, which flag its binary as malicious. Trend Micro has provided indicators of compromise (IoCs) to help defenders detect QLNX infections and protect against them. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Threat actor uses Microsoft Teams to deploy new “Snow” malwareNew GoGra malware for Linux uses Microsoft Graph API for commsWordPress plugin suite hacked to push malware to thousands of sites'NoVoice' Android malware on Google Play infected 2.3 million devicesHackers compromise Axios npm package to drop cross-platform malware

Indicators of Compromise

• malware — Quasar Linux (QLNX)

Entities