Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities
Quasar Linux (QLNX) RAT discovered with rootkit, PAM backdoor, credential harvesting targeting developers.
Summary
TrendAI Research has disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan combining rootkit capabilities, PAM backdoor, and advanced credential harvesting functionality. The malware specifically targets developer credentials and supply chain assets including NPM tokens, PyPI credentials, AWS keys, Kubernetes configs, Docker credentials, and Git tokens. QLNX uses sophisticated evasion techniques including LD_PRELOAD rootkit injection, dynamic compilation on target systems, P2P mesh networking for resilience, and fileless execution to maintain persistent, stealthy access to developer workstations.
Full text
TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks.

By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim
May 04, 2026

Key takeaways
- Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features.
- The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary. It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc, then deploys them via /etc/ld.so.preload for system-wide interception.
- QLNX targets developer and DevOps credentials across the software supply chain. Its credential harvester extracts secrets from high-value files such as .npmrc (NPM tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.
- QLNX incorporates a PAM backdoor with inline hooking, enabling plaintext credential interception during authentication. It uses the hardcoded master password O$$f$QtYJK and XOR-encrypted credential harvesting to /var/log/.ICE-unix.
- QLNX includes a P2P mesh capability that transforms individual implants into a resilient network, making complete eradication significantly more difficult.

Trend Vision One™ detects and blocks the specific indicators of compromise (IoCs) mentioned in this blog entry, and offers customers access to hunting queries, threat insights, and intelligence reports related to the QLNX RAT.

In previous research, we have demonstrated how AI can be used to improve detection accuracy when new malware families emerge, particularly those that reuse or share code from open-source repositories. A clear example is our earlier work “AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows,” where AI-driven threat hunting helped us expose the previously elusive GhostPenguin backdoor.

In this blog entry, we present another compelling finding from the same approach. Our platform recently flagged an unusual Linux implant with low detection, which caught our attention and prompted a deeper investigation. What followed was the discovery of Quasar Linux (QLNX), a previously undocumented Linux remote access trojan (RAT) with rootkit capabilities and a notably minimal detection footprint.

Threat landscape overview
Supply-chain attacks targeting open-source package ecosystems like PyPI and npm have become one of the most effective attack vectors available to threat actors today. By compromising a maintainer's account through phishing, credential theft, or a misconfigured CI/CD pipeline, an attacker can inject malicious code into a legitimate and widely trusted package and instantly reach its entire audience — as seen in recent npm-focused compromises such as the axios package incident.

While the open-source ecosystem is supported by a mix of enterprise teams and independent contributors, attackers frequently target the developer's workstation.
Security controls across these decentralized endpoints can vary significantly, meaning not all workstations benefit from uniform, enterprise-grade solutions such as EDR, XDR, or advanced network monitoring. This variability creates potential blind spots that make certain developer endpoints highly attractive targets and, critically, makes it much harder to detect a breach after the fact — allowing attackers to maintain silent access for extended periods.

QLNX attack surface and impact
This is precisely the threat environment that QLNX was built for. QLNX's credential harvesting module targets the files and tokens that provide authenticated access to development tools, package registries, and cloud environments: this includes AWS credentials and configuration files, Kubernetes service account tokens and kubeconfig files, Docker Hub credentials, Git configuration and access tokens, NPM authentication tokens, and PyPI API keys.

An attacker who successfully deploys QLNX against a package maintainer gains access to that maintainer's publishing pipeline. A single compromise can be silently leveraged to trojanize packages, inject backdoors into build artifacts, or pivot into cloud environments where production infrastructure lives. Table 1 summarizes its complete capability set across eight operational categories.

Execution and evasion
- Fileless execution via memfd_create + execveat
- Self-deletion
- Process name spoofing
- Single-instance mutex

Rootkit and hiding
- Two-tier rootkit architecture: userspace LD_PRELOAD hooks (readdir, stat, open, fopen) and kernel-level eBPF maps hiding PIDs, filenames, and TCP ports from the kernel directly

Persistence
- systemd (system + user services)
- crontab @reboot
- init.d script
- XDG autostart .desktop files
- LD_PRELOAD bootstrap .so
- .bashrc injection

Credential and data harvesting
- SSH private keys
- Browser login databases (Chrome, Chromium, Firefox)
- Cloud configuration files (AWS, Kubernetes, Docker, Git, NPM, PyPI)
- Shell history (Bash, Zsh, MySQL, PSQL)
- Plaintext PAM passwords via pam_security.so hook; /etc/shadow (root)
- Clipboard content

Surveillance
- Keylogger (raw /dev/input events + X11 fallback)
- Screenshot capture
- Clipboard monitoring with SHA256 deduplication and periodic exfiltration

Networking and tunnelling
- TCP tunnel; port forwarding
- Port scanning; raw packet capture
- SSH lateral movement execution
- Peer-to-peer mesh network with routing table for agent-to-agent C&C relay

Remote control
- Interactive PTY reverse shell
- Full file manager (list, read, write, rename, delete, mkdir)
- File upload/download; process listing and termination
- TCP connection listing and killing; power control (shutdown/reboot/suspend)
- Privilege escalation via Sudo/pkexec

Advanced offensive
- In-memory .so reflective loading (memfd/shm/tmpfile)
- Process injection via /proc/pid/mem and ptrace
- Beacon Object File (BOF/COFF) in-memory execution
- Real-time filesystem event monitoring via inotify
- Timestamp manipulation (timestomping)

Table 1. Overview of QLNX capabilities

Quasar Linux (QLNX) analysis
Name: quasar-implant
MD5: 70f70743f287a837d17c56933152a8a6
SHA1: b0f2c668cbdd63a871c90592b6c93e931115872e
SHA256: ea1d34b21b739a6bbf89b3f7e67978005cf7f3eda612cefc7eac1c8ead7c5545
Magic: ELF 64-bit LSB pie executable, x86-64
File size: 147.91 KB (151,464 bytes)
Table 2. Identifying information on QLNX

Summary
QLNX is a full-featured RAT that targets the Linux platform. The malware executes filelessly from memory, spoofs its process name, profiles the system to detect containerized environments, utilizes eBPF to hide specific processes, files, and network ports, and wipes system logs.
QLNX performs extensive data collection. It gathers system information, clipboard contents, shell history, SSH keys, Firefox browser profiles, and credentials via a malicious Pluggable Authentication Module (PAM) injected through ld.so.preload. QLNX communicates with the attacker and sends the collected information via TLS (custom protocol over TLS), HTTPS, or HTTP. The malware contacts a remote server and receives commands. The supported commands allow the malware to execute shell commands, manage files, inject code into processes via /proc/pid/mem and ptrace, capture screenshots, log keystrokes, establish SO
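The traces described above (the /etc/ld.so.preload injection, the pam_security.so hook, the /var/log/.ICE-unix credential drop, and memfd-backed fileless execution) can be hunted for with a small host triage script. This is an added defensive example, not code from the report or from the malware; the paths are the ones the write-up names, and the root and proc directories are parameters so the same checks run against a live host or a mounted image.

```python
"""Host triage for the QLNX traces described above (added defensive example,
not code from the report). Paths are those named in the report, relative to
the scanned root, so the checks work on "/" or on a mounted offline image."""
import os
from pathlib import Path

PRELOAD_FILE = "etc/ld.so.preload"   # system-wide LD_PRELOAD hook point
PAM_DIR = "etc/pam.d"
PAM_HOOK = "pam_security.so"         # QLNX PAM backdoor module name
XOR_LOG = "var/log/.ICE-unix"        # XOR-encrypted credential drop

def check_preload(root):
    """Every library listed in ld.so.preload is injected into every process."""
    p = Path(root, PRELOAD_FILE)
    if not p.is_file():
        return []
    return [f"ld.so.preload injects {lib}" for lib in p.read_text().split()]

def check_pam(root):
    """Report PAM stacks that load the backdoor module by name."""
    d = Path(root, PAM_DIR)
    if not d.is_dir():
        return []
    return [f"{cfg} loads {PAM_HOOK}" for cfg in sorted(d.iterdir())
            if cfg.is_file() and PAM_HOOK in cfg.read_text(errors="ignore")]

def check_xor_log(root):
    """A legitimate X11 .ICE-unix lives under /tmp, never under /var/log."""
    p = Path(root, XOR_LOG)
    return [f"credential drop present at {p}"] if p.exists() else []

def check_memfd_processes(proc):
    """memfd_create + execveat leaves /proc/<pid>/exe pointing at /memfd:..."""
    hits = []
    for pid in Path(proc).glob("[0-9]*"):
        try:
            target = os.readlink(pid / "exe")
        except OSError:  # process exited, or not readable without root
            continue
        if target.startswith("/memfd:"):
            hits.append(f"pid {pid.name} executes from {target}")
    return hits

def triage(root="/", proc="/proc"):
    """Return all findings; an empty list means none of the traces exist."""
    return (check_preload(root) + check_pam(root)
            + check_xor_log(root) + check_memfd_processes(proc))

if __name__ == "__main__":
    for finding in triage() or ["no QLNX traces found"]:
        print(finding)
```

Run it as root so every /proc/<pid>/exe link is readable; a non-empty ld.so.preload is worth examining on any host, since few legitimate deployments use it.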
Indicators of Compromise
- malware — Quasar Linux (QLNX)
- malware — pam_security.so
- malware — LD_PRELOAD rootkit