Full Report
A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developers' systems with a mix of rootkit, backdoor, and credential-stealing capabilities. [...]
Analysis Summary
# Tool/Technique: Quasar Linux (QLNX)
## Overview
Quasar Linux (QLNX) is a sophisticated, previously undocumented Linux implant designed for long-term persistence and stealth within developer and DevOps environments. Its primary purpose is to facilitate supply-chain attacks by stealing high-value credentials (AWS, Docker, Kubernetes, npm, PyPI) and providing extensive backdoor access to target systems.
## Technical Details
- **Type:** Malware family (Backdoor / Rootkit / Credential Stealer)
- **Platform:** Linux (targeting workstations, cloud environments, and CI/CD pipelines)
- **Capabilities:** Fileless execution, kernel and userland rootkits, PAM backdoors, credential harvesting, and peer-to-peer (P2P) networking.
- **First Seen:** Publicly reported May 2026.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
- T1543.002 - Create or Modify System Process: Systemd Service
- T1037.004 - Boot or Logon Initialization Scripts: RC Scripts
- T1053.003 - Scheduled Task/Job: Cron
- T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification (.bashrc)
- T1133 - External Remote Services (logins accepted through the backdoored PAM stack)
- **TA0004 - Privilege Escalation**
- T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
- **TA0005 - Defense Evasion**
- T1014 - Rootkit
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking (LD_PRELOAD)
- T1027.004 - Obfuscated Files or Information: Compile After Delivery
- T1036 - Masquerading (process name spoofing)
- T1070.004 - Indicator Removal: File Deletion (dropped binary unlinked after launch)
- **TA0006 - Credential Access**
- T1556.003 - Modify Authentication Process: Pluggable Authentication Modules
- T1552.004 - Unsecured Credentials: Private Keys (SSH keys)
- T1552.001 - Unsecured Credentials: Credentials In Files (AWS, Docker, Kubernetes, npm, PyPI configuration)
- T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1056.001 - Input Capture: Keylogging
- **TA0009 - Collection**
- T1113 - Screen Capture
- T1115 - Clipboard Data
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S C2)
- T1572 - Protocol Tunneling (TCP tunneling)
- T1090.001 - Proxy: Internal Proxy (SOCKS proxy, peer-to-peer relaying)
## Functionality
### Core Capabilities
* **RAT Core:** A 58-command framework providing interactive shell access, process management, and file manipulation.
* **Credential Harvesting:** Targets SSH keys, `/etc/shadow`, browser data, and configuration files for AWS, Docker, Kubernetes, npm, and PyPI.
* **Evasive Execution:** Runs as a fileless threat: the dropped binary is unlinked once the process is running, so the code survives only in memory (on disk the footprint is a `/proc/<pid>/exe` link that resolves to a path marked `(deleted)`), and the process name is spoofed to blend in with legitimate system tasks.
* **Dynamic Compilation:** Uses the local `gcc` to compile rootkit shared objects and PAM modules specifically for the host architecture.
### Advanced Features
* **Dual-Layer Rootkit:** Combines an `LD_PRELOAD` userland rootkit (hooking libc) with a kernel-level **eBPF** component to hide PIDs, network ports, and files.
* **PAM Backdoor:** Injects into the Pluggable Authentication Module system to intercept and log plaintext credentials during login events.
* **Mesh Networking:** Supports P2P communication and TCP tunneling/SOCKS proxies for lateral movement within isolated segments of a network.
* **Multiple Persistence Points:** Uses seven distinct mechanisms (LD_PRELOAD, typically via `/etc/ld.so.preload`, systemd units, crontab entries, init.d scripts, XDG autostart, `.bashrc`, among others) so that the implant survives reboots and the termination of any single process.
## Indicators of Compromise
* **File Names:** Common system names (spoofed), temporary shared objects (.so) compiled in `/tmp/` or `/dev/shm/`.
* **Network Indicators:** (no specific C2 infrastructure is published in this report; the following are traffic patterns to hunt for)
* Custom TCP/TLS C2 traffic.
* Unexpected P2P traffic between internal developer workstations.
* HTTP/S C2 communication channels.
* **Behavioral Indicators:**
* Unexpected use of `gcc` on production/developer systems to compile shared objects.
* Modification of `/etc/pam.d/` files.
* Unusual `ptrace` or `/proc/pid/mem` access by non-debugging processes.
* Presence of unauthorized eBPF programs.
## Associated Threat Actors
* **Currently Unknown:** Generally associated with sophisticated supply-chain or industrial espionage actors targeting the software development lifecycle.
## Detection Methods
* **Signature-based:** File hashes are of little use because each host compiles its own `.so` files; string or YARA rules should instead target what survives compilation (hooked libc symbol names, hard-coded paths, C2 parameters) in the shared objects found in `/tmp/` or `/dev/shm/`.
* **Behavioral Detection:**
* Monitoring for changes to `LD_PRELOAD` or shell profile files (.bashrc).
* Auditing kernel module loading and eBPF program attachment.
* Detection of unauthorized PAM module modifications.
* **Forensics:** Cross-check views that a rootkit must hide consistently: compare the PIDs returned by listing `/proc` (what `ps` and `ls` use) against a brute-force probe of every `/proc/<pid>` up to `pid_max`, compare directory listings from a statically linked binary on trusted media against those from the system's own tools, and look for `/proc/<pid>/exe` links marked `(deleted)`.
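The PID cross-check described above, as an added example that is not part of the original report or of any QLNX sample: it lists `/proc` the way `ps` does, then probes every PID directly, and treats the difference as hidden processes. It also flags processes whose executable was deleted or lives on a tmpfs. Two caveats a practitioner needs are built in: thread IDs answer at `/proc/<tid>` without ever appearing in a directory listing, so only entries whose `Tgid` equals their own number count, and a second pass drops PIDs that merely started or exited between the listing and the probe. The assumption, stated in the code, is that the rootkit filters directory listings but not direct opens of `/proc/<pid>`; a rootkit that hooks both defeats this, so run it from a statically linked binary on trusted media when that is in doubt.

```python
"""Hidden-process and deleted-executable checks against /proc (added example)."""
import json
import os
from typing import Callable, Dict, Iterable, Optional, Set

PROC = "/proc"
# Assumption: the rootkit filters readdir() results for /proc but does not
# also intercept direct opens of /proc/<pid>/status. A rootkit hooking both
# is invisible to this check.


def parse_tgid(status_text: str) -> Optional[int]:
    """Pull the Tgid field out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def probe_tgid(pid: int) -> Optional[int]:
    """Check one PID by opening /proc/<pid>/status directly (no readdir).
    Returns its thread-group id if the entry exists, None if it does not."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            return parse_tgid(fh.read())
    except (FileNotFoundError, ProcessLookupError, NotADirectoryError):
        return None
    except PermissionError:
        return pid  # exists but unreadable (e.g. hidepid mount): count it as a process


def listed_pids() -> Set[int]:
    """PIDs as a readdir()-based tool (ps, top, ls /proc) sees them."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def read_pid_max() -> int:
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        return int(fh.read())


def find_hidden_pids(visible: Set[int],
                     probe: Callable[[int], Optional[int]],
                     pid_max: int) -> Set[int]:
    """Brute-force every PID and report those that answer a probe but were not
    listed. Threads answer at /proc/<tid> without being listed, so an entry
    only counts when its Tgid equals its own number (a process, not a thread)."""
    return {pid for pid in range(1, pid_max + 1)
            if pid not in visible and probe(pid) == pid}


def confirm_hidden(candidates: Set[int], visible_again: Set[int],
                   probe: Callable[[int], Optional[int]]) -> Set[int]:
    """Second pass: a PID that started or exited between the listing and the
    probe is a race, not a rootkit, and drops out here."""
    return {pid for pid in candidates
            if pid not in visible_again and probe(pid) == pid}


def classify_exe_link(target: str) -> str:
    """readlink(/proc/<pid>/exe) ends in ' (deleted)' when the binary was
    unlinked after exec: the on-disk footprint of running 'fileless'."""
    if target.endswith(" (deleted)"):
        return "deleted"
    if target.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        return "tmpfs"
    return "ok"


def suspicious_executables(pids: Iterable[int]) -> Dict[int, str]:
    findings: Dict[int, str] = {}
    for pid in pids:
        try:
            target = os.readlink(f"{PROC}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; others may be unreadable
        if classify_exe_link(target) != "ok":
            findings[pid] = target
    return findings


def scan() -> Dict[str, object]:
    visible = listed_pids()
    candidates = find_hidden_pids(visible, probe_tgid, read_pid_max())
    hidden = confirm_hidden(candidates, listed_pids(), probe_tgid)
    return {
        "hidden_pids": sorted(hidden),
        "suspicious_exe": suspicious_executables(visible | hidden),
        "ld_so_preload_present": os.path.exists("/etc/ld.so.preload"),
    }


if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

Run it as root so every `/proc/<pid>/exe` link is readable. With a `pid_max` of 4194304 (the value systemd sets on 64-bit hosts) the brute-force pass takes tens of seconds in Python; that is acceptable for triage, and a compiled, statically linked port of the same logic is what belongs on an incident-response USB stick.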
## Mitigation Strategies
* **System Hardening:** Make `/etc/ld.so.preload` absent or immutable and alert on any change to it; mount `/tmp`, `/var/tmp` and `/dev/shm` with `noexec`, which also blocks `mmap(PROT_EXEC)` and therefore `dlopen()` of shared objects compiled there, not just direct execution.
* **Compiler Restriction:** Remove `gcc` and other build tools from production environments and non-essential developer workstations.
* **Integrity Monitoring:** Use File Integrity Monitoring (FIM) to alert on changes to `/etc/pam.d/`, the PAM module directories, `/etc/ld.so.preload`, `/etc/shadow`, crontabs, systemd unit directories, and other system startup scripts.
* **Endpoint Security:** Deploy EDR solutions capable of detecting eBPF-based rootkits and process injection.
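The PAM checks above (detecting unauthorized module modifications, and FIM on `/etc/pam.d/`) need a parser that understands the stack syntax, because a diff of raw files tells an analyst that something changed, not what. The following is an added example, not code from the report or from the implant: it parses pam.d-style configuration, including backslash continuations and bracketed control values that contain spaces, and flags the conditions a planted credential tap produces. The trusted module directories, the baseline module set and the sample `common-auth` text are constructed for the example (real module paths are distribution-specific), and the planted module and hook script names in the sample are hypothetical.

```python
"""Audit pam.d stacks for planted modules and credential taps (added example)."""
import glob
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: module directories differ between distributions; extend per fleet.
TRUSTED_MODULE_DIRS = ("/lib/security/", "/lib64/security/",
                       "/usr/lib/security/", "/usr/lib64/security/",
                       "/usr/lib/x86_64-linux-gnu/security/")

# type  control  module  args; a leading '-' on the type is allowed by PAM.
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


@dataclass
class PamRule:
    source: str
    lineno: int
    type: str      # auth, account, password, session, or @include
    control: str   # required, sufficient, [success=1 default=ignore], ...
    module: str    # pam_unix.so, or an absolute path
    args: List[str] = field(default_factory=list)


def parse_pam_config(text: str, source: str = "<inline>") -> List[PamRule]:
    """Parse pam.d-style text, honouring comments, continuations and
    bracketed control values."""
    rules: List[PamRule] = []
    buf, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full = (buf + line).strip()
        buf = ""
        if full.startswith("@include"):
            parts = full.split()
            rules.append(PamRule(source, start, "@include", "",
                                 parts[1] if len(parts) > 1 else ""))
            continue
        m = RULE_RE.match(full)
        if m:
            typ, control, module, rest = m.groups()
            rules.append(PamRule(source, start, typ, control, module, rest.split()))
    return rules


def check_rule(rule: PamRule, baseline: Set[str]) -> Optional[Tuple[str, str]]:
    """(severity, reason) for a suspicious rule, None otherwise; the most
    telling condition for a line wins."""
    if rule.type == "@include":
        return None
    name = os.path.basename(rule.module)
    if "/" in rule.module and not rule.module.startswith(TRUSTED_MODULE_DIRS):
        return ("high", f"module loaded from outside the trusted module directories: {rule.module}")
    if name == "pam_exec.so" and "expose_authtok" in rule.args:
        # expose_authtok feeds the plaintext password to the command on stdin
        return ("high", "pam_exec.so with expose_authtok hands the plaintext password to an external command")
    if name not in baseline:
        return ("medium", f"module {name} is not in the recorded baseline")
    if rule.type == "auth" and name == "pam_permit.so" and rule.control == "sufficient":
        return ("high", "auth sufficient pam_permit.so short-circuits authentication")
    return None


def audit(rules: List[PamRule], baseline: Set[str]) -> List[Tuple[int, str, str]]:
    findings = []
    for r in rules:
        hit = check_rule(r, baseline)
        if hit:
            findings.append((r.lineno, hit[0], f"{r.source}: {hit[1]}"))
    return findings


def audit_directory(path: str, baseline: Set[str]) -> List[Tuple[int, str, str]]:
    findings: List[Tuple[int, str, str]] = []
    for fn in sorted(glob.glob(os.path.join(path, "*"))):
        if os.path.isfile(fn):
            with open(fn) as fh:
                findings += audit(parse_pam_config(fh.read(), fn), baseline)
    return findings


# Constructed baseline and sample for the example; not captured from any host.
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_systemd.so",
            "pam_exec.so", "pam_env.so"}

SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
# the next two entries model a planted module and a credential tap (hypothetical names)
auth    optional                        /dev/shm/.cache/pam_helper.so
auth    optional                        pam_exec.so expose_authtok quiet \\
                                        /usr/local/bin/auth_hook.sh
-session optional                       pam_systemd.so
@include common-password
"""

if __name__ == "__main__":
    for lineno, sev, msg in audit(parse_pam_config(SAMPLE_COMMON_AUTH, "common-auth"), BASELINE):
        print(f"[{sev}] line {lineno}: {msg}")
```

On a live host call `audit_directory("/etc/pam.d", BASELINE)` with a baseline recorded from a known-good image of the same distribution; record the baseline at build time, because a baseline taken after compromise simply enshrines the planted module. The parser handles the pam.d per-service layout only, not the single-file `/etc/pam.conf` format that carries a service name as its first field.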
## Related Tools/Techniques
* **Quasar RAT:** Shares its name with the widely used open-source Windows RAT, but QLNX is a distinct, Linux-specific implant; the shared name should not be read as shared code.
* **BPFdoor:** Linux backdoor that uses BPF socket filters to listen passively for magic packets; the closest prior example of BPF-based stealth on Linux.
* **Rocke/TeamTNT:** Known for targeting cloud/DevOps environments (though QLNX appears more sophisticated).