QLNX: Stealthy Linux RAT Targets Developer Credentials in Software Supply Chain Attacks
A sophisticated and previously undocumented Linux Remote Access Trojan (RAT), dubbed **Quasar Linux RAT (QLNX)**, is actively targeting developer systems. This malware aims to establish a persistent, silent foothold and facilitate credential harvesting, keylogging, and other malicious activities, posing a significant threat to the software supply chain.

**QLNX** targets developers and DevOps environments, focusing on stealing credentials crucial to the software supply chain. According to researchers **Aliakbar Zahravi** and **Ahmed Mohamed Ibrahim** at **Trend Micro**, the malware's primary objective is to gain unauthorized access to sensitive resources.
### Credential Harvesting
The malware's credential harvester is designed to extract secrets from high-value files. These include:
* `.npmrc` (npm tokens)
* `.pypirc` (PyPI credentials)
* `.git-credentials`
* `.aws/credentials`
* `.kube/config`
* `.docker/config.json`
* `.vault-token`
* Terraform credentials
* GitHub CLI tokens
* `.env` files
A successful compromise could allow attackers to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.
### Stealth and Persistence
**QLNX** operates filelessly from memory, disguising itself as a kernel thread (e.g., `kworker` or `ksoftirqd`). It profiles the host to detect containerized environments and wipes system logs to evade detection. The malware employs seven different persistence mechanisms, including systemd, crontab, and `.bashrc` shell injection.
### Command and Control
After exfiltrating collected data to attacker-controlled infrastructure, **QLNX** receives commands enabling:
* Shell command execution
* File management
* Code injection into processes
* Screenshot capture
* Keylogging
* SOCKS proxy and TCP tunnel establishment
* Beacon Object File (BOF) execution
* Peer-to-peer (P2P) mesh network management
Communication with the command-and-control (C2) server occurs over raw TCP, HTTPS, and HTTP. **QLNX** supports 58 distinct commands, granting operators complete control over compromised hosts.
### PAM Backdoor and Rootkit Capabilities
**QLNX** includes a Pluggable Authentication Module (PAM) inline-hook backdoor, intercepting plaintext credentials during authentication events and logging outbound SSH session data. This data is then transmitted to the C2 server. A second PAM-based credential logger is automatically loaded into every dynamically linked process to extract service names, usernames, and authentication tokens.
The malware utilizes a two-tiered rootkit architecture. A userland rootkit, deployed via the Linux dynamic linker's `LD_PRELOAD` mechanism, hides the implant's artifacts and processes. A kernel-level eBPF component conceals processes, files, and network ports from standard userland tools (e.g., `ps`, `ls`, `netstat`) upon receiving instructions from the C2 server.
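Two of the behaviours described above, the kernel-thread disguise in "Stealth and Persistence" and the rootkit hiding processes from `ps` here, can be cross-checked from the host. The script below is an added defensive example, not Trend Micro's code or anything taken from the QLNX sample: it flags processes that carry a kernel-thread name but are not children of `kthreadd` (PID 2), have a non-empty `cmdline`, or have an `exe` link, and it enumerates PIDs by direct `/proc/<pid>` lookup rather than by listing the directory. The thread-name pattern, the constructed sample snapshot and the `memfd` path in it are assumptions for illustration.

```python
import os
import re

# Names genuine kernel threads use; userland code can adopt one via prctl(PR_SET_NAME).
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")
KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd

def is_masquerading(e):
    """Kernel-thread name, but parent is not kthreadd, or cmdline/exe is present."""
    if not KTHREAD_NAME.match(e["name"]):
        return False
    return e["ppid"] != KTHREADD_PID or e["cmdline"] != b"" or e["exe"] is not None

def find_masqueraders(entries):
    """PIDs in a snapshot that carry a kernel-thread name but fail the checks."""
    return [e["pid"] for e in entries if is_masquerading(e)]

def read_entry(pid, proc="/proc"):
    """One snapshot entry from /proc/<pid>, or None if the process is gone."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            cmdline = f.read()
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:  # ENOENT for real kernel threads; EACCES without root
            exe = None
        return {"pid": pid, "name": fields["Name"].strip(),
                "ppid": int(fields["PPid"]), "cmdline": cmdline, "exe": exe}
    except (OSError, KeyError):
        return None

def snapshot(proc="/proc"):
    """Probe PIDs 1..pid_max by path instead of listing /proc: a rootkit that
    filters directory listings blinds ps and ls, not a lookup by name."""
    with open(f"{proc}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    found = (read_entry(p, proc) for p in range(1, pid_max + 1)
             if os.path.isdir(f"{proc}/{p}"))
    return [e for e in found if e]

# Constructed sample: a real kworker, a userland process renamed to look like
# one (parent is PID 1, has a memfd-backed exe), and an ordinary daemon.
SAMPLE = [
    {"pid": 17, "name": "kworker/0:1", "ppid": 2, "cmdline": b"", "exe": None},
    {"pid": 4242, "name": "kworker/u8:3", "ppid": 1, "cmdline": b"", "exe": "/memfd:x (deleted)"},
    {"pid": 900, "name": "sshd", "ppid": 1, "cmdline": b"/usr/sbin/sshd\x00", "exe": "/usr/sbin/sshd"},
]
```

Run `find_masqueraders(snapshot())` as root on a live host, since `/proc/<pid>/exe` of other users' processes is unreadable otherwise. A kernel-level hook such as the eBPF component described above can also filter the path lookup, so treat an empty result as one signal and corroborate from outside the host (network telemetry, a forensic image).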
### Implications
**Trend Micro** emphasizes that **QLNX** is designed for long-term stealth and credential theft. Its danger lies in the coherent chaining of capabilities, allowing it to arrive, erase itself from disk, persist through multiple mechanisms, hide at both user and kernel levels, and harvest critical credentials.