Quasar Linux: Stealthy Malware Implant Targets Software Developers in Supply Chain Attacks
A newly discovered Linux implant, dubbed Quasar Linux (QLNX), is actively targeting developer systems with sophisticated rootkit, backdoor, and credential-stealing capabilities. This malware poses a significant threat to software supply chains by infiltrating development and DevOps environments.

**Quasar Linux (QLNX)**, a previously undocumented Linux implant, is making waves by targeting developers' systems with a potent combination of rootkit, backdoor, and credential-stealing features. This malware kit is strategically deployed within development and DevOps environments built around **npm**, **PyPI**, **GitHub**, **AWS**, **Docker**, and **Kubernetes**, raising serious concerns about potential supply-chain attacks.
### Stealth and Persistence
Researchers at **Trend Micro** have conducted an in-depth analysis of the QLNX implant, revealing its advanced capabilities. The malware dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using **gcc** (GNU Compiler Collection).
According to Trend Micro's report, QLNX is designed for stealth and long-term persistence. It operates in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables to evade detection.
QLNX employs seven distinct persistence mechanisms, including `LD_PRELOAD`, `systemd`, `crontab`, `init.d` scripts, `XDG autostart`, and `.bashrc` injection. This ensures that it loads into every dynamically linked process and respawns if terminated.

### Key Components
QLNX features multiple functional blocks dedicated to specific activities, making it a complete attack tool. Its core components include:
* **RAT core:** A central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.
* **Rootkit:** A dual-layer stealth mechanism combining a userland `LD_PRELOAD` rootkit and a kernel-level eBPF component. The userland layer hooks `libc` functions to hide files, processes, and malware artifacts, while the eBPF layer conceals PIDs, file paths, and network ports at the kernel level. Both are deployed dynamically, with the userland rootkit compiled on the target system.
* **Credential access layer:** Combines credential harvesting (SSH keys, browsers, cloud and developer configs, `/etc/shadow`, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
* **Surveillance module:** Keylogging, screenshot capture, and clipboard monitoring.
* **Networking and lateral movement:** TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking.
* **Execution and injection engine:** Process injection (`ptrace`, `/proc/pid/mem`) and in-memory execution of payloads (shared objects, BOF/COFF).
* **Filesystem monitoring:** Real-time tracking of file activity via `inotify`.

### Attack Chain
After initial access, QLNX establishes a fileless foothold, deploys persistence and stealth mechanisms, and then harvests developer and cloud credentials. By targeting developer workstations, attackers can bypass enterprise security controls and access the credentials that underpin software delivery pipelines.

This approach mirrors recent supply chain incidents where stolen developer credentials were used to publish trojanized packages to public repositories.
### Detection and Mitigation
Trend Micro has not provided details about specific attacks or any attribution for QLNX, so the deployment volume and specific activity levels of this new malware are unclear.
Currently, the Quasar Linux implant is detected by only four security solutions, which flag its binary as malicious. Trend Micro has provided indicators of compromise (IoCs) to aid defenders in detecting QLNX infections and implementing protective measures.
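As an added example (not Trend Micro's code and nothing from the QLNX kit), the following Python script audits the persistence locations the report names: `/etc/ld.so.preload` and `LD_PRELOAD` exports, systemd units, crontabs, `init.d` scripts, XDG autostart entries and `.bashrc`. The suspicious-path heuristic and the sample fixture are constructed assumptions for illustration, not indicators from the report.

```python
import glob, os, re, tempfile

# Persistence locations the report names, as globs relative to the audited root.
LOCATIONS = {
    "ld.so.preload": ["etc/ld.so.preload"],
    "systemd": ["etc/systemd/system/*.service", "home/*/.config/systemd/user/*.service"],
    "crontab": ["etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*"],
    "init.d": ["etc/init.d/*"],
    "xdg-autostart": ["etc/xdg/autostart/*.desktop", "home/*/.config/autostart/*.desktop"],
    "bashrc": ["home/*/.bashrc", "root/.bashrc", "etc/bash.bashrc"],
}
# Assumed heuristic (not an IoC list): LD_PRELOAD assignments, or commands run from world-writable or hidden directories.
SUSPICIOUS = re.compile(r"LD_PRELOAD|/(?:tmp|var/tmp|dev/shm)/|/\.[A-Za-z0-9_-]+/")

def audit_persistence(root="/"):
    """Return [(location, path, line)] for every notable line found under root."""
    hits = []
    for location, patterns in LOCATIONS.items():
        for pattern in patterns:
            for path in sorted(glob.glob(os.path.join(root, pattern))):
                if not os.path.isfile(path):  # cron.d/init.d globs can match directories
                    continue
                with open(path, errors="replace") as fh:
                    for line in map(str.strip, fh):
                        if not line or line.startswith("#"):
                            continue
                        # Any entry in ld.so.preload is worth a look on a developer box.
                        if location == "ld.so.preload" or SUSPICIOUS.search(line):
                            hits.append((location, path, line))
    return hits

def build_sample_root():
    """Constructed fixture (not real IoCs): a fake root with one planted entry per location."""
    root = tempfile.mkdtemp(prefix="qlnx-audit-")
    files = {
        "etc/ld.so.preload": "/dev/shm/.x/libsys.so\n",
        "etc/systemd/system/sysupdate.service": "[Service]\nExecStart=/var/tmp/.cache/upd\n",
        "etc/cron.d/upd": "0 3 * * * root /usr/sbin/logrotate\n* * * * * root /tmp/.u/run\n",
        "etc/init.d/netcfg": "#!/bin/sh\n/dev/shm/.n/netcfg &\n",
        "home/dev/.config/autostart/upd.desktop": "[Desktop Entry]\nExec=/tmp/.u/run\n",
        "home/dev/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/dev/shm/.x/libsys.so\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print("\n".join(f"[{loc}] {path}: {text}" for loc, path, text in audit_persistence()))
```

Run as root to cover every user's home and the system crontabs; each hit is a lead for manual review, since legitimate tooling (for example a preloaded allocator) can land in the same locations.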