Quasar Linux malware targets DevOps environments

https://www.techzine.eu/news/devops/141072/quasar-linux-malware-targets-devops-environments/

Publish Date: 2026-05-06 05:58:00

Source Domain: www.techzine.eu

Security researchers have discovered a new Linux malware campaign targeting software developers and DevOps infrastructure. The malware, known as Quasar Linux or QLNX, combines extensive espionage capabilities with techniques designed to remain hidden on infected systems for extended periods.

Researchers at Trend Micro describe QLNX as a modular platform that combines rootkit functionality, remote access, and credential theft, among other capabilities. According to BleepingComputer, the malware is being actively deployed in environments where developers work with services and platforms such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. The researchers warn that this poses a risk of supply-chain attacks, in which malicious actors distribute malware through popular code distribution channels.

Stealth techniques hinder detection

A notable feature of the malware is its attempts to evade detection. QLNX runs primarily in system memory and erases traces of its presence by clearing log files and altering process names. The malware also compiles certain components directly on the infected system, including rootkit components and PAM modules for intercepting authentication data.

According to Trend Micro, QLNX employs multiple methods to remain active, even after processes are terminated or systems are rebooted. To do so, the malware leverages various Linux mechanisms, including systemd services, cron jobs, init scripts, and modifications to bash configuration files. This allows the malware to embed itself deep within the system.
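A defender reading the two paragraphs above will want a quick way to audit exactly those locations (systemd units, cron directories, init scripts, bash configuration files and PAM module directories) for changes since a known-good baseline. The following script is an added example, not code from the article or from Trend Micro's analysis; the directory list, the temp-path heuristic for rc files and the sample tree it builds are all assumptions constructed for illustration, not QLNX indicators.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Persistence locations the article names: systemd, cron, init scripts,
# bash configuration, and PAM module directories (paths are assumptions).
PERSIST_DIRS = [
    "etc/systemd/system", "usr/lib/systemd/system",
    "etc/cron.d", "etc/cron.daily", "var/spool/cron/crontabs",
    "etc/init.d", "lib/security", "lib/x86_64-linux-gnu/security",
]
BASH_CONFIGS = ["etc/bash.bashrc", "etc/profile", "root/.bashrc", "root/.profile"]
# Heuristic (assumption): rc lines that source or run code from a temp filesystem.
SUSPICIOUS_RC = re.compile(r"(?:^|[\s;&|])(?:source|\.|bash|sh|nohup)\s+(?:/tmp|/dev/shm|/var/tmp)/")

def audit_persistence(root, baseline_epoch):
    """Return (path, reason) findings under root: persistence files newer than
    the baseline timestamp, and bash rc lines that execute from temp paths."""
    root = Path(root)
    findings = []
    for rel in PERSIST_DIRS:
        d = root / rel
        if d.is_dir():
            for p in d.rglob("*"):
                if p.is_file() and p.stat().st_mtime > baseline_epoch:
                    findings.append((str(p.relative_to(root)), "modified after baseline"))
    for rel in BASH_CONFIGS:
        f = root / rel
        if f.is_file():
            for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
                if SUSPICIOUS_RC.search(line):
                    findings.append((f"{rel}:{n}", "rc file runs code from temp path"))
    return findings

def build_sample_tree():
    """Constructed toy filesystem for the demo (not real artifacts from any host)."""
    root = Path(tempfile.mkdtemp())
    baseline = time.time() - 86400          # known-good snapshot taken a day ago
    (root / "etc/systemd/system").mkdir(parents=True)
    old = root / "etc/systemd/system/ssh.service"
    old.write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    os.utime(old, (baseline - 3600, baseline - 3600))   # predates the baseline
    (root / "etc/systemd/system/update-cache.service").write_text(
        "[Service]\nExecStart=/dev/shm/.cache/worker\n")   # new unit, constructed
    (root / "root").mkdir()
    (root / "root/.bashrc").write_text("alias ll='ls -l'\n. /dev/shm/.cache/env.sh\n")
    return root, baseline

if __name__ == "__main__":
    root, baseline = build_sample_tree()
    for path, why in audit_persistence(root, baseline):
        print(f"{path}: {why}")
```

On a real host, run it against `/` with the timestamp of your last trusted image; timestamps can be faked, so treat a clean result as one signal, not proof of absence.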

QLNX’s functionality extends beyond persistent access. The malware includes capabilities for keylogging, taking screenshots, and monitoring clipboard content. Additionally, it can collect system data, steal SSH keys, and gain access to cloud configurations and browser data. Files such as /etc/shadow, where Linux systems store password hashes, are also among the targets.
