Quasar Linux (QLNX): A Supply Chain Foothold with Full RAT Capabilities

https://socprime.com/active-threats/qlnx-linux-rat-uses-rootkit-and-pam-backdoor/

Publish Date: 2026-05-06 12:25:00

Source Domain: socprime.com

Summary

Quasar Linux (QLNX) is an advanced Linux remote access trojan that combines a user-space and eBPF rootkit with a PAM backdoor and broad credential-harvesting capabilities. The malware supports fileless execution, process name masquerading, and several persistence techniques that help it remain hidden on infected systems. Its focus on developer workstations makes it especially dangerous for supply-chain abuse, as it can steal tokens, SSH keys, and cloud credentials. The malware also uses encrypted communications and supports a peer-to-peer mesh architecture to improve resilience and maintain access.

Investigation

Trend Micro researchers obtained the QLNX binary and conducted both static and dynamic analysis, uncovering embedded source code for the rootkit and PAM backdoor components. Their investigation documented the malware’s ability to compile components directly on the target host, the range of persistence mechanisms it uses, and the full command set supported by the implant. Network analysis also revealed a custom TLS-based protocol and a distinctive magic identifier used in communications. From this work, researchers extracted indicators of compromise to support hunting and detection.

Mitigation

Defenders should look for QLNX by monitoring for its unique mutex lock file, suspicious LD_PRELOAD entries, and unusual gcc compilation commands that generate malicious shared objects. Organizations should also block execution of unknown binaries named quasar-implant and restrict write access to /etc/ld.so.preload. Multi-factor authentication should be enforced for developer accounts, and security teams should monitor closely for attempts to exfiltrate credential stores and sensitive token files.
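As an added example (not code from the report or from Trend Micro), the following Python triage helper applies the hunting points above to constructed input: it flags /etc/ld.so.preload entries outside the standard library directories, processes named quasar-implant or carrying an untrusted LD_PRELOAD, and gcc invocations that build a shared object from stdin or temporary directories. The trusted and suspicious directory lists, the sample preload file contents and the sample process records are assumptions made up for the example.

```python
import shlex

# Assumptions (constructed for this example, tune per distribution):
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
IMPLANT_NAME = "quasar-implant"  # binary name the report says to block


def check_ld_so_preload(content: str) -> list:
    """Alert on /etc/ld.so.preload entries outside the trusted library directories."""
    alerts = []
    for line in content.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if not path.startswith(TRUSTED_LIB_DIRS) or "/." in path:
            alerts.append(f"preload entry outside trusted dirs: {path}")
    return alerts


def check_process(cmdline: str, environ: dict) -> list:
    """Alert on the implant name, LD_PRELOAD from an untrusted path, and on-host .so builds."""
    alerts = []
    argv = shlex.split(cmdline)
    if not argv:
        return alerts
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == IMPLANT_NAME:
        alerts.append(f"known implant name executed: {argv[0]}")
    preload = environ.get("LD_PRELOAD", "")
    if preload and not preload.startswith(TRUSTED_LIB_DIRS):
        alerts.append(f"LD_PRELOAD points outside trusted dirs: {preload}")
    if prog in ("gcc", "cc", "clang") and "-shared" in argv:
        out = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else ""
        # source read from stdin or a temp dir suggests embedded code compiled on the host
        odd_src = any(a == "-" or a.startswith(SUSPICIOUS_DIRS) for a in argv[1:])
        if out.startswith(SUSPICIOUS_DIRS) or "/." in out or odd_src:
            alerts.append(f"shared object built from unusual location: {cmdline}")
    return alerts


# Constructed sample input: one trusted preload entry, one hidden temp-dir entry.
SAMPLE_PRELOAD = "/usr/lib/libtrusted.so\n/tmp/.cache/libx.so\n"
# Constructed sample process records: (command line, environment)
SAMPLE_PROCESSES = [
    ("gcc -O2 -shared -fPIC -o /tmp/.cache/libx.so -x c -", {}),
    ("/tmp/.cache/quasar-implant", {"LD_PRELOAD": "/tmp/.cache/libx.so"}),
    ("gcc -shared -fPIC -o /home/dev/proj/build/libfoo.so /home/dev/proj/foo.c", {}),
    ("sshd -D", {}),
]


def triage(preload_content: str, processes: list) -> list:
    """Run both checks and return every alert raised."""
    alerts = check_ld_so_preload(preload_content)
    for cmdline, environ in processes:
        alerts.extend(check_process(cmdline, environ))
    return alerts
```

Feed it the real /etc/ld.so.preload contents and a process listing with environments (for example from /proc/PID/cmdline and /proc/PID/environ) to run it against a live host.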

Response

If QLNX indicators are found, isolate the affected system immediately, collect memory and disk images, and terminate the malicious process. Remove unauthorized entries from /etc/ld.so.preload, delete the compiled malicious .so files,…

Source