Sophisticated Quasar Linux RAT Campaign Targets Software Developers in Supply Chain Attacks

https://www.cxodigitalpulse.com/sophisticated-quasar-linux-rat-campaign-targets-software-developers-in-supply-chain-attacks/

Publish Date: 2026-05-06 07:09:00

Source Domain: www.cxodigitalpulse.com

Cybersecurity researchers have uncovered a sophisticated Linux-based remote access trojan (RAT) known as Quasar Linux, or QLNX, that is actively targeting software developers and engineering environments. The malware is designed to steal credentials, maintain persistent remote access, and potentially facilitate larger supply chain attacks.

According to researchers, the malware demonstrates advanced persistence and evasion capabilities, allowing attackers to quietly maintain long-term access within compromised systems. Once installed, the RAT enables remote command execution, surveillance, credential theft, and exfiltration of sensitive development data, making developer environments a primary target.

The campaign appears closely linked to broader supply chain attack activity involving trojanized software installers and compromised developer ecosystems. Researchers recently connected related operations to malicious versions of Daemon Tools, where attackers injected backdoors into legitimate software distributed through official channels.

In the Daemon Tools campaign, attackers reportedly compromised signed binaries and used them to distribute malware globally across more than 100 countries. While thousands of systems received initial payloads, only a select number of high-value targets—including government, scientific, manufacturing, and retail organizations—received more advanced implants such as QUIC RAT and Quasar Linux components.

Security researchers believe the attackers used staged deployment techniques, first collecting system information at scale before selectively deploying advanced malware only to systems of strategic interest. This targeted approach suggests possible cyberespionage objectives rather than indiscriminate cybercrime.

The malware’s focus on developers is particularly concerning because compromised engineering environments can provide attackers with access to source code, signing keys, CI/CD pipelines, cloud infrastructure…
