Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence

https://securityaffairs.com/191898/malware/quasar-linux-rat-qlnx-a-fileless-linux-implant-built-for-stealth-and-persistence.html

Publish Date: 2026-05-09 09:13:00

Source Domain: securityaffairs.com

Pierluigi Paganini
May 09, 2026

Researchers uncovered QLNX, a Linux RAT targeting developers to steal credentials, log keystrokes, monitor systems, and enable remote access.

Security researchers discovered a previously undocumented Linux malware called Quasar Linux RAT (QLNX) that targets developers and DevOps environments. The malicious code can steal credentials, log keystrokes, manipulate files, monitor clipboard activity, and create network tunnels for remote access. Experts warn it poses a serious supply chain risk by targeting systems used in software development workflows.

“Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features. The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary,” reads the report published by Trend Micro. “It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc, then deploys them via /etc/ld.so.preload for system-wide interception.”

QLNX is a powerful Linux remote access trojan that runs directly from memory to avoid detection, hides its activity using eBPF, wipes logs, and checks whether it is running inside containerized environments. It collects extensive information, including system details, clipboard data, shell history, SSH keys, Firefox profiles, and credentials through a malicious PAM module.
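Two of the traits described above, the system-wide hook installed through /etc/ld.so.preload and execution directly from memory, leave artifacts a defender can check for during triage. The script below is an added example written for this article; it is not code from Trend Micro or from the malware. It parses /etc/ld.so.preload the way the glibc loader does (whitespace- or colon-separated entries, `#` comments), flags any entry outside a site-specific allowlist (assumed empty here, since on most hosts the file should not exist), and lists processes whose `/proc/<pid>/exe` link points at a memfd or deleted file, which is what a fileless loader looks like. The sample preload text and `/proc` link map are constructed for illustration. One caveat from the report itself: an LD_PRELOAD rootkit hooks the libc calls that a dynamically linked interpreter such as Python makes, so on a host suspected of compromise run checks like these from a statically linked tool or against a mounted offline image rather than trusting the live view.

```python
"""Triage checks for /etc/ld.so.preload entries and memfd-backed processes.

Added example for this article; not the report's or the malware's code.
Sample inputs below are constructed, not captured from a real infection.
"""
import os
import re

# Assumption: a site-specific allowlist of shared objects that are expected
# in /etc/ld.so.preload. Empty by default; most hosts have no such file.
PRELOAD_ALLOWLIST: frozenset[str] = frozenset()

# Constructed sample content of /etc/ld.so.preload (not real IoCs).
SAMPLE_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/example-hook.so /tmp/.cache/libexample.so:"
    "/usr/lib/x86_64-linux-gnu/libeatmydata.so\n"
)

# Constructed sample of pid -> os.readlink('/proc/<pid>/exe') results.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    999: "/usr/bin/bash",
    1337: "/tmp/example-agent (deleted)",   # binary unlinked after exec
    4242: "/memfd:example (deleted)",        # memfd_create()-backed image
}


def parse_preload(text: str) -> list[str]:
    """Split ld.so.preload content the way the glibc loader does.

    Entries are separated by whitespace or ':'; '#' starts a comment that runs
    to end of line.
    """
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def suspicious_preload_entries(
    text: str, allowlist: frozenset[str] = PRELOAD_ALLOWLIST
) -> list[str]:
    """Return every preload entry that is not explicitly allowlisted."""
    return [p for p in parse_preload(text) if p not in allowlist]


def memfd_backed_pids(proc_exe_links: dict[int, str]) -> list[int]:
    """Return pids whose executable exists only in memory.

    A memfd_create() image shows as '/memfd:<name> (deleted)'; an on-disk
    binary removed after exec shows as '<path> (deleted)'. Both deserve a look.
    """
    return sorted(
        pid
        for pid, target in proc_exe_links.items()
        if target.startswith("/memfd:") or target.endswith(" (deleted)")
    )


def collect_proc_exe_links(proc_root: str = "/proc") -> dict[int, str]:
    """Read /proc/<pid>/exe for every numeric entry we are allowed to see."""
    links: dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue  # process exited, or not ours to inspect without root
    return links


def read_preload(path: str = "/etc/ld.so.preload") -> str:
    """Return the file's content, or '' when it is absent (the normal case)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Run against the live host; point at a mounted image by changing the paths.
    print("preload entries not allowlisted:",
          suspicious_preload_entries(read_preload()))
    print("memory-only executables (pids):",
          memfd_backed_pids(collect_proc_exe_links()))
```

Run it as root so that every `/proc/<pid>/exe` link is readable; a non-empty result from either check is a lead, not a verdict, and the next step is to pull the named shared object or the process image for analysis.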

QLNX communicates with attackers through encrypted channels and supports a wide range of commands, including remote shell access, file management, code injection, screenshot capture, keylogging, SOCKS proxies, and network tunneling. The malware also includes several persistence methods, allowing it to survive reboots and…
