{"id":241199,"date":"2026-05-06T12:25:00","date_gmt":"2026-05-06T16:25:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/quasar-linux-qlnx-a-supply-chain-foothold-with-full-rat-capabilities\/"},"modified":"2026-05-07T16:05:14","modified_gmt":"2026-05-07T20:05:14","slug":"quasar-linux-qlnx-a-supply-chain-foothold-with-full-rat-capabilities","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/quasar-linux-qlnx-a-supply-chain-foothold-with-full-rat-capabilities\/","title":{"rendered":"Quasar Linux (QLNX): A Supply Chain Foothold with Full RAT Capabilities"},"content":{"rendered":"<p><a href=\"https:\/\/socprime.com\/active-threats\/qlnx-linux-rat-uses-rootkit-and-pam-backdoor\/\">Quasar Linux (QLNX): A Supply Chain Foothold with Full RAT Capabilities<\/a><\/p>\n<p><a href=\"https:\/\/socprime.com\/active-threats\/qlnx-linux-rat-uses-rootkit-and-pam-backdoor\/\">https:\/\/socprime.com\/active-threats\/qlnx-linux-rat-uses-rootkit-and-pam-backdoor\/<\/a><\/p>\n<p>Publish Date: 2026-05-06 12:25:00<\/p>\n<p>Source Domain: socprime.com<\/p>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Summary\"\/>Summary<span class=\"ez-toc-section-end\"\/><\/h2>\n<p>Quasar Linux (QLNX) is an advanced Linux remote access trojan that combines a user-space and eBPF rootkit with a PAM backdoor and broad credential-harvesting capabilities. The malware supports fileless execution, process name masquerading, and several persistence techniques that help it remain hidden on infected systems. Its focus on developer workstations makes it especially dangerous for supply-chain abuse, as it can steal tokens, SSH keys, and cloud credentials. The malware also uses encrypted communications and supports a peer-to-peer mesh architecture to improve resilience and maintain access.<\/p>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Investigation\"\/>Investigation<span class=\"ez-toc-section-end\"\/><\/h2>\n<p>Trend Micro researchers obtained the QLNX binary and conducted both static and dynamic analysis, uncovering embedded source code for the rootkit and PAM backdoor components. Their investigation documented the malware\u2019s ability to compile components directly on the target host, the range of persistence mechanisms it uses, and the full command set supported by the implant. Network analysis also revealed a custom TLS-based protocol and a distinctive magic identifier used in communications. From this work, researchers extracted indicators of compromise to support hunting and detection.<\/p>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Mitigation\"\/>Mitigation<span class=\"ez-toc-section-end\"\/><\/h2>\n<p>Defenders should look for QLNX by monitoring for its unique mutex lock file, suspicious LD_PRELOAD entries, and unusual gcc compilation commands that generate malicious shared objects. Organizations should also block execution of unknown binaries named quasar-implant and restrict write access to \/etc\/ld.so.preload. Multi-factor authentication should be enforced for developer accounts, and security teams should monitor closely for attempts to exfiltrate credential stores and sensitive token files.<\/p>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Response\"\/>Response<span class=\"ez-toc-section-end\"\/><\/h2>\n<p>If QLNX indicators are found, isolate the affected system immediately, collect memory and disk images, and terminate the malicious process. Remove unauthorized entries from \/etc\/ld.so.preload, delete the compiled malicious .so files,&#8230;<\/p>\n<p><a href=\"https:\/\/socprime.com\/active-threats\/qlnx-linux-rat-uses-rootkit-and-pam-backdoor\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quasar Linux (QLNX): A Supply Chain Foothold with Full RAT Capabilities https:\/\/socprime.com\/active-threats\/qlnx-linux-rat-uses-rootkit-and-pam-backdoor\/ Publish Date: 2026-05-06&#8230;<\/p>\n","protected":false},"author":1,"featured_media":241200,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/socprime.com\/wp-content\/uploads\/Image_bg.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,57],"class_list":["post-241199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241199"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=241199"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241199\/revisions"}],"predecessor-version":[{"id":241201,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241199\/revisions\/241201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/241200"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=241199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":
"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=241199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=241199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}