Researchers uncovered QLNX, a Linux RAT targeting developers to steal credentials, log keystrokes, monitor systems, and enable remote access.
Security researchers discovered a previously undocumented Linux malware called Quasar Linux RAT (QLNX) that targets developers and DevOps environments. The malicious code can steal credentials, log keystrokes, manipulate files, monitor clipboard activity, and create network tunnels for remote access. Experts warn it poses a serious supply chain risk by targeting systems used in software development workflows.
“Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features. The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.” reads the report published by Trend Micro. “It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc, then deploys them via /etc/ld.so.preload for system-wide interception.”
QLNX is a powerful Linux remote access trojan that runs directly from memory to avoid detection, hides its activity using eBPF, wipes logs, and checks whether it is running inside containerized environments. It collects extensive information, including system details, clipboard data, shell history, SSH keys, Firefox profiles, and credentials through a malicious PAM module.
QLNX communicates with attackers through encrypted channels and supports a wide range of commands, including remote shell access, file management, code injection, screenshot capture, keylogging, SOCKS proxies, and network tunneling. The malware also includes several persistence methods, allowing it to survive reboots and maintain long-term access to infected Linux systems.
QLNX is a sophisticated Linux malware designed to operate entirely from memory and avoid leaving traces on disk. After execution, it copies itself into a RAM-backed file using memfd_create, deletes the original binary, and re-launches directly from memory using execveat or /proc/self/fd/<memfd> as a fallback. It uses the _MFD_RE environment variable to prevent infinite re-execution loops.
The malware then profiles the infected system, checking privileges, kernel version, SELinux status, containerization, GCC availability, X11 access, and support for process injection or keylogging. Based on these results, it selectively enables capabilities.
To evade detection, QLNX disguises itself as legitimate kernel threads such as [kworker/0:0] and rewrites process metadata visible in ps, top, and /proc. It also removes forensic environment variables and prevents multiple instances by creating a fake X11 lock file in /tmp.
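The two tricks described above (re-executing from a memfd and posing as a kernel thread) both leave contradictions in /proc that a defender can check for. The script below is an added example written for this article, not tooling from Trend Micro or from the report: it walks a /proc tree, flags processes whose `exe` link points at a memfd or deleted file, flags kernel-thread-style names whose metadata does not match a real kernel thread (real ones have no readable `exe`, an empty `cmdline`, and PID 2 as parent), and looks for the `_MFD_RE` variable the report says the loader uses. The `build_fixture()` function creates a constructed, fake /proc directory for testing; the PIDs, names and values in it are made up.

```python
import os
import re
import tempfile

# Names that a genuine kernel thread may carry; an implant masquerading as one
# (the report names [kworker/0:0]) matches the same pattern.
KTHREAD_NAME = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def _ppid(status):
    for line in (status or b"").decode(errors="replace").splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return None


def inspect_process(pid, proc_root="/proc"):
    """Return the list of indicators found for one PID (empty if nothing is odd)."""
    d = os.path.join(proc_root, str(pid))
    findings = []
    try:
        exe = os.readlink(os.path.join(d, "exe"))
    except OSError:  # kernel threads have no exe; other users' processes give EACCES
        exe = None
    cmdline = _read(os.path.join(d, "cmdline")) or b""
    comm = (_read(os.path.join(d, "comm")) or b"").decode(errors="replace").strip()
    ppid = _ppid(_read(os.path.join(d, "status")))
    environ = _read(os.path.join(d, "environ")) or b""

    # A process re-executed from memfd_create shows "/memfd:<name> (deleted)" as its exe.
    if exe and "/memfd:" in exe:
        findings.append("exe_is_memfd")
    elif exe and exe.endswith("(deleted)"):
        findings.append("exe_deleted")  # binary removed from disk after launch

    # Real kernel threads: no exe link, empty cmdline, parent kthreadd (PID 2) or PID 0.
    name = cmdline.split(b"\0", 1)[0].decode(errors="replace") if cmdline else comm
    if KTHREAD_NAME.match(name) and (
        exe is not None or cmdline.strip(b"\0") or ppid not in (0, 2)
    ):
        findings.append("fake_kernel_thread")

    # Environment variable the report says the loader uses to stop re-exec loops.
    if any(v.startswith(b"_MFD_RE=") for v in environ.split(b"\0")):
        findings.append("mfd_re_env")
    return findings


def scan(proc_root="/proc"):
    """Map PID -> indicators for every process that raised at least one."""
    results = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            found = inspect_process(int(entry), proc_root)
            if found:
                results[int(entry)] = found
    return results


def build_fixture():
    """Constructed /proc look-alike (not real data): one implant-like process,
    one genuine kernel thread and one ordinary shell."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def proc(pid, exe, cmdline, comm, ppid, environ=b""):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        if exe is not None:
            os.symlink(exe, os.path.join(d, "exe"))  # dangling targets are fine here
        status = b"Name:\t%s\nPPid:\t%d\n" % (comm, ppid)
        for name, data in (("cmdline", cmdline), ("comm", comm + b"\n"),
                           ("status", status), ("environ", environ)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)

    proc(4242, "/memfd:kworker (deleted)", b"[kworker/0:0]\0", b"kworker/0:0", 1,
         b"_MFD_RE=1\0HOME=/root\0")
    proc(17, None, b"", b"kworker/0:0", 2)
    proc(1000, "/usr/bin/bash", b"bash\0", b"bash", 999, b"HOME=/home/dev\0")
    return root


if __name__ == "__main__":
    for pid, found in sorted(scan().items()):
        print(pid, ", ".join(found))
```

Run it as root to see every process; unprivileged runs still catch processes owned by the same user, and a kernel-thread name on a process that has a non-empty cmdline is visible regardless of privilege. The `_MFD_RE` check is the weakest signal, since the report also says the implant scrubs environment variables it considers forensic.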
Once established, QLNX initializes 58 command handlers and connects to its C2 server over a custom TLS-based protocol, HTTPS, or HTTP. It sends a beacon containing system details, privilege level, geolocation, machine fingerprint, hostname, and network data. The malware supports extensive post-compromise functions including shell access, file management, persistence, credential theft, SSH lateral movement, screenshots, keylogging, rootkits, SOCKS proxies, port forwarding, log wiping, PAM credential hooks, eBPF hiding, and in-memory BOF execution.
QLNX supports three communication channels (raw TCP, HTTPS, and HTTP), all carrying the same binary command protocol. TCP and HTTPS are protected with TLS, while HTTP is used in plaintext during analysis or fallback scenarios.
Every session begins with the 4-byte magic value “QLNX” (0x51 4C 4E 58), which identifies and initializes the protocol. In TCP/TLS mode, it is embedded in the initial check-in packet; in HTTPS/HTTP, it is sent as a standalone payload or encoded in requests. After this, the server responds with session state data (e.g., cookies or IDs).
In the default raw TLS mode, QLNX uses a custom length-prefixed binary protocol after disabling certificate validation. A four-step handshake precedes full bidirectional communication, after which a persistent command loop is established.
For HTTP/HTTPS, the malware uses POST requests to send Base64-encoded data and GET requests to poll for commands every five seconds. Session tracking relies on a server-generated hex ID passed via URL and cookies. Before contacting the C2, it queries ip-api.com to obtain geolocation data, which is included in the initial registration packet alongside a machine fingerprint derived from system identifiers.
After registration, the server issues ACK and confirmation packets before enabling command execution. If no commands are available, responses remain empty; otherwise, Base64-encoded payloads are decoded, dispatched via a handler table, executed locally, and results are returned to the C2.
The persistence subsystem includes seven mechanisms such as systemd services, cron jobs, init scripts, XDG autostart entries, and LD_PRELOAD-based injection. Artifacts are tagged with “QLNX_MANAGED” for tracking.

LD_PRELOAD persistence is particularly aggressive: a compiled shared library is injected into all dynamically linked processes, ensuring reinfection on any program execution. Even basic commands like ls or ps can respawn the malware if the preload entry remains.
QLNX also implements two PAM backdoors that compile on the target system, enabling credential harvesting and authentication interception. Logs are stored in hidden files and optionally exfiltrated.
“QLNX incorporates a PAM backdoor with inline hooking, enabling plaintext credential interception during authentication. It uses the hardcoded master password O$$f$QtYJK and XOR-encrypted credential harvesting to /var/log/.ICE-unix.” continues the report.
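The persistence, LD_PRELOAD and PAM details above give a responder concrete places to look: `/etc/ld.so.preload` (absent on most systems), the `QLNX_MANAGED` tag in systemd, cron, init and XDG autostart artifacts, PAM configurations that load a module from an unusual path, and the `/var/log/.ICE-unix` path named in the report. The audit below is an added example written for this article, not the report's or Trend Micro's tooling. It takes a root directory so it can be pointed at a mounted image; the PAM check (flagging absolute module paths outside `/lib`, `/lib64`, `/usr/lib`, `/usr/lib64`) is a heuristic of mine, not something the report states, and `build_fixture()` creates a constructed filesystem with made-up file names for testing.

```python
import os
import re
import tempfile

MARKER = b"QLNX_MANAGED"
# Locations of the persistence types the report names, relative to the audited root.
MARKER_PATHS = [
    "etc/systemd/system", "etc/cron.d", "etc/crontab", "etc/init.d",
    "etc/xdg/autostart", "var/spool/cron", "etc/ld.so.preload",
]
USER_PATHS = [".config/systemd/user", ".config/autostart",
              ".bashrc", ".profile", ".bash_profile", ".zshrc"]
TRUSTED_MODULE_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")  # assumption


def _files_under(path, limit_bytes=1 << 20):
    """Yield regular files at or below path, skipping anything unreadable or huge."""
    if os.path.isfile(path):
        yield path
        return
    for dirpath, _, names in os.walk(path):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                if os.path.isfile(p) and os.path.getsize(p) <= limit_bytes:
                    yield p
            except OSError:
                continue


def _lines(path):
    try:
        with open(path, "rb") as f:
            return f.read().splitlines()
    except OSError:
        return []


def _user_homes(root):
    homes = [os.path.join(root, "root")]
    home_dir = os.path.join(root, "home")
    if os.path.isdir(home_dir):
        homes += [os.path.join(home_dir, u) for u in os.listdir(home_dir)]
    return homes


def audit_persistence(root="/"):
    """Return (kind, path, detail) tuples for every indicator found under root."""
    findings = []

    # 1. ld.so.preload entries: every non-comment line is a library injected system-wide.
    preload = os.path.join(root, "etc/ld.so.preload")
    for line in _lines(preload):
        line = line.strip()
        if line and not line.startswith(b"#"):
            findings.append(("ld_so_preload_entry", preload, line.decode(errors="replace")))

    # 2. The QLNX_MANAGED tag in system and per-user persistence artifacts.
    candidates = [os.path.join(root, p) for p in MARKER_PATHS]
    for home in _user_homes(root):
        candidates += [os.path.join(home, p) for p in USER_PATHS]
    for c in candidates:
        for path in _files_under(c):
            if any(MARKER in line for line in _lines(path)):
                findings.append(("qlnx_marker", path, MARKER.decode()))

    # 3. PAM modules referenced by absolute path outside the trusted library dirs.
    for path in _files_under(os.path.join(root, "etc/pam.d")):
        for line in _lines(path):
            for mod in re.findall(rb"(/\S+\.so)\b", line):
                if not mod.decode(errors="replace").startswith(TRUSTED_MODULE_DIRS):
                    findings.append(("pam_module_untrusted_path", path, mod.decode()))

    # 4. The credential dump location named in the report (the legitimate
    #    .ICE-unix directory lives under /tmp, not /var/log).
    dump = os.path.join(root, "var/log/.ICE-unix")
    if os.path.lexists(dump):
        findings.append(("credential_log_path", dump, ""))
    return findings


def build_fixture():
    """Constructed filesystem image with made-up artifacts, used only for testing."""
    root = tempfile.mkdtemp(prefix="qlnx-audit-")

    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)

    put("etc/ld.so.preload", b"/usr/lib/.cache/libx.so\n")
    put("etc/systemd/system/update.service", b"# QLNX_MANAGED\n[Service]\nExecStart=/tmp/.u\n")
    put("etc/systemd/system/ssh.service", b"[Service]\nExecStart=/usr/sbin/sshd\n")
    put("etc/cron.d/backup", b"* * * * * root /opt/backup.sh\n")
    put("home/dev/.config/autostart/x.desktop", b"[Desktop Entry]\nX-Comment=QLNX_MANAGED\n")
    put("etc/pam.d/sshd", b"auth required pam_unix.so\nauth optional /tmp/.x/pam_hook.so\n")
    put("etc/pam.d/login", b"auth required /lib/security/pam_unix.so\n")
    put("var/log/.ICE-unix", b"\x00\x01")
    return root


if __name__ == "__main__":
    for kind, path, detail in audit_persistence("/"):
        print(f"{kind:28} {path} {detail}")
```

Because the preload library hooks every dynamically linked program, run the audit from a statically linked interpreter or against an offline image where possible; a hooked `readdir` or `open` on the live host can hide exactly the files this script looks for.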
A userland rootkit hides files, processes, and binaries by hooking libc functions via LD_PRELOAD, while an optional eBPF controller manipulates kernel maps to hide processes, files, and ports at kernel level.
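A userland rootkit that hides processes by hooking libc's directory-listing functions can be caught with a cross-view check: enumerate PIDs once through the hooked path (a listing of /proc) and once through a path the hook does not cover (`kill(pid, 0)`, which reports EPERM rather than ESRCH for processes you may not signal), then report PIDs that exist but never appear in the listing. The code below is an added example for this article, not tooling from the report; listing /proc before and after the probe, and re-confirming each candidate, removes most PIDs that merely started or exited during the scan.

```python
import os


def listed_pids(proc_root="/proc"):
    """PIDs visible through a directory listing of /proc. This goes through
    libc's readdir(), which is the call a userland LD_PRELOAD rootkit hooks."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def pid_exists(pid):
    """True if kill(pid, 0) reaches a process; EPERM still means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(max_pid, min_pid=1):
    """PIDs in [min_pid, max_pid] that exist according to kill(pid, 0)."""
    return {pid for pid in range(min_pid, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listed, probed):
    """PIDs that answer kill() but are absent from the /proc listing."""
    return sorted(set(probed) - set(listed))


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as f:
        return int(f.read().strip())


def cross_view(proc_root="/proc"):
    """Compare the two views and re-confirm each candidate to drop races."""
    before = listed_pids(proc_root)
    probed = probed_pids(read_pid_max())
    after = listed_pids(proc_root)
    confirmed = []
    for pid in hidden_pids(before | after, probed):
        if pid_exists(pid) and pid not in listed_pids(proc_root):
            confirmed.append(pid)
    return confirmed


def self_check():
    """The probe must at least see the current process."""
    me = os.getpid()
    return me in probed_pids(me, min_pid=me)


if __name__ == "__main__":
    hidden = cross_view()
    print("hidden PIDs:", hidden or "none")
```

Two limits apply. A preload rootkit can hook `kill()` as well as `readdir()`, so the probe side is only trustworthy from a statically linked binary or one that issues the syscall directly. The eBPF controller the report describes hides at kernel level and defeats any view taken from the same kernel; for that case, list loaded programs and maps with `bpftool prog list` and `bpftool map list` from a trusted environment and compare against what the host is expected to run.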
Finally, a credential-stealing module extracts SSH keys, browser data, cloud tokens, developer credentials, system secrets, and clipboard content, enabling full compromise of development and cloud environments.
QLNX includes a peer-to-peer (P2P) mesh feature that links infected hosts together, turning individual implants into a distributed network. This design increases resilience because the malware can maintain communication and coordination even if parts of its command infrastructure are disrupted, making full removal from an environment significantly more difficult.
“The QLNX implant was built for long-term stealth and credential theft. What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.” concludes the report. “The combination of the rootkit, the PAM backdoor capable of silently intercepting plaintext passwords, and the P2P mesh network allowing implants to relay through each other all compound the difficulty of detection and eradication.”