Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities

What Happened

Security researchers have discovered a new malicious program called Quasar Linux (QLNX) that targets Linux computers. Software developers and IT operations staff are the primary targets of this attack. The malware steals passwords and access tokens for cloud services and code repositories, which could allow attackers to secretly insert malicious code into legitimate software updates. Organizations should monitor their Linux environments for unusual activity, secure developer credentials in dedicated password managers, and ensure workstations have strong security software installed.

Key Takeaways

• QLNX is a comprehensive Linux RAT featuring fileless execution, eBPF/LD_PRELOAD rootkits, and a PAM backdoor.
• It heavily targets developer and DevOps credentials (NPM, PyPI, AWS, Kubernetes, Docker) to facilitate software supply chain attacks.
• The malware dynamically compiles its rootkit and PAM backdoor modules on the target host using gcc and deploys them via /etc/ld.so.preload.
• It establishes a resilient P2P mesh network and communicates via a custom TCP protocol over TLS, HTTP, or HTTPS using the magic identifier 'QLNX'.

Affected Systems

• Linux operating systems
• Developer workstations
• DevOps environments

Attack Chain

QLNX executes filelessly from memory using memfd_create and deletes its original binary from disk. It profiles the system, spoofs its process name to mimic kernel threads, and establishes persistence via multiple methods including systemd, crontab, and dynamically compiled LD_PRELOAD shared objects. The malware deploys a PAM backdoor to intercept plaintext credentials and an eBPF/LD_PRELOAD rootkit to hide its processes, files, and network connections. Finally, it conducts extensive credential harvesting targeting developer tools and cloud environments, exfiltrating the data to a C2 server via a custom TCP/TLS protocol.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Trend Vision One

Trend Vision One provides custom hunting queries and runtime detection rules (e.g., HTTP/TCP Backdoor.Linux.QLNX.A) to identify QLNX activity.

Detection Engineering Assessment

EDR Visibility: Medium — Fileless execution via memfd_create and process name spoofing can evade basic monitoring, while the eBPF and LD_PRELOAD rootkits actively hide processes and files from userland tools. However, the compilation of .so files via gcc and modifications to /etc/ld.so.preload are highly visible. Network Visibility: Medium — Traffic is encrypted via TLS or Base64-encoded over HTTP/HTTPS. However, the custom TCP protocol uses a distinct 4-byte magic header ('QLNX') which can be signatured if TLS inspection is active or if the fallback HTTP channel is used. Detection Difficulty: Hard — The malware's use of eBPF to hide from the kernel directly, combined with userland LD_PRELOAD hooking and fileless execution, makes post-infection detection on the endpoint very difficult without specialized memory or eBPF monitoring.

Required Log Sources

• Process Creation (execve)
• File Modification (auditd/sysmon for Linux)
• Network Connections
• Authentication Logs (PAM)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for instances of the 'gcc' compiler being invoked to create shared objects (.so) in world-writable or temporary directories like /tmp, which may indicate on-target compilation of rootkits or backdoors.	Process execution logs (e.g., auditd, Sysmon for Linux) looking for 'gcc' with '-shared' and '-fPIC' arguments.	Defense Evasion	Medium
Monitor for unauthorized modifications to /etc/ld.so.preload, as this is a common technique for loading userland rootkits.	File integrity monitoring (FIM) or auditd logs monitoring write access to /etc/ld.so.preload.	Persistence	Low
Detect processes executing from memory-backed files (memfd) that attempt to delete their original on-disk binary.	Process execution logs showing paths containing 'memfd:' or '(deleted)'.	Execution	Medium

Control Gaps

• Lack of eBPF map monitoring
• Insufficient visibility into PAM module integrity
• Missing TLS inspection for custom protocols

Key Behavioral Indicators

• Process names mimicking kernel threads (e.g., [kworker/0:0]) but running in user space
• Creation of hidden lock files like /tmp/.X<hex>-lock
• Presence of the string 'QLNX_MANAGED' in systemd services or crontabs

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Isolate suspected compromised developer workstations from the network.
• Revoke and rotate all cloud, repository, and infrastructure credentials (AWS, NPM, PyPI, GitHub, Kubernetes) that were present on affected machines.
• Check /etc/ld.so.preload for unauthorized entries and remove them before attempting to kill malicious processes to prevent respawning.

Infrastructure Hardening

• Implement File Integrity Monitoring (FIM) on critical system files like /etc/ld.so.preload, /etc/shadow, and PAM configuration directories.
• Restrict the availability of compilers (e.g., gcc) on production servers and standard developer endpoints where not strictly necessary.
• Enforce SELinux or AppArmor in enforcing mode to restrict unauthorized process injection and file access.

User Protection

• Deploy advanced EDR solutions capable of detecting fileless execution (memfd_create) and eBPF-based rootkits.
• Store developer secrets in secure, centralized secret managers rather than plaintext files (.env, .npmrc, etc.) on disk.

Security Awareness

• Train developers on the risks of supply chain attacks and the importance of securing local credential files.
• Implement strict policies against storing long-lived access tokens on local workstations.

MITRE ATT&CK Mapping

• T1620 - Reflective Code Loading
• T1070.004 - Indicator Removal: File Deletion
• T1036.004 - Masquerading: Task or Service
• T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
• T1014 - Rootkit
• T1543.002 - Create or Modify System Process: Systemd Service
• T1053.003 - Scheduled Task/Job: Cron
• T1556.003 - Modify Authentication Process: Pluggable Authentication Modules
• T1552.004 - Unsecured Credentials: Private Keys
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1115 - Clipboard Data
• T1056.001 - Input Capture: Keylogging
• T1090.003 - Proxy: Multi-hop Proxy

Additional IOCs

• Domains:
  • ip-api[.]com - Legitimate geolocation service abused by QLNX to profile infected hosts
• File Hashes:
  • 70f70743f287a837d17c56933152a8a6 (MD5) - Quasar-implant main binary
  • b0f2c668cbdd63a871c90592b6c93e931115872e (SHA1) - Quasar-implant main binary
  • C99CF0DC1EF1057D713CB082ACAF42E4DF4656809C91741752BDDCAB39BBFACA (SHA256) - hide_src_39ZzHo.c (Rootkit source code dropper)
  • EA89CAAB82181881D971BE312412795051F6322B105C8B9D29CFB5729FAB8D33 (SHA256) - pam_src_51YyC3.c (PAM backdoor source code dropper)
  • 417430b2d4ae8d005224a9ff5dcb4007d452338acbcbcbb62c4e8ed1a70552dd (SHA256) - libpam_cache.so (PAM credential logger)
  • d55549d5655e2f202e215676f4bdb0994ea08a93d15ec4ded413f64cfa7facc8 (SHA256) - pcs_a3kf9x.c (PAM credential logger source code dropper)
• File Paths:
  • /usr/lib/libsecurity_utils.so.1 - LD_PRELOAD rootkit shared object
  • /usr/lib/.libpam_cache.so - PAM credential hook shared object
  • /etc/ld.so.preload - System file modified to load the rootkit and PAM backdoor
  • /tmp/.pam_cache - Plaintext credential log file
  • ~/.config/systemd/user/quasar_linux.service - Systemd user service persistence file
  • ~/.config/autostart/quasar_linux.desktop - XDG autostart persistence file
  • /etc/systemd/system/quasar_linux.service - Systemd system service persistence file
  • /etc/init.d/quasar_linux - init.d script persistence file
• Command Lines:
  • Purpose: Compiles the LD_PRELOAD rootkit directly on the target host | Tools: gcc | Stage: Defense Evasion
  • Purpose: Captures the current X11 clipboard contents | Tools: xclip, xsel | Stage: Collection | xclip -selection clipboard -o
• Other:
  • QLNX_MANAGED - String embedded as a comment in malware persistence artifacts (services, crontabs, scripts)