VYPR
Research · Published May 5, 2026 · Updated May 17, 2026 · 1 source

New 'Quasar Linux' Malware Targets Developers with Advanced Rootkit Capabilities

A newly discovered Linux malware strain called Quasar Linux (QLNX) is targeting software developers with a sophisticated suite of rootkit, backdoor, and credential-stealing tools designed for long-term, stealthy persistence.

A sophisticated new Linux malware strain, dubbed Quasar Linux (QLNX), has been identified targeting software developers and DevOps environments. According to researchers at Trend Micro, the implant is built for long-term persistence and stealth, with a modular architecture that combines rootkit capabilities, a backdoor, and extensive credential harvesting (BleepingComputer).

The malware is engineered to compromise development ecosystems, including npm, PyPI, GitHub, AWS, Docker, and Kubernetes. A foothold in these environments can let attackers stage supply-chain attacks by injecting malicious code into software distribution platforms. A notable feature of QLNX is that it compiles its own rootkit shared objects and PAM backdoor modules directly on the target host with the GNU Compiler Collection (gcc), so the resulting binaries are tailored to the specific environment. The practical consequence is that the compiler already present on a developer workstation becomes part of the attack surface, and an unexpected gcc invocation is one of the few observable steps in the infection (BleepingComputer).

To maintain a low profile, QLNX operates primarily in memory: it deletes its original binary from disk, wipes system logs, and spoofs process names. It employs seven distinct persistence mechanisms, among them LD_PRELOAD (typically via /etc/ld.so.preload), systemd units, crontab entries, init.d scripts, XDG autostart entries, and .bashrc injection, so that terminating an individual process does not remove the implant (BleepingComputer). For responders, a running process whose on-disk binary has been unlinked still exposes its image through /proc/<pid>/exe, which is the usual way to recover such memory-resident implants for analysis.

The implant's functionality is divided into several specialized modules. Its Remote Access Trojan (RAT) core supports 58 commands covering interactive shell access and system control. The rootkit component is particularly advanced and uses a dual-layer approach: a userland LD_PRELOAD hook to hide files and processes, and a kernel-level eBPF component to conceal PIDs, file paths, and network ports. The malware also includes modules for keylogging, screenshot capture, credential harvesting (including SSH keys and /etc/shadow), and lateral movement via SSH and SOCKS proxies (BleepingComputer).

As of early May 2026, the threat remains highly elusive: only four security products flagged the binary as malicious (BleepingComputer). Trend Micro has released indicators of compromise (IoCs) to help organizations identify potential infections, though the firm has not yet attributed the malware to a specific threat actor or published data on the scale of its deployment in the wild (BleepingComputer).

The emergence of QLNX highlights a growing trend of attackers focusing on developer workstations to bypass enterprise security perimeters. By capturing the credentials that underpin software delivery pipelines, threat actors can gain deep access to corporate infrastructure, mirroring recent high-profile supply-chain compromises. Security teams are encouraged to monitor for unauthorized compilation activity (gcc invoked on hosts, or by parent processes, that have no business compiling) and for unusual persistence configurations to mitigate the risk posed by this stealthy implant (BleepingComputer).
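The script below is an added example, not code from Trend Micro, BleepingComputer, or the malware analysis itself: it gives the persistence-hunting advice above, and the persistence list earlier in the article, a concrete shape. It walks /etc/ld.so.preload, systemd units, cron, init.d, XDG autostart, and shell start-up files, flags entries that point into scratch or hidden directories or set LD_PRELOAD, and lists PAM modules newer than pam_unix.so (a module freshly compiled on the host would be). The regular expression, the path list, the "newer than pam_unix.so" heuristic, and the file name qlnx_audit.sh are this example's own assumptions, not published IoCs; treat every hit as something to review, not a verdict.

```shell
#!/bin/sh
# Added example (not code from Trend Micro, BleepingComputer, or the malware):
# a read-only triage pass over the persistence locations named in the article.
# ROOT is / for the live host, or the mount point of a disk image. The regex and
# the "newer than pam_unix.so" check are this script's own heuristics, not IoCs.

# Tokens that benign persistence entries rarely contain: scratch directories,
# hidden directories directly under system paths, and LD_PRELOAD assignments.
SUSPECT='/tmp/|/var/tmp/|/dev/shm/|/(etc|usr|opt|var|lib)/\.[^/ ]+/|LD_PRELOAD'
FINDINGS=0

# note LABEL TEXT : report one finding and count it
note() { printf '[%s] %s\n' "$1" "$2"; FINDINGS=$((FINDINGS + 1)); }

# scan_tree LABEL PATH... : report every SUSPECT line in regular files under PATH...
# Missing paths are skipped silently; /dev/null forces grep to print file names.
scan_tree() {
  label="$1"; shift
  hits=$(find "$@" -type f -exec grep -En "$SUSPECT" /dev/null {} + 2>/dev/null || true)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits" | sed "s/^/[$label] /"
  n=$(printf '%s\n' "$hits" | wc -l)
  FINDINGS=$((FINDINGS + n))
}

# audit_persistence ROOT : walk the seven mechanisms plus PAM, print a summary line
audit_persistence() {
  root="${1%/}"                      # "/" becomes "", so "$root/etc" is "/etc"
  FINDINGS=0

  # 1. LD_PRELOAD via /etc/ld.so.preload: absent or empty on a clean host
  if [ -s "$root/etc/ld.so.preload" ]; then
    note LD_PRELOAD "$root/etc/ld.so.preload lists: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
  fi
  # 2. systemd units, system-wide and per-user
  scan_tree systemd "$root/etc/systemd/system" "$root/usr/lib/systemd/system" \
                    "$root"/home/*/.config/systemd/user
  # 3. cron: system crontab, drop-in directories, user spools
  scan_tree cron "$root/etc/crontab" "$root"/etc/cron.* "$root/var/spool/cron"
  # 4. init.d scripts and rc.local
  scan_tree init.d "$root/etc/init.d" "$root/etc/rc.local"
  # 5. XDG autostart .desktop files
  scan_tree xdg "$root/etc/xdg/autostart" "$root"/home/*/.config/autostart
  # 6. shell start-up files (.bashrc injection)
  scan_tree shellrc "$root/root/.bashrc" "$root/root/.profile" \
                    "$root"/home/*/.bashrc "$root"/home/*/.profile "$root"/home/*/.bash_profile
  # 7. PAM: configuration referencing odd paths, and modules newer than pam_unix.so
  scan_tree pam.d "$root/etc/pam.d"
  for d in "$root"/lib/security "$root"/lib64/security "$root"/usr/lib/security \
           "$root"/lib/*/security "$root"/usr/lib/*/security; do
    [ -f "$d/pam_unix.so" ] || continue
    for m in $(find "$d" -name '*.so' -newer "$d/pam_unix.so" 2>/dev/null); do
      note PAM "$m is newer than $d/pam_unix.so"
    done
  done

  printf 'FINDINGS: %s\n' "$FINDINGS"
}

# Usage: sh qlnx_audit.sh ROOT   (ROOT is / for the live host, /mnt/image for an image)
if [ "$#" -gt 0 ]; then audit_persistence "$1"; fi
```

Run it against a mounted image, or from a rescue boot, rather than on the suspect host: a userland LD_PRELOAD hook that intercepts open() and readdir() can hide /etc/ld.so.preload and its own files from every tool started on the infected system. For the kernel-level layer, compare `bpftool prog list` output against what the host is expected to load, and for the on-host compilation step, an auditd watch such as `-w /usr/bin/gcc -p x -k compiler` records who invoked the compiler and when.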

Synthesized by Vypr AI