Quasar Linux (QLNX) is a previously undocumented Linux implant targeting developers' systems and DevOps environments with a blend of rootkit, backdoor, and credential-stealing capabilities. Trend Micro analysis shows QLNX compiles rootkit components on the host, runs fileless and in-memory for stealth, and uses multiple persistence mechanisms across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. #QuasarLinux #TrendMicro
Key points
- QLNX targets development and DevOps platforms including npm, PyPI, GitHub, AWS, Docker, and Kubernetes.
- The malware dynamically compiles rootkit shared objects and PAM backdoor modules on the target using gcc.
- It operates filelessly and in-memory, wipes logs, spoofs processes, and employs seven persistence mechanisms for long-term stealth.
- Modular capabilities include a 58-command RAT, dual-layer rootkit (LD_PRELOAD and eBPF), credential harvesting, surveillance, networking, and injection engines.
- Trend Micro released IoCs to help defenders, but attribution, deployment scale, and widespread detection remain unclear.
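The LD_PRELOAD rootkit layer and the PAM backdoor modules described above leave traces that a host audit can look for: an entry in /etc/ld.so.preload, an LD_PRELOAD variable in a running process's environment, or a PAM configuration line that loads a module by absolute path from outside the distribution's packaged security directories. The script below is an added example of such a check written for this page; it is not Trend Micro's code and is not derived from the QLNX sample. The trusted-directory lists are an assumption about typical Debian and RHEL layouts, and the sample inputs are constructed to show what a hit looks like.

```python
"""Audit a Linux host for LD_PRELOAD and PAM persistence indicators.

Added example, not part of the original summary. The directory lists and
sample inputs below are assumptions/constructed data, not published IoCs.
"""
import os
import re
from pathlib import Path

# Assumption: packaged shared objects live under these prefixes on most distros.
TRUSTED_PAM_DIRS = (
    "/lib/security/", "/lib64/security/",
    "/usr/lib/security/", "/usr/lib64/security/",
    "/usr/lib/x86_64-linux-gnu/security/",
)

# PAM lines look like: "[-]type control module [args]"; control may be bracketed.
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)"
)


def check_ld_preload_file(contents: str) -> list[str]:
    """Any non-comment entry in /etc/ld.so.preload is worth a look on a dev box."""
    findings = []
    for line in contents.splitlines():
        path = line.split("#", 1)[0].strip()
        if path:
            findings.append(f"ld.so.preload loads {path}")
    return findings


def check_process_environ(pid: int, environ: bytes) -> list[str]:
    """/proc/<pid>/environ is NUL-separated; flag any LD_PRELOAD assignment."""
    findings = []
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            findings.append(f"pid {pid} has {entry.decode(errors='replace')}")
    return findings


def check_pam_config(name: str, contents: str) -> list[str]:
    """Flag PAM modules referenced by absolute path outside the packaged dirs."""
    findings = []
    for line in contents.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue
        module = m.group(3)
        if module.startswith("/") and not module.startswith(TRUSTED_PAM_DIRS):
            findings.append(f"{name}: PAM module outside trusted dirs: {module}")
    return findings


def audit_live_host() -> list[str]:
    """Read-only pass over the real host; /proc/*/environ needs root for other users."""
    findings = []
    preload = Path("/etc/ld.so.preload")
    if preload.is_file():
        findings += check_ld_preload_file(preload.read_text(errors="replace"))
    for pid_dir in Path("/proc").iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            findings += check_process_environ(
                int(pid_dir.name), (pid_dir / "environ").read_bytes())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or not ours to read
    pam_d = Path("/etc/pam.d")
    if pam_d.is_dir():
        for cfg in sorted(pam_d.iterdir()):
            if cfg.is_file():
                findings += check_pam_config(cfg.name, cfg.read_text(errors="replace"))
    return findings


# Constructed sample inputs (not real artefacts) showing one hit per check.
SAMPLE_LD_PRELOAD = "# constructed sample\n/tmp/.cache/libhook.so\n"
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/dev/shm/libq.so\0PATH=/usr/bin\0"
SAMPLE_PAM = (
    "auth    required   pam_env.so\n"
    "auth    [success=1 default=ignore] pam_unix.so\n"
    "auth    sufficient /tmp/.cache/pam_door.so\n"
)


def run_demo() -> list[str]:
    """Run all three checks over the constructed samples; returns 3 findings."""
    return (check_ld_preload_file(SAMPLE_LD_PRELOAD)
            + check_process_environ(4242, SAMPLE_ENVIRON)
            + check_pam_config("sshd", SAMPLE_PAM))


if __name__ == "__main__":
    for f in run_demo():
        print("demo:", f)
    if os.name == "posix":
        for f in audit_live_host():
            print("host:", f)
```

Because QLNX is reported to compile its components on the host, pairing this audit with alerting on unexpected gcc or cc invocations (for example via auditd execve records) covers the build step that precedes these persistence artefacts; the script itself only inspects the results, which is why it is safe to run read-only on a suspect machine.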