"Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features," Trend Micro said.
Quasar Linux (QLNX): LD_PRELOAD rootkit, PAM backdoors, and a P2P mesh
Trend Micro’s analysis describes a newly observed Linux remote access trojan, Quasar Linux or QLNX, that bundles several durable techniques into a single package. The malware carries embedded C source code for both a PAM-based backdoor and an LD_PRELOAD rootkit, hides its processes under names that mimic legitimate services, and includes keylogging and credential-harvesting modules. Both the PAM and LD_PRELOAD components are userland persistence, so on a suspect host the usual places to look first are /etc/ld.so.preload and the integrity of the installed PAM modules against the package manager’s records. What makes QLNX operationally notable is its peer-to-peer mesh: infected hosts communicate with each other rather than relying solely on centralized servers, a design that "turns individual compromises into an interconnected infection network" and makes takedown harder.
Palo Alto PAN-OS CVE-2026-0300 and the scale of exposure
Palo Alto Networks disclosed a memory corruption vulnerability in PAN-OS, tracked as CVE-2026-0300, that affects the product’s authentication portal and can let an unauthenticated attacker run code as root on PA-Series and VM-Series firewalls. The vendor said threat actors may have attempted to exploit the flaw as early as April 9, 2026, and that patches are expected to begin rolling out on May 13, 2026. Attack surface management platform Censys counted about 263,000 Internet-exposed hosts running PAN-OS. That figure is an upper bound on the reachable population rather than a count of vulnerable devices, since not every such host necessarily exposes the authentication portal to the Internet or runs an affected release; it still underscores how large the potential attack surface is.
Supply-chain and download compromises: DAEMON Tools, JDownloader, and QUIC RAT
Two separate supply-chain compromises described this week show different operational goals. Kaspersky reported that compromised installers of DAEMON Tools distributed a data miner broadly, while a second, selective shellcode loader delivered an implant dubbed QUIC RAT to a small set of targets — including one known educational institution in Russia. Kaspersky noted Chinese-language elements in the malicious code but did not attribute the campaign to a specific group.
Separately, the JDownloader website was tampered with on May 6, 2026 at 12:01 a.m. UTC to distribute malicious Windows and Linux installers. Researcher Thomas Klemenc said the Windows variant delivered a Python-based RAT that can enlist machines into a bot network and run arbitrary Python code supplied by an operator. JDownloader’s developer said the tampered downloads are missing digital signatures and that Microsoft SmartScreen will warn or block execution. Investigation identified an "unpatched security bug" as the attack vector, though the specific vulnerability was not disclosed.
WebSocket backdoors, skimmers, and abuse of legitimate tooling
Palo Alto Networks Unit 42 reported obfuscated WebSocket backdoors that push dynamically executed JavaScript payloads to inject credit-card skimmers into hundreds of compromised websites, exfiltrating card data to attacker-controlled C2 domains. Oasis Security described a separate, high-impact vector in Cline’s Kanban server: the AI coding agent’s localhost WebSocket performed neither origin validation nor authentication. Because the browser’s same-origin policy does not stop a page from opening a WebSocket to 127.0.0.1, and a local server that ignores the Origin header cannot tell the agent’s own front end from a hostile site, any website the developer visited could connect silently, exfiltrate workspace data, and inject commands. The issue was fixed in Cline Kanban version 0.1.66 following responsible disclosure.
The broader pattern this week also highlights the deliberate abuse of legitimate remote management and development tooling. Reports note attackers weaponizing Remote Monitoring and Management products such as SimpleHelp and ScreenConnect for persistence, and using Cloudflare Workers, Dropbox, ZoomInfo, and Pipedream as building blocks in consent‑phishing and token‑capture toolkits like ConsentFix v3, according to Push Security.
What this means for security teams, cloud operators, and educational institutions
- Security teams: prioritize patching and exposure hunting for CVE‑2026‑0300 (PAN‑OS) and CVE‑2026‑6973 (Ivanti EPMM), and watch host and network telemetry for the behaviours QLNX exhibits: peer‑to‑peer traffic between internal hosts, PAM and LD_PRELOAD tampering, and processes masquerading as system services.
- Cloud operators and DevOps teams: watch for credential-harvesting campaigns like PCPJack that actively remove competing malware and spread via public cloud misconfigurations; the campaign’s use of Common Crawl parquet files for target discovery demonstrates attackers’ use of public datasets to find vulnerable endpoints.
- Educational institutions and software suppliers: review installer integrity and distribution channels after the DAEMON Tools and JDownloader compromises. Instructure’s Canvas incident, in which ShinyHunters claimed 3.65TB of data and 275 million records across nearly 9,000 organizations, shows how support‑ticket and "Free for Teacher" environments can be abused and may need immediate hardening or temporary suspension.
The week’s reporting reads like a catalogue of familiar, persistent problems: poisoned installers, unpatched memory‑corruption flaws, and clever re‑use of legitimate services as attack infrastructure. Mozilla’s disclosure that AI tools helped find and fix 423 Firefox security bugs in April 2026, up from 31 a year earlier, is a reminder that defenders are also changing their toolkits; at the same time, adversaries keep recycling successful tradecraft such as ClickFix, WebSocket skimmers, and RMM abuse. Patches for several critical flaws are due in mid‑May; the practical question now is not whether attackers will keep exploiting these vectors, but how quickly organizations apply the fixes and harden the routinely used channels that attackers continue to favor.