"QLNX targets developers and DevOps credentials across the software supply chain," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said, summing up a malware implant that the company says was built to steal the kinds of secrets that grant supply-chain control.
Quasar Linux RAT: stealth, persistence, and control
Quasar Linux RAT (QLNX) is a previously undocumented Linux implant that, according to Trend Micro, executes filelessly from memory and masquerades as kernel threads such as kworker or ksoftirqd. Once resident, the implant aggressively maintains access: it runs a persistent loop that continuously attempts to reach a command‑and‑control (C2) server over raw TCP, HTTPS, and HTTP, supports 58 distinct commands, and exfiltrates harvested data to attacker‑controlled infrastructure.
The implant includes multiple mechanisms for long‑term access and concealment. Trend Micro's analysis states QLNX can wipe system logs to cover its tracks and establish persistence using "no less than seven different methods, including systemd, crontab, and .bashrc shell injection." In its technical summary the company also characterized the implant succinctly: "arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most."
Credential harvesting: the files and tokens under attack
Trend Micro highlights that QLNX's credential harvester targets a broad set of high‑value developer assets. Files and tokens named in the report include .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The company warns that compromising those assets could allow operators to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.
Evasion and rootkit tactics: userspace LD_PRELOAD and eBPF kernel concealment
QLNX employs a two‑tiered rootkit architecture. At userspace it deploys a rootkit through the dynamic linker's LD_PRELOAD mechanism to hide artifacts and processes from standard tools. At kernel level the implant leverages an eBPF component that uses the BPF subsystem to conceal processes, files, and network ports from userland commands such as ps, ls, and netstat when instructed by the C2 server. Trend Micro's account emphasizes that the combined effect is persistent, hard‑to‑detect stealth.
PAM backdoors, session logging, and broad post‑compromise abilities
Beyond file harvesting and concealment, QLNX installs Pluggable Authentication Module (PAM) components that intercept and siphon credentials. One PAM inline‑hook backdoor intercepts plaintext credentials during authentication, logs outbound SSH session data, and forwards that data to the C2 server. A second PAM‑based credentials logger is automatically loaded into every dynamically linked process to extract the service name, username, and authentication token.
The implant's command set gives operators a wide range of post‑compromise options: execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, monitor the clipboard, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and operate a peer‑to‑peer mesh network. Trend Micro's researchers describe a coherent workflow in which stealth and credential theft enable long‑term control of developer systems and their connected pipelines.
What this means for package maintainers, cloud teams, and DevOps
- Package maintainers: The report directly links credential theft to the ability to "push malicious packages to NPM or PyPI registries." Maintainers who hold publishing tokens or credentials are the specific targets Trend Micro identifies.
- Cloud and infrastructure teams: The harvest list explicitly includes .aws/credentials and .kube/config, assets that the researchers say could permit access to cloud infrastructure and enable lateral movement through CI/CD.
- DevOps and CI/CD operators: The implant's ability to persist, conceal itself at both userspace and kernel levels, and pivot through pipelines creates the conditions for poisoned builds or automated propagation inside continuous integration systems.
Trend Micro's analysis frames the danger not as a single novel trick but as a chain: infiltration, erase‑and‑hide, redundant persistence, kernel and userspace concealment, and targeted theft of the credentials that gatekeep publishing and infrastructure. Exactly how QLNX is delivered remains unclear in the company's writeup; what is plain is the breadth of tools an operator gains after a single successful foothold.




