Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence

Security researchers at Trend Micro have identified Quasar Linux RAT (QLNX), a sophisticated, memory-resident malware designed to compromise developer environments through advanced credential theft and stealthy persistence mechanisms.

Key Points

  • QLNX operates entirely in memory, using memfd_create to avoid leaving traces on disk.
  • The malware employs eBPF and LD_PRELOAD rootkits to hide processes, files, and network activity from system administrators.
  • It features a PAM backdoor that intercepts plaintext credentials and supports seven distinct persistence methods, including systemd services and cron jobs.
  • The implant targets software development workflows to steal SSH keys, browser profiles, cloud tokens, and clipboard data.
  • A built-in peer-to-peer mesh network allows infected hosts to relay commands, increasing resilience against command-and-control infrastructure disruption.
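
For defenders, the memfd_create and LD_PRELOAD points above translate into two /proc checks: a process whose exe link targets an anonymous memfd file, and a process started with LD_PRELOAD set. The following triage sketch is an added example, not code from Trend Micro or the original article; the function names, finding labels and sample data are constructed for illustration.

```python
import os
import re

def exe_is_memfd(exe_target: str) -> bool:
    """True when a /proc/<pid>/exe link target is an anonymous memfd file."""
    # The kernel renders memfd-backed files as "/memfd:<name> (deleted)".
    return exe_target.startswith("/memfd:")

def preload_libs(environ: bytes) -> list:
    """Return LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # ld.so accepts colons or spaces as separators.
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def assess(exe_target: str, environ: bytes) -> list:
    """Findings for one process; each is a triage lead, not a verdict."""
    findings = []
    if exe_is_memfd(exe_target):
        findings.append("exe-memfd")
    libs = preload_libs(environ)
    if libs:
        findings.append("ld-preload:" + ",".join(libs))
    return findings

def scan_proc(proc_root: str = "/proc") -> dict:
    """Map pid -> findings for every process readable under proc_root."""
    results = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = fh.read()
        except OSError:  # kernel thread, exited process, or no permission
            continue
        if (found := assess(exe, env)):
            results[int(name)] = found
    return results

# Constructed samples (not taken from any QLNX analysis).
SAMPLES = [
    ("/memfd:job (deleted)", b"PATH=/usr/bin\0HOME=/root\0"),
    ("/usr/sbin/sshd", b"LD_PRELOAD=/tmp/libx.so /tmp/liby.so\0"),
    ("/usr/bin/bash", b"PATH=/usr/bin\0"),
]

if __name__ == "__main__":
    for exe, env in SAMPLES:
        print(exe, "->", assess(exe, env))
    print(scan_proc())
```

Because the rootkit components described above hide processes and files from userland tools, a scan run on the live host can be blinded; results are more trustworthy when `scan_proc` is pointed at a /proc view collected from a trusted context. Legitimate software can also execute from memfd or set LD_PRELOAD, so treat each finding as a lead to investigate.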

Why it Matters

This malware poses a significant supply chain risk by specifically targeting the high-privilege systems used in software development and DevOps environments. Its ability to chain multiple evasion techniques makes it exceptionally difficult to detect and remove, potentially leading to widespread unauthorized access to sensitive source code and cloud infrastructure.

Securityaffairs.com, published by Pierluigi Paganini