
New stealthy Quasar Linux malware targets software developers

Why This Matters

The discovery of Quasar Linux malware highlights the increasing sophistication of cyber threats targeting development environments, emphasizing the need for enhanced security measures in supply chain and DevOps workflows. Its stealthy design and persistence techniques pose significant risks for long-term undetected access and data theft, impacting both industry security and consumer trust.

Key Takeaways

A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developers' systems with a mix of rootkit, backdoor, and credential-stealing capabilities.

The malware kit is deployed in development and DevOps environments built on npm, PyPI, GitHub, AWS, Docker, and Kubernetes. This could enable supply-chain attacks in which the threat actor publishes malicious packages on code distribution platforms.

Researchers at cybersecurity company Trend Micro analyzed the QLNX implant and found that "it dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc [GNU Compiler Collection]."

A report from the company this week notes that QLNX was designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables.

The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed.

Figure: Overview of QLNX's persistence mechanisms (Source: Trend Micro)

QLNX features multiple functional blocks dedicated to specific activities, making it a complete attack tool. Its core components can be summarized as follows:

RAT core — Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.

Rootkit — Dual-layer stealth mechanism combining a userland LD_PRELOAD rootkit and a kernel-level eBPF component. The userland layer hooks libc functions to hide files, processes, and malware artifacts, while the eBPF layer conceals PIDs, file paths, and network ports at the kernel level. Both are deployed dynamically, with the userland rootkit compiled on the target system.
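The persistence mechanisms listed earlier (LD_PRELOAD, systemd, crontab, init.d, XDG autostart, .bashrc injection) and the userland LD_PRELOAD rootkit described here all leave traces in a handful of well-known configuration locations. The following is an added example, not code from the article or from Trend Micro: a small defender-side scan that reads the contents of those locations and flags preload entries outside the system library directories and persistence entries that execute from volatile or hidden paths. The sample file contents, paths and file names are constructed for the demonstration and are not QLNX indicators.

```python
import re

# Directories where a legitimately preloaded shared object normally lives.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Volatile or world-writable locations a persistence entry should not execute from.
VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
LD_PRELOAD_RE = re.compile(r"\bLD_PRELOAD\s*=\s*[\"']?([^\s\"';]+)")
# Absolute paths not embedded in a longer token (so /a/b yields one match, not two).
ABS_PATH_RE = re.compile(r"(?<![\w/.\-])(/[^\s\"';]+)")

def hidden_basename(path):
    """True for dot-prefixed file names, a common way to keep artifacts out of plain `ls`."""
    return path.rsplit("/", 1)[-1].startswith(".")

def scan_persistence_file(name, text):
    """Return (line_no, reason) pairs for the contents of one persistence location."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if name == "/etc/ld.so.preload":
            # Every entry here is injected into every dynamically linked process.
            if not stripped.startswith(TRUSTED_LIB_DIRS) or hidden_basename(stripped):
                findings.append((no, f"ld.so.preload entry: {stripped}"))
            continue
        m = LD_PRELOAD_RE.search(stripped)  # shell rc, cron env, or systemd Environment=
        if m:
            lib = m.group(1)
            if not lib.startswith(TRUSTED_LIB_DIRS) or hidden_basename(lib):
                findings.append((no, f"LD_PRELOAD injection: {lib}"))
            continue
        for path in ABS_PATH_RE.findall(stripped):  # cron, init.d, systemd Exec*, XDG Exec=
            if path.startswith(VOLATILE_DIRS) or hidden_basename(path):
                findings.append((no, f"runs from suspicious path: {path}"))
    return findings

# Constructed sample contents (not real QLNX artifacts) covering the mechanisms named above.
SAMPLE_FILES = {
    "/etc/ld.so.preload": "/usr/lib/x86_64-linux-gnu/libfakeroot.so\n/usr/local/lib/.libh.so\n",
    "/home/dev/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/tmp/.x/libx.so\n",
    "/var/spool/cron/crontabs/dev": "# m h dom mon dow command\n@reboot /dev/shm/.upd\n",
    "/etc/systemd/system/sync.service": "[Service]\nExecStart=/usr/bin/rsync -a /src /dst\n",
    "/home/dev/.config/autostart/upd.desktop": "[Desktop Entry]\nExec=/var/tmp/.cache/run.sh\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for no, reason in scan_persistence_file(name, text):
            print(f"{name}:{no}: {reason}")
```

On a live host the same function would be fed the real contents of these paths (plus /etc/init.d and ~/.config/autostart), and any hit is a starting point for triage rather than proof of compromise, since the rootkit layer described above can hide files from userland tools.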
