securityaffairs.com 5/9/2026, 2:09:51 PM

Fileless Linux RAT hits devs, hides in memory via LD_PRELOAD

CyberSIXT Evidence Panel
Primary Source trendmicro.com

Researchers have uncovered Quasar Linux RAT (QLNX), a fileless Linux implant that targets developers and DevOps environments to steal credentials, log keystrokes, monitor systems, and provide remote access. The malware runs directly from memory, uses LD_PRELOAD-based injection and an in-memory rootkit, and can copy itself into RAM-backed storage so that it relaunches from memory even after its file on disk has been deleted.

It hides by rewriting process metadata, evades detection with eBPF, wipes logs, and profiles the host (containerisation, kernel version, and SELinux status) to adapt its capabilities to what it finds.

The persistence subsystem offers seven methods in total, including systemd services, cron jobs, init scripts, XDG autostart entries, and LD_PRELOAD techniques, with the resulting artifacts tagged “QLNX_MANAGED”. Notably, two PAM backdoors, compiled on the target system, intercept authentication and harvest credentials: they carry a hardcoded master password and write captured credentials in plaintext to /var/log/.ICE-unix, a name borrowed from the legitimate /tmp/.ICE-unix X11 socket directory but placed under /var/log.
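The LD_PRELOAD injection and RAM-backed relaunch described in the opening paragraph, and the tagged persistence artifacts and PAM backdoors described just above, all leave host-level traces a responder can sweep for. The script below is an added example written for this page, not code from Trend Micro or Security Affairs: the QLNX_MANAGED tag, the /var/log/.ICE-unix drop file, the listed persistence mechanisms and the LD_PRELOAD and PAM angles come from the report, while the exact directories scanned, the tmpfs (/dev/shm) check and the "PAM module loaded from a non-stock path" heuristic are my assumptions and not published indicators. It takes a root directory so it can be pointed at a mounted disk image or at a live system.

```python
"""Host triage for the QLNX indicators summarised in the article.

Added example, not Trend Micro's or Security Affairs' code. Items marked
"assumption" are my choices for where such artifacts would surface, not IOCs
published in the report.
"""
import os
import re
import stat

MANAGED_TAG = "QLNX_MANAGED"            # tag the report says marks persistence artifacts
HARVEST_FILE = "var/log/.ICE-unix"      # plaintext credential drop named in the report
PRELOAD_FILE = "etc/ld.so.preload"      # system-wide LD_PRELOAD; normally absent or empty
PAM_DIR = "etc/pam.d"
PERSISTENCE_DIRS = [                    # assumption: where the listed mechanisms live
    "etc/systemd/system", "etc/cron.d", "var/spool/cron/crontabs",
    "etc/init.d", "etc/xdg/autostart",
]
RAM_BACKED_DIRS = ["dev/shm"]           # assumption: tmpfs a fileless implant relaunches from
STOCK_PAM_DIRS = (                      # assumption: distro PAM module locations
    "/lib/security/", "/lib64/security/", "/usr/lib/security/",
    "/usr/lib64/security/", "/usr/lib/x86_64-linux-gnu/security/",
)
# type  control-or-[bracketed control]  module-path
PAM_LINE = re.compile(r"^\s*-?\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def _walk(root, rel):
    for dirpath, _, files in os.walk(os.path.join(root, rel)):
        for name in files:
            yield os.path.join(dirpath, name)


def find_managed_artifacts(root):
    """Persistence files (systemd, cron, init, XDG) carrying the QLNX_MANAGED tag."""
    return sorted(os.path.relpath(p, root)
                  for rel in PERSISTENCE_DIRS for p in _walk(root, rel)
                  if MANAGED_TAG in _read(p))


def find_preload_entries(root):
    """Libraries forced into every dynamically linked process via /etc/ld.so.preload."""
    lines = _read(os.path.join(root, PRELOAD_FILE)).splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def find_preloaded_processes(root):
    """PIDs whose environment carries LD_PRELOAD, read from /proc/<pid>/environ."""
    hits = {}
    proc = os.path.join(root, "proc")
    for pid in (os.listdir(proc) if os.path.isdir(proc) else []):
        if not pid.isdigit():
            continue
        for var in _read(os.path.join(proc, pid, "environ")).split("\0"):
            if var.startswith("LD_PRELOAD="):
                hits[int(pid)] = var.split("=", 1)[1]
    return hits


def find_nonstock_pam_modules(root):
    """PAM stack lines loading a module by absolute path from outside the stock dirs."""
    hits = []
    for path in _walk(root, PAM_DIR):
        for ln in _read(path).splitlines():
            m = PAM_LINE.match(ln)
            if m and m.group(2).startswith("/") and not m.group(2).startswith(STOCK_PAM_DIRS):
                hits.append((os.path.relpath(path, root), m.group(2)))
    return hits


def find_ram_backed_executables(root):
    """Executable files sitting in tmpfs, a place a fileless implant can relaunch from."""
    return sorted(os.path.relpath(p, root)
                  for rel in RAM_BACKED_DIRS for p in _walk(root, rel)
                  if os.lstat(p).st_mode & stat.S_IXUSR)


def triage(root):
    """Collect every indicator class; an empty dict means nothing matched."""
    findings = {
        "managed_artifacts": find_managed_artifacts(root),
        "ld_so_preload": find_preload_entries(root),
        "preloaded_processes": find_preloaded_processes(root),
        "nonstock_pam_modules": find_nonstock_pam_modules(root),
        "ram_backed_executables": find_ram_backed_executables(root),
        # /tmp/.ICE-unix is a legitimate X11 socket dir; the same name under /var/log is not.
        "harvest_file_present": os.path.exists(os.path.join(root, HARVEST_FILE)),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Run it as root on a live host (`python3 qlnx_triage.py /`) or against a mounted image (`python3 qlnx_triage.py /mnt/evidence`). Because the report says QLNX rewrites process metadata and hides with eBPF, an empty result from a live system is weaker evidence than the same result from an offline image; treat a non-empty `ld_so_preload` or a PAM module outside the distro directory as worth manual review even without the QLNX_MANAGED tag, since the tag is the one string an operator can trivially change.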

The campaign also features a P2P mesh linking infected hosts, which increases resilience and complicates eradication. According to Trend Micro, communications with the C2 use a TLS-based protocol, or alternatively HTTPS or HTTP, and each session opens with the four-byte magic value “QLNX”, after which the handshake proceeds.


Article by CyberSIXT