
New stealthy Quasar Linux malware targets software developers

Published:

5 May 2026 at 22:01:39

Alert date:

5 May 2026 at 23:00:45

Source:

bleepingcomputer.com


Operating Systems, Ransomware & Malware, Supply Chain & Dependencies

A previously undocumented Linux implant named Quasar Linux (QLNX) has been discovered targeting software developers' systems. The malware combines rootkit, backdoor, and credential-stealing capabilities in a stealthy attack campaign. It poses a significant threat to the software development community because it specifically targets developers, who often have access to sensitive code repositories and development infrastructure. The malware's multi-faceted approach, including rootkit functionality, makes it particularly concerning because it is built to maintain persistent access to compromised systems.

Technical details

Quasar Linux (QLNX) is a sophisticated Linux implant that combines rootkit, backdoor, and credential-stealing capabilities. It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc. The malware runs in memory, deletes its original binaries, wipes logs, spoofs process names, and clears forensic environment variables. It uses seven persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and .bashrc injection. Core components include a RAT core with a 58-command framework, a dual-layer rootkit (userland LD_PRELOAD and kernel-level eBPF), a credential access layer, a surveillance module, networking and lateral-movement capabilities, an execution and injection engine, and filesystem monitoring via inotify. The malware establishes a fileless foothold and targets development environments including npm, PyPI, GitHub, AWS, Docker, and Kubernetes.

Mitigation steps:

Use indicators of compromise (IoCs) provided by Trend Micro to detect QLNX infections and protect against them. Monitor development and DevOps environments for suspicious activities. Implement security controls to protect developer workstations and credentials that underpin software delivery pipelines.
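The persistence locations named under Technical details are the natural starting point for a host audit. The script below is an added example, not the advisory's or Trend Micro's tooling: it walks /etc/ld.so.preload, the systemd unit directories, cron, init.d, XDG autostart and .bashrc under a given root and reports entries that reference LD_PRELOAD, gcc, or shared objects in temp directories. The path list and the regex are assumptions, and the sample tree it builds is constructed test data, not real indicators.

```python
import re
import tempfile
from pathlib import Path

# Persistence locations the advisory names, relative to a root so the same audit
# runs against "/" or a mounted image. Home paths cover root only (assumption).
CHECKS = {
    "ld_preload":    ["etc/ld.so.preload"],
    "systemd":       ["etc/systemd/system", "root/.config/systemd/user"],
    "crontab":       ["etc/crontab", "etc/cron.d", "var/spool/cron/crontabs"],
    "init.d":        ["etc/init.d"],
    "xdg_autostart": ["etc/xdg/autostart", "root/.config/autostart"],
    "bashrc":        ["root/.bashrc", "etc/bash.bashrc"],
}
# Lines worth a second look: LD_PRELOAD exports, gcc calls (QLNX compiles its
# modules on the host) and shared objects loaded from /tmp or /dev/shm.
SUSPICIOUS = re.compile(r"LD_PRELOAD=|\bgcc\b|/dev/shm/\S+|/tmp/\S+\.so")
def _files(path):
    if path.is_file():
        yield path
    elif path.is_dir():
        yield from (p for p in path.rglob("*") if p.is_file())

def audit_persistence(root="/"):
    """Return (mechanism, file, line) triples that need an analyst's review."""
    findings = []
    for mechanism, rel_paths in CHECKS.items():
        for rel in rel_paths:
            for f in _files(Path(root) / rel):
                try:
                    lines = f.read_text(errors="replace").splitlines()
                except OSError:
                    continue
                for line in lines:
                    # ld.so.preload is absent/empty on a stock host: report any entry.
                    if (mechanism == "ld_preload" and line.strip()) or SUSPICIOUS.search(line):
                        findings.append((mechanism, str(f), line.strip()))
    return findings

def build_sample_tree():
    """Constructed fixture (not real IoCs): two planted entries, one benign cron line."""
    root = Path(tempfile.mkdtemp())
    for rel, text in {
        "etc/ld.so.preload": "/tmp/.cache/libsys.so\n",
        "root/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/tmp/.cache/libsys.so\n",
        "etc/crontab": "0 2 * * * root /usr/bin/backup.sh\n",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return str(root)
```

Run `audit_persistence()` as root on a live host or `audit_persistence("/mnt/image")` against a mounted image; findings are review candidates, not verdicts, since legitimate rc files and units can match.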

Affected products:

Linux systems
npm
PyPI
GitHub
AWS
Docker
Kubernetes
Developer workstations
DevOps environments

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website shows information taken from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
