Quasar Linux malware targets DevOps environments

Security researchers have discovered a new Linux malware campaign targeting software developers and DevOps infrastructure. The malware, known as Quasar Linux or QLNX, combines extensive espionage capabilities with techniques designed to remain hidden on infected systems for extended periods.

Researchers at Trend Micro describe QLNX as a modular platform that combines rootkit functionality, remote access, and credential theft, among other capabilities. The malware is reportedly being actively deployed in environments where developers work with services and platforms such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes, BleepingComputer reports. According to the researchers, this poses a risk of supply-chain attacks, in which malicious actors distribute malware through popular code distribution channels.

Stealth techniques hinder detection

A notable feature of the malware is its attempts to evade detection. QLNX runs primarily in system memory and erases traces of its presence by clearing log files and altering process names. The malware also compiles certain components directly on the infected system, including rootkit components and PAM modules for intercepting authentication data.

According to Trend Micro, QLNX employs multiple methods to remain active, even after processes are terminated or systems are rebooted. To do so, the malware leverages various Linux mechanisms, including systemd services, cron jobs, init scripts, and modifications to bash configuration files. This allows the malware to embed itself deep within the system.
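The persistence locations listed above, together with the PAM module directories mentioned earlier, are exactly the places a defender should watch for unexpected recent changes. The following audit script is an added example written for this article, not code from Trend Micro or from the malware report; the directory list and the ROOT parameter (so the same check can run over a mounted disk image or a test tree) are assumptions made here.

```bash
#!/bin/sh
# Audit the Linux persistence locations named in the article (systemd units,
# cron, init scripts, shell rc files, PAM module directories) for files that
# changed within the last MINUTES. ROOT defaults to the live system; point it
# at a mounted image or a test tree to check offline. Constructed example.

# Directories searched recursively (paths relative to ROOT; assumed list).
PERSIST_DIRS="etc/systemd/system usr/lib/systemd/system etc/cron.d \
etc/cron.hourly etc/cron.daily etc/init.d etc/profile.d \
lib/security usr/lib/security lib/x86_64-linux-gnu/security \
usr/lib/x86_64-linux-gnu/security var/spool/cron"

# Single files checked individually (paths relative to ROOT; assumed list).
PERSIST_FILES="etc/crontab etc/profile etc/bash.bashrc \
root/.bashrc root/.profile root/.bash_profile"

# Print one path per line for every file under the watched locations whose
# modification time is within MINUTES (default: last 24 hours).
recent_persistence() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root/etc" is "/etc"
    minutes=${2:-1440}
    for d in $PERSIST_DIRS; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -mmin "-$minutes" 2>/dev/null
    done
    for f in $PERSIST_FILES; do
        [ -f "$root/$f" ] && find "$root/$f" -type f -mmin "-$minutes" 2>/dev/null
    done
    # Per-user shell rc files under /home (one level deep).
    [ -d "$root/home" ] && find "$root/home" -maxdepth 2 -type f \
        \( -name .bashrc -o -name .profile -o -name .bash_profile \) \
        -mmin "-$minutes" 2>/dev/null
    return 0
}

# Number of recent hits; a non-zero value on a host that had no planned
# change is worth an alert.
recent_persistence_count() {
    recent_persistence "$1" "$2" | wc -l | tr -d ' '
}
```

Run it as `recent_persistence / 60` on a live host, or with ROOT set to a mounted image; a freshly compiled `.so` appearing in a PAM directory, or a new unit or cron entry nobody deployed, is the kind of finding the article's description points at.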

QLNX’s functionality extends beyond just persistent access. The malware includes capabilities for keylogging, taking screenshots, and monitoring clipboard content. Additionally, it can collect system data, steal SSH keys, and gain access to cloud configurations and browser data. Files such as /etc/shadow, where encrypted passwords are stored on Linux systems, are also among the targets.

Network functionality increases the risk of lateral movement

On the network level, QLNX supports, among other things, tunneling, SOCKS proxy functionality, and lateral movement via SSH. This allows attackers to spread further within a network after an initial system has been compromised. Process injection and executing code directly in memory are also possible.

The researchers warn that developer workstations are attractive targets because they often have access to software repositories, CI/CD pipelines, and cloud environments. Stolen developer credentials can then be exploited to publish tampered software packages or infiltrate internal infrastructure.

Trend Micro has not yet shared details about specific attacks or the group behind the malware. As a result, the exact extent of QLNX’s current spread remains unclear. However, the researchers report that the malware is currently detected by only a limited number of security solutions, increasing the likelihood that infections will go unnoticed.