Linux rootkit, macOS crypto stealer and WebSocket skimmers

Quasar Linux embeds a kernel rootkit and P2P mesh; JobStealer poses as a conferencing app to steal crypto data; obfuscated WebSocket backdoors inject card skimmers.

Researchers have identified three active campaigns targeting enterprise environments: a Linux remote access trojan that includes a kernel rootkit and peer-to-peer command channels; a macOS cryptocurrency stealer delivered as a fake video‑conferencing app; and obfuscated WebSocket backdoors used to inject credit‑card skimmers into e‑commerce pages.

Analysis by Trend Micro found Quasar Linux, or QLNX, is a modular RAT that combines a kernel‑level LD_PRELOAD rootkit, a PAM‑based authentication backdoor and persistence features. The binary embeds C source for the backdoor and rootkit, masks malicious processes under names that mimic system services, and uses a peer‑to‑peer mesh so infected hosts can relay commands and share data without centralized servers.
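The two persistence mechanisms named above, a library injected through LD_PRELOAD and a tampered PAM module, can both be checked host-side. The following is an added defender example, not Trend Micro's tooling or anything taken from the QLNX implant; the default paths (Debian-family layout), the `allowlist` argument and the findings format are assumptions.

```python
import os
import re
import stat
from pathlib import Path

PRELOAD_FILE = "/etc/ld.so.preload"          # one library path per line
PAM_DIR = "/lib/x86_64-linux-gnu/security"   # Debian-family default; adjust for RPM hosts
SUSPICIOUS_PATH = re.compile(r"/(tmp|dev/shm|var/tmp)/|/\.[^/]+")
LD_PRELOAD_LINE = re.compile(r"\s*(export\s+)?LD_PRELOAD=")

def preload_findings(text: str) -> list[str]:
    """Each non-comment line of ld.so.preload is a shared object the dynamic loader
    injects into every program; a clean host normally has none."""
    out = []
    for line in text.splitlines():
        lib = line.strip()
        if not lib or lib.startswith("#"):
            continue
        why = "library injected into every process"
        if SUSPICIOUS_PATH.search(lib):
            why += "; temp or hidden path"
        out.append(f"ld.so.preload: {lib} ({why})")
    return out

def env_findings(name: str, text: str) -> list[str]:
    """LD_PRELOAD exported from /etc/environment or a profile script is the other foothold."""
    return [f"{name}: {l.strip()}" for l in text.splitlines() if LD_PRELOAD_LINE.match(l)]

def pam_module_findings(name, uid, mode, link_target, allowlist) -> list[str]:
    """A module missing from the package manifest, writable by non-root, or replaced
    by a symlink is a candidate for a password-capturing PAM backdoor."""
    out = []
    if allowlist is not None and name not in allowlist:
        out.append(f"{name}: not in package manifest")
    if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{name}: uid {uid}, mode {oct(stat.S_IMODE(mode))}")
    if link_target:
        out.append(f"{name}: symlink to {link_target}")
    return out

def pam_findings(pam_dir=PAM_DIR, allowlist=None) -> list[str]:
    """allowlist: module names taken from dpkg -S / rpm -qf; None skips that check."""
    d = Path(pam_dir)
    out = []
    for so in sorted(d.glob("*.so")) if d.is_dir() else []:
        st = so.lstat()
        link = os.readlink(so) if so.is_symlink() else None
        out += pam_module_findings(so.name, st.st_uid, st.st_mode, link, allowlist)
    return out
```

On a live host, pass the contents of /etc/ld.so.preload and each login script to the text checks and call pam_findings() with an allowlist built from the package manager's file lists; all three need read access to those paths.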

Analysis by Doctor Web identified JobStealer as a macOS information stealer distributed through malicious websites and social channels under the guise of video‑conferencing tools. Operators create supporting Telegram channels and landing pages to lure candidates with promises of online interviews. Installers drop software that harvests cryptocurrency wallet data and other files. Some versions ask users to paste terminal commands that fetch and run a loader, removing the need to ship an obvious malicious binary.

Research from Palo Alto Networks Unit 42 uncovered obfuscated JavaScript that creates WebSocket backdoors on hundreds of compromised sites. The WebSocket channels deliver obfuscated payloads that execute dynamically to inject credit‑card skimmers into checkout pages. Stolen payment data is exfiltrated to attacker‑controlled command‑and‑control domains.

The three campaigns affect different parts of enterprise infrastructure. QLNX targets Linux servers and cloud hosts where privileged access can enable lateral movement and credential theft. JobStealer targets end users during hiring or interview workflows. WebSocket backdoors target customer‑facing websites to capture payment information.

The operations rely on several techniques: poisoned installers and supply‑chain tampering, abuse of native utilities and legitimate management tools, social engineering lures and ClickFix‑style commands, and code obfuscation combined with decentralized command channels. These methods allow attackers to hide malicious activity, reduce dependence on central servers, and deliver dynamic payloads that evade simple signature scans.

In its analysis, Trend Micro described QLNX as “a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features.” Unit 42 wrote, “Obfuscated JavaScript creates a WebSocket backdoor using dynamically executed JavaScript.”
