Quasar Linux RAT targets developers, steals credentials
Trend Micro found a previously undocumented Linux implant, Quasar Linux RAT, that harvests developer and DevOps credentials from files like .npmrc and .pypirc to aid supply-chain attacks.
Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim detailed a previously undocumented Linux implant they call Quasar Linux RAT, or QLNX, in a recent technical analysis. The implant targets developer and DevOps systems to collect credentials and maintain long-term access.
QLNX harvests secrets from many developer artifacts, including .npmrc and .pypirc files, .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens and .env files. Control of a package maintainer’s environment could allow an attacker to publish malicious packages to NPM or PyPI and move through CI/CD pipelines.
The researchers did not determine how the implant first gains access. After installation, QLNX executes filelessly from memory and disguises itself as a kernel thread, using names such as kworker or ksoftirqd. The implant can profile hosts to detect containerized environments and remove system logs to hinder detection.
Operators can use 58 distinct commands included with QLNX. The toolkit enables shell command execution, file management, code injection, screenshot capture, keystroke logging, clipboard monitoring, and the creation of SOCKS proxies and TCP tunnels. The implant can run Beacon Object Files, operate a peer-to-peer mesh, and exfiltrate collected data to attacker-controlled infrastructure.
QLNX keeps contact with command-and-control servers over raw TCP, HTTPS and HTTP and runs a persistent loop to reestablish connections if they are lost.
To hide and persist, the implant uses at least seven persistence methods, including systemd units, crontab entries and .bashrc shell injection. It employs a two-tier rootkit architecture: a userland rootkit loaded via LD_PRELOAD to conceal files and processes, and a kernel-level eBPF component that can hide processes, files and network ports from standard tools such as ps, ls and netstat when instructed.
The implant also includes Pluggable Authentication Module (PAM) backdoors. One intercepts plaintext credentials during login events and logs outbound SSH session data for transmission to the C2 servers. A second PAM-based logger is loaded into every dynamically linked process to capture service names, usernames and authentication tokens as they are used.
Trend Micro published technical details and indicators of compromise alongside the analysis. The researchers wrote: “The QLNX implant was built for long-term stealth and credential theft,” and described how its capabilities work together to persist and harvest high-value secrets.
The report advises that organizations managing packages or CI/CD systems, and teams that store cloud or container tokens on developer workstations, should audit systems for unexpected processes and network connections, rotate exposed credentials, limit the use of long-lived tokens, and enable multi-factor authentication where possible.
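One concrete way to act on that audit advice, given the kernel-thread disguise (kworker, ksoftirqd) and fileless in-memory execution described above, is to compare each process name against the properties only genuine kernel threads have. The following hunting script is an added example written for this article, not Trend Micro's tooling; the sample process records are constructed, and the PF_KTHREAD flag value and /proc field positions are taken from the Linux proc(5) documentation.

```python
"""Flag user-space processes masquerading as Linux kernel threads.

Genuine kernel threads are children of kthreadd (PID 2), carry the
PF_KTHREAD flag (0x00200000) in field 9 of /proc/<pid>/stat, have an
empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe target.
An exe link resolving to memfd: or a deleted file points at fileless execution.
"""
import os, re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PF_KTHREAD = 0x00200000
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")

@dataclass
class Proc:
    pid: int
    comm: str      # process name from /proc/<pid>/stat, without parentheses
    ppid: int
    flags: int     # field 9 of /proc/<pid>/stat
    cmdline: str   # /proc/<pid>/cmdline with NULs turned into spaces
    exe: str       # readlink of /proc/<pid>/exe, '' if unreadable

def parse_stat(stat: str) -> Tuple[str, int, int]:
    """Return (comm, ppid, flags); comm may contain spaces, so split on last ')'."""
    head, _, rest = stat.rpartition(")")
    fields = rest.split()  # state, ppid, pgrp, session, tty_nr, tpgid, flags, ...
    return head.split("(", 1)[1], int(fields[1]), int(fields[6])

def suspicious(p: Proc) -> List[str]:
    reasons = []
    looks_kernel = bool(KTHREAD_NAMES.match(p.comm))
    if looks_kernel and not (p.flags & PF_KTHREAD):
        reasons.append("kernel-thread name without PF_KTHREAD")
    if looks_kernel and p.pid != 2 and p.ppid != 2:
        reasons.append(f"kernel-thread name but parent is pid {p.ppid}, not kthreadd")
    if looks_kernel and (p.cmdline or p.exe):
        reasons.append("kernel-thread name but has a cmdline or exe")
    if "memfd:" in p.exe or "(deleted)" in p.exe:
        reasons.append("executable backed by memfd or a deleted file")
    return reasons

def scan(procs: Iterable[Proc]) -> dict:
    return {p.pid: r for p in procs if (r := suspicious(p))}

# Constructed sample records (not real telemetry): two real kernel threads,
# one impostor with a kworker name, and its child shell.
SAMPLE = [
    Proc(2, "kthreadd", 0, 0x00208040, "", ""),
    Proc(15, "kworker/0:1", 2, 0x04208060, "", ""),
    Proc(4242, "kworker/u8:3", 1, 0x00400100, "./kworker/u8:3", "/memfd:x (deleted)"),
    Proc(4300, "bash", 4242, 0x00400100, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

For a live host, build Proc records by reading /proc/<pid>/stat, cmdline and exe for each numeric directory under /proc and pass them to scan(); remember that the eBPF rootkit described above can hide processes from /proc itself, so an empty result is not proof of a clean system.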