Sophisticated Quasar Linux Malware Threats Targeting Software Developers


A Sophisticated Malware Threat: Quasar Linux (QLNX)

Trend Micro researchers have uncovered a complex Linux backdoor, known as Quasar Linux (QLNX), specifically designed to target software developers. Its primary goal is to steal sensitive credentials, granting attackers access to development tools, cloud environments, and repositories.

Credentials Targeted by QLNX:

  • AWS credentials and configurations
  • Kubernetes tokens
  • Docker Hub credentials
  • Git access tokens and configurations
  • NPM authentication tokens
  • PyPI API keys

These stolen credentials allow attackers to compromise the software supply chain by publishing malicious packages through established developer accounts. They can gain unauthorized access to development pipelines, inject backdoors into build artifacts, or pivot into cloud environments containing production infrastructure.

Persistence Methods Employed by QLNX:

  • Crontab entries
  • Init scripts
  • Service files
  • Shell lines

“The attackers’ ability to deploy multiple persistence methods on the same system makes it challenging to detect and remove the malware,” said the researchers.

QLNX maintains stealth through a two-tier rootkit architecture: userspace hooks injected through an LD_PRELOAD shared library, and an eBPF rootkit controller that manages kernel-level BPF maps. Together these let the implant conceal processes, files, and network ports from standard userland tools.
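To make the persistence locations and the LD_PRELOAD injection point above concrete, here is an added host-triage script; it is not part of the article or of Trend Micro's research, and the sample inputs and path heuristics are constructed for illustration. It flags preload and cron entries, LD_PRELOAD lines in shell profiles, and compares a syscall-based process enumeration against a /proc listing to surface userspace process hiding.

```python
"""Host triage for the QLNX indicators discussed above: persistence entries and
LD_PRELOAD hooks. Detection functions take file contents as text so they run offline."""
import os
import re

# Constructed sample inputs for this example; they are not real QLNX artefacts.
SAMPLE_LD_PRELOAD = "# comment\n/usr/local/lib/libexample_hook.so\n"
SAMPLE_CRONTAB = "0 * * * * /usr/bin/updatedb\n@reboot /tmp/.cache/run.sh\n"
SAMPLE_BASHRC = "export PATH=$PATH:~/bin\nexport LD_PRELOAD=/var/tmp/.x/libx.so\n"

UNTRUSTED_PATH = re.compile(r"(/tmp/|/dev/shm/|/\.[^/\s]+)")  # temp or hidden dirs

def _entries(text):
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def preload_libraries(text):
    """Shared objects listed in /etc/ld.so.preload; the file is normally absent or empty."""
    return [l.strip() for l in _entries(text)]

def suspicious_cron_lines(text):
    """Cron entries whose command runs from a temp or hidden directory."""
    return [l for l in _entries(text) if UNTRUSTED_PATH.search(l)]

def shell_preload_lines(text):
    """Shell profile lines that set LD_PRELOAD, the injection point for userspace hooks."""
    return [l for l in text.splitlines() if re.match(r"\s*(export\s+)?LD_PRELOAD=", l)]

def probe_pids(limit=32768):
    """Enumerate live PIDs with kill(pid, 0), which does not go through readdir()."""
    alive = []
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the process exists but belongs to another user
        alive.append(pid)
    return alive

def hidden_pids(probed, listed):
    """PIDs that answer kill(pid, 0) but are missing from the /proc directory listing;
    a hook that filters readdir() results hides from the listing, not from the probe."""
    return sorted(set(probed) - set(listed))

if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        print("ld.so.preload:", preload_libraries(open("/etc/ld.so.preload").read()))
    listed = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    print("hidden pids:", hidden_pids(probe_pids(), listed))
```

A kernel-level eBPF component of the kind the article describes can filter both views, so an empty result rules out only the userspace tier.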

Commands Supported by QLNX:

  • Interact with shells
  • Enumerate and manipulate files and processes
  • Create directories
  • Execute arbitrary commands

The sophistication of this malware underscores the importance of robust security measures and regular updates to counter emerging risks.
