Quasar Linux RAT (QLNX): A Fileless Implant Targeting Supply Chain with Stealth and Persistence
- May 9
- 4 min read
Key Findings
Researchers discovered QLNX, a previously undocumented Linux remote access trojan targeting developers and DevOps environments
The malware operates entirely from memory using memfd_create to avoid disk detection
QLNX includes embedded C source code for PAM backdoors and LD_PRELOAD rootkits that dynamically compile on target systems
The implant supports 58 command handlers including keylogging, credential theft, SSH lateral movement, and eBPF-based hiding
Communication occurs through encrypted TLS channels or HTTP/HTTPS with custom binary protocols
Multiple persistence mechanisms ensure long-term access across system reboots
The malware poses significant supply chain risk by targeting software development workflows
Background
Security researchers at Trend Micro uncovered QLNX, a comprehensive Linux implant designed with sophisticated evasion and persistence capabilities. The malware specifically targets developers and DevOps environments, making it a notable supply chain threat. Unlike traditional malware that leaves artifacts on disk, QLNX executes entirely from memory, making it particularly difficult to detect through standard forensic analysis. The discovery represents a significant escalation in Linux-focused attacks, combining remote access trojan functionality with advanced rootkit capabilities.
Fileless Execution and Memory Operations
QLNX achieves its stealthy execution model through several technical innovations. Upon launch, the malware uses memfd_create to copy itself into a RAM-backed file, deletes the original binary, and re-executes directly from memory using execveat or /proc/self/fd/<memfd> as a fallback mechanism. This approach ensures no persistent disk footprint remains after execution. The malware uses the _MFD_RE environment variable to prevent infinite re-execution loops. Before fully initializing, QLNX profiles the target system to determine available capabilities, checking privileges, kernel version, SELinux status, containerization, GCC availability, X11 access, and support for process injection or keylogging. Based on these findings, it selectively enables features appropriate to the environment.
Evasion and Process Obfuscation
The implant employs multiple techniques to remain hidden from system administrators and security tools. QLNX disguises itself as legitimate kernel threads such as [kworker/0:0] and rewrites process metadata visible in standard utilities like ps, top, and /proc directories. It removes forensic environment variables and prevents multiple instances by creating fake X11 lock files in /tmp. The malware uses eBPF technology to intercept and hide its activity at the kernel level. Additionally, QLNX checks whether it is running inside containerized environments, allowing it to modify behavior accordingly. Log wiping capabilities ensure evidence of its presence is removed from system records.
Credential Harvesting and Data Collection
QLNX implements extensive credential theft mechanisms targeting developers specifically. It deploys a malicious PAM module that captures authentication credentials at the system level. The malware collects shell history, SSH keys, Firefox profiles, and clipboard data from infected systems. A keylogging capability monitors user input across applications. Upon initial connection to command and control servers, QLNX sends detailed system information including hostname, network data, privilege level, geolocation obtained from ip-api.com queries, and a machine fingerprint derived from system identifiers. This comprehensive data gathering enables attackers to profile targets and plan lateral movement strategies.
Rootkit and PAM Backdoor Deployment
One of QLNX's most sophisticated features involves dynamically compiling and deploying kernel-level rootkits. The binary carries embedded C source code for both PAM backdoors and LD_PRELOAD rootkits as string literals. During execution, QLNX uses the GCC compiler present on target systems to compile rootkit shared objects and PAM backdoor modules directly on the infected host. These compiled modules are then deployed via /etc/ld.so.preload for system-wide interception. This approach allows the malware to achieve persistent kernel-level access while maintaining flexibility across different Linux distributions and kernel versions. The dynamic compilation also complicates detection since the rootkit components are generated at runtime rather than delivered as pre-compiled binaries.
Command and Control Communications
QLNX supports three distinct communication channels, each designed for different network conditions. Raw TCP and HTTPS communications are protected with TLS encryption with certificate validation disabled by default. HTTP is used in plaintext during analysis or fallback scenarios. All channels use the same binary command protocol, identified by a four-byte magic value "QLNX" (0x51 4C 4E 58) that initializes the protocol. In raw TLS mode, QLNX implements a custom length-prefixed binary protocol after establishing a four-step handshake. For HTTP/HTTPS operations, the malware uses POST requests to send Base64-encoded data and sends GET requests to poll for commands every five seconds. Session tracking relies on server-generated hex IDs passed via URL parameters and cookies. The malware connects to command servers only after registering with system and geolocation data, receiving ACK and confirmation packets before command execution begins.
Extensive Post-Compromise Capabilities
Once established on a target system, QLNX initializes 58 command handlers providing attackers comprehensive control. These include interactive shell access, file management and manipulation, persistence mechanism installation, lateral movement via SSH, screenshot capture, keylogging operations, rootkit deployment, SOCKS proxy establishment, port forwarding, and in-memory shellcode execution. The breadth of capabilities transforms infected systems into fully compromised hosts under attacker control. The command execution flow involves decoding Base64-encoded payloads from the C2 server, dispatching them through the handler table, executing them locally, and returning results to attackers. If no commands are queued, the C2 sends empty responses while maintaining the communication session.
Persistence Mechanisms
QLNX implements seven distinct persistence mechanisms to ensure long-term access across system reboots and administrative interventions. These mechanisms operate at different system levels, from user-level startup scripts to kernel-level rootkits, providing redundant access paths. The combination of PAM module persistence, LD_PRELOAD interception, and kernel-level eBPF hooks creates multiple survival strategies. This layered approach means removing the malware requires comprehensive system cleanup across multiple persistence vectors simultaneously, a challenging task for defenders without specialized incident response expertise.
Supply Chain Implications
The targeting of developers and DevOps environments elevates QLNX's threat level beyond individual systems. Compromised developer machines can serve as pivots into software development pipelines, enabling attackers to inject malicious code into applications before distribution. Access to SSH keys and credentials facilitates lateral movement within organizational networks and to customer systems. The ability to steal Firefox profiles and authentication credentials creates opportunities for further compromise of development tools, code repositories, and cloud infrastructure. Organizations relying on these development systems face compounded risks spanning their entire software supply chain.
Sources
https://securityaffairs.com/191898/malware/quasar-linux-rat-qlnx-a-fileless-linux-implant-built-for-stealth-and-persistence.html
https://orkl.eu/libraryEntry/22d7e1eb-172f-4fc0-9fc2-eed0933bbab8

Comments