Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
28 distinct techniques documented for this family, organized by ATT&CK tactic.
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed.
RAT core — Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.
File Path /etc/init.d/quasar_linux RC script dropped for boot-time persistence
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed.
Credential access layer — Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
Indicators of Compromise (IoCs):- File Name quasar_linux.service Systemd service file dropped under /etc/systemd/system/ and ~/.config/systemd/user/ for persistence
File Path /etc/init.d/quasar_linux RC script dropped for boot-time persistence
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed.
Unlike most malware that relies on files stored on disk, QLNX runs almost entirely in memory. On launch, it creates a file that exists only in memory, writes its real payload into it, executes that payload, then removes the original file from disk.
Credential access layer — Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
Rather than carrying pre-built components, it embeds raw C source code and uses the target machine’s own compiler to build a custom rootkit at runtime.
To avoid attracting attention, QLNX rewrites its own process name to mimic legitimate kernel worker threads like [kworker/0:0] or [migration/0].
Unlike most malware that relies on files stored on disk, QLNX runs almost entirely in memory. On launch, it creates a file that exists only in memory, writes its real payload into it, executes that payload, then removes the original file from disk.
QLNX was designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables.
QLNX was designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables.
Credential access layer — Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
Surveillance module — Keylogging, screenshot capture, and clipboard monitoring.
Once executed, it shifts its payload into memory and leaves no trace on the file system, then plants itself into the operating system to harvest SSH keys, cloud credentials, package registry tokens, and browser-stored passwords.
Once executed, it shifts its payload into memory and leaves no trace on the file system, then plants itself into the operating system to harvest SSH keys, cloud credentials, package registry tokens, and browser-stored passwords.
RAT core — Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux malware that operates largely in memory, steals SSH keys, cloud credentials, package registry tokens, and browser-stored passwords, compiles a custom rootkit and PAM backdoor on the victim host, establishes persistence, and uses a peer-to-peer mesh for resilient command and control.
Linux implant targeting developer and DevOps environments. It provides remote access via a 58-command RAT framework, establishes stealthy persistence using multiple mechanisms, dynamically compiles userland rootkit and PAM backdoor components on the victim host, steals credentials from SSH, browsers, cloud and developer configs, supports keylogging and screenshots, and enables tunneling, port scanning, SSH lateral movement, process injection, and in-memory payload execution.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.