Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
29 distinct techniques documented for this family, organized by ATT&CK tactic.
... setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection.
QLNX also implements two PAM backdoors that compile on the target system, enabling credential harvesting and authentication interception.
... setting up persistence using no less than seven different methods, including systemd ...
... setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection.
... setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection.
... receives commands that make it possible to ... inject code into processes ...
QLNX also implements two PAM backdoors that compile on the target system, enabling credential harvesting and authentication interception.
... setting up persistence using no less than seven different methods, including systemd ...
A userland rootkit hides files, processes, and binaries by hooking libc functions via LD_PRELOAD, while an optional eBPF controller manipulates kernel maps to hide processes, files, and ports at kernel level.
To evade detection, QLNX disguises itself as legitimate kernel threads such as [kworker/0:0] and rewrites process metadata visible in ps, top, and /proc.
... receives commands that make it possible to ... inject code into processes ...
QLNX is a powerful Linux remote access trojan that runs directly from memory to avoid detection, hides its activity using eBPF, wipes logs...
QLNX is a powerful Linux remote access trojan that runs directly from memory to avoid detection, hides its activity using eBPF, wipes logs, and checks whether it is running inside containerized environments.
... is capable of profiling the host to detect containerized environments ...
... to ensure that the implant's artifacts and processes stay hidden ... conceal processes, files, and network ports from standard userland tools such as ps, ls, and netstat ...
It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc, then deploys them via /etc/ld.so.preload for system-wide interception.
QLNX is a sophisticated Linux malware designed to operate entirely from memory and avoid leaving traces on disk. After execution, it copies itself into a RAM-backed file using memfd_create, deletes the original binary, and re-launches directly from memory using execveat or /proc/self/fd/<memfd> as a fallback.
The malicious code can steal credentials, log keystrokes, manipulate files, monitor clipboard activity, and create network tunnels for remote access.
The malware then profiles the infected system, checking privileges, kernel version, SELinux status, containerization, GCC availability, X11 access, and support for process injection or keylogging.
The malicious code can steal credentials, log keystrokes, manipulate files, monitor clipboard activity, and create network tunnels for remote access.
Once established, QLNX initializes 58 command handlers and connects to its C2 server over a custom TLS-based protocol, HTTPS, or HTTP.
The malware supports extensive post-compromise functions including shell access, file management, persistence, credential theft, SSH lateral movement, screenshots, keylogging, rootkits, SOCKS proxies, port forwarding...
... continuously attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A fileless Linux implant designed for stealth and persistence. It executes from memory, steals credentials, logs keystrokes, monitors clipboard and system activity, supports remote shell access, file management, code injection, screenshots, SOCKS proxies, port forwarding, SSH lateral movement, and network tunneling. It also deploys a PAM backdoor and LD_PRELOAD rootkit, uses eBPF for hiding activity, wipes logs, and maintains persistence through multiple mechanisms including systemd, cron, init scripts, XDG autostart, and LD_PRELOAD injection.
A Linux implant targeting developer environments and software supply chains. It operates filelessly from memory, steals credentials from developer and cloud tooling, supports keylogging, file manipulation, screenshots, SOCKS/TCP tunneling, shell command execution, BOF execution, and P2P mesh management. It uses multiple persistence methods, includes PAM credential interception, and employs both userland and kernel-level rootkit techniques for stealth.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.