Trend Micro disclosed a previously undocumented Linux implant, Quasar Linux RAT (QLNX), that targets developer workstations and DevOps environments to steal credentials tied to software supply chains. The malware harvests secrets from assets including npm, PyPI, Git, AWS, Kubernetes, Docker, Vault, Terraform, GitHub CLI, .env files, SSH keys, browser data, and even /etc/shadow, creating a path to malicious package publication, cloud account compromise, and CI/CD abuse. Researchers said the implant combines backdoor, surveillance, credential theft, and lateral movement features, with a 58-command RAT core supporting shell execution, file management, screenshots, keylogging, clipboard theft, SOCKS proxying, TCP tunneling, and SSH-based movement across environments.
The malware was built for stealth and long-term persistence on Linux systems. Trend Micro said QLNX runs filelessly from memory, deletes its original binary, wipes logs, spoofs process names as kernel threads, and uses multiple persistence methods including LD_PRELOAD, systemd, crontab, init.d, XDG autostart, and .bashrc injection. It also dynamically compiles rootkit and PAM credential-interception components on the victim host using gcc, then hides processes, files, and ports through a two-tier design that combines a userland LD_PRELOAD rootkit with an eBPF kernel component. Command-and-control traffic can flow over raw TCP, custom TLS, HTTP, or HTTPS, and at publication only a small number of security products reportedly detected the malware, while no actor attribution or confirmed intrusions had been publicly disclosed.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Subsequent coverage expanded on QLNX's capabilities, including theft of secrets from npm, PyPI, Git, AWS, Kubernetes, Docker, Vault, Terraform, GitHub CLI, and .env files. It also highlighted PAM credential interception and a two-tier rootkit architecture using LD_PRELOAD and an eBPF kernel component for stealth.
Red Asgard reported that server 195.201.104.53 hosted both BeaverTail FTP exfiltration infrastructure and OtterCookie command-and-control services, indicating shared Lazarus-linked operational infrastructure. The finding shifted the model from one host per campaign to a shared substrate supporting multiple malware families and operational lanes.
Trend Micro published analysis of a previously undocumented Linux implant called Quasar Linux (QLNX) aimed at developer and DevOps environments. The malware was described as a stealthy, fileless RAT with credential theft, persistence, rootkit, surveillance, and supply-chain risk implications, though no actor attribution or confirmed attacks were provided.
A report published by OSM described Lazarus Group tradecraft involving the use of Git hooks to conceal malware. The referenced coverage tied the activity to DPRK-linked operations, but the provided material did not include further technical details or victim information.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
securityaffairs.com
Open sourcethehackernews.com
Open sourceredasgard.com
Open sourcebsky.app
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.