Listen to this Post

Introduction:
The modern software supply chain is only as secure as the least protected developer workstation. QLNX, also known as Quasar Linux, is a newly discovered Linux Remote Access Trojan (RAT) that weaponizes this fundamental weakness, specifically targeting developers and DevOps engineers to compromise the trust at the heart of the open-source ecosystem. This previously undocumented implant uses a terrifying combination of fileless memory execution, a dual-layer rootkit (LD_PRELOAD and eBPF), a PAM-based authentication backdoor, and a staggering 58 remote commands to establish covert, persistent control while harvesting credentials from platforms like npm, PyPI, AWS, and Kubernetes. Its primary goal is not system destruction but the silent theft of publishing tokens to enable large-scale supply chain attacks.
Learning Objectives:
- Understand the Mechanics of QLNX: Analyze the inner workings of the QLNX RAT, including its fileless execution, multi-layered persistence, and the dual-userland/kernel rootkit architecture.
- Master Detection and Hunting Techniques: Learn to identify indicators of compromise (IoCs) for QLNX, including suspicious process names, LD_PRELOAD entries, and monitoring for anomalous gcc compilation events.
- Develop a Comprehensive Incident Response Plan: Learn a multi-phase, step-by-step approach to contain a QLNX infection, eradicate all persistence mechanisms, and safely remediate stolen cloud and registry credentials.
You Should Know:
1. QLNX Anatomy and Fileless Execution
The malware’s ability to operate without touching the disk is its most formidable defense. After the initial infection, QLNX self-deletes its original binary, copies itself to a RAM-backed file, and then masquerades its process name to blend in with legitimate kernel threads such as `[kworker/0:0]` or [migration/0]. It carries embedded source code for its rootkit and PAM backdoor, which it compiles on the target system using the installed GCC compiler to avoid signature-based detection. The malware’s 58-command framework provides a full suite of post-exploitation tools, including keylogging, screenshot capture, clipboard monitoring, TCP tunneling, and even Beacon Object File (BOF) in-memory execution.
Step‑by‑step guide explaining what this does and how to use it:
To simulate and understand fileless execution, a security researcher might replicate QLNX’s technique:
1. Create a simple C program that prints “Malicious Payload” (e.g., echo 'int main() { puts("Malicious Payload"); return 0; }' > /dev/shm/payload.c).
2. Use `memfd_create` to create an anonymous file in memory and get its file descriptor.
3. Compile the payload and write the binary’s contents directly to this memory file descriptor.
4. Execute the payload from memory using the `fexecve` function on the file descriptor, leaving no binary on disk.
Code Example (Simulated Snippet):
include <stdio.h>
include <unistd.h>
include <sys/mman.h>
int main() {
int fd = memfd_create("legit_name", MFD_CLOEXEC);
// ... Write compiled payload to fd ...
fexecve(fd, argv, envp);
}
Practical Detection Commands (Forensics):
- Linux: Use `sudo ps auxf | egrep “(kworker|migration|kthreadd)”` and correlate the PID with start time and parent process. Cross-reference with `lsof -p
` to identify unusual memory-mapped files. - General: Scan for suspicious GCC activity with
sudo ausearch -x /usr/bin/gcc -ts recent, as QLNX compiles its rootkit on the fly.
2. Dual‑Layer Rootkit (LD_PRELOAD & eBPF)
QLNX leverages a sophisticated stealth architecture. The userspace layer uses an `LD_PRELOAD` rootkit, a shared library that intercepts standard libc functions (like open, readdir, kill) to hide malicious files, processes, and network connections from userland tools like ls, ps, and netstat. The kernel‑layer uses an eBPF rootkit that loads a program into the kernel. This program manipulates BPF maps to hide specific PIDs and network ports directly from the kernel’s output, making it invisible to even privileged users. Together, these layers create a formidable barrier to standard incident response.
Step‑by‑step guide explaining what this does and how to use it:
For Defenders (Detection & Mitigation):
- Check LD_PRELOAD: Run
sudo cat /etc/ld.so.preload. If it contains an entry pointing to a suspicious library (e.g., in `/tmp` or a user’s.cache), QLNX is likely active. - Find Hidden Processes: Attempt to list processes using alternative system calls. Use `sudo cat /proc/[0-9]/cmdline | tr ‘\000’ ‘ ‘` and look for anomalies. A mismatch between `ps aux` and the `/proc` filesystem is a strong indicator.
- Detect eBPF Hooks: eBPF rootkits are notoriously hard to detect. Use tools like `bpftool` to list loaded BPF programs. `sudo bpftool prog list` can reveal unexpected programs attached to tracepoints or kprobes.
- Block Persistence: As a preventative measure, restrict write access to critical files:
sudo chmod 644 /etc/ld.so.preload.
For Ethical Hacking/Training (Conceptual Reproduction):
- Userland: Write a shared library that hooks `open()` to hide a specific file path. Compile it (
gcc -shared -fPIC user_hide.c -o libuser_hide.so) and load it viaLD_PRELOAD=./libuser_hide.so. - eBPF: A kernel-level eBPF program would need to be compiled with `clang` and loaded using `bpftool` or `libbpf` to attach to kernel events and manipulate the output of system calls.
3. Credential Harvesting and the Supply Chain Threat
QLNX’s main objective is to steal the secrets that secure the software supply chain. It aggressively hunts for configuration files and tokens containing high-value credentials, scanning the filesystem for ~/.ssh/id_rsa, .npmrc, .pypirc, kubeconfig, AWS `credentials` files, and any `.env` files found. It also employs a custom PAM backdoor that intercepts plaintext passwords during the login process, allowing it to capture any new credentials entered on the system. Once exfiltrated, tokens for npm and PyPI can be used to publish malicious packages, turning a single compromised developer into a launchpad for a global supply chain attack.
Step‑by‑step guide explaining what this does and how to use it:
To Harden Against Credential Theft:
- Rotate Compromised Credentials: If an infection is suspected, immediately rotate all developer access keys, including npm/PyPI tokens, AWS keys, Kubernetes secrets, and SSH keys.
- Enforce Principle of Least Privilege: Use dedicated, limited-scope tokens for CI/CD pipelines instead of a developer’s personal publishing token.
- Deploy YARA Rules: Write and deploy YARA rules on developer workstations to scan for known QLNX strings in memory or on disk. An example YARA rule for hunting might look for the “quasar_linux.service” string or specific compilation artifacts.
rule QLNX_Service_Hunt { meta: description = "Detects QLNX systemd service file artifacts" strings: $s1 = "quasar_linux.service" $s2 = "cloning quasar-linux-implant into memory" condition: any of ($s) } - Monitor Exfiltration: Use network monitoring to look for alerting on connections to newly registered or unusual domains with weak TLS certificates. Set up alerts for large outbound data transfers from developer workstations.
4. The Resilience of Redundant Persistence
Removing QLNX is not a one-step process. The implant installs up to seven different persistence mechanisms to ensure it survives a system reboot and re-establishes itself even if one or two of its methods are discovered and removed. These mechanisms include injecting entries into the system-wide LD_PRELOAD file, creating a systemd service file, adding a cron job, using an init.d script, adding an XDG autostart entry for desktop environments, and injecting lines into the user’s `.bashrc` file.
Step‑by‑step guide explaining what this does and how to use it:
A thorough cleanup must check all persistence locations for malicious entries:
1. Check LD_PRELOAD: `sudo cat /etc/ld.so.preload`
- Check systemd: `systemctl list-unit-files –type=service | grep -i quasar` and manually check the service directory at
/etc/systemd/system/. - Check Crontab: Check system-wide crontabs:
sudo cat /etc/crontab. Check user-specific crontabs:sudo crontab -u <user> -l. - Check init.d scripts:
ls -la /etc/init.d/ | grep -i quasar. - Check XDG Autostart: `ls -la /etc/xdg/autostart/ | grep -i quasar` and
ls -la ~/.config/autostart/ | grep -i quasar. - Check User Shell Configs:
grep -i quasar ~/.bashrc ~/.profile.
Windows Equivalent (Conceptual): While QLNX is Linux-specific, a similar tool on Windows would use Run registry keys, scheduled tasks, WMI event subscriptions, and service DLL persistence.
What Undercode Say:
- QLNX is a paradigm shift, moving from conventional ransomware to targeted supply chain subversion, with developer workstations as the new perimeter.
- The malware’s dynamic compilation and eBPF stealth techniques represent a significant escalation in Linux threat sophistication, rendering many traditional security tools ineffective.
- Organizations must adopt a “zero-trust” model for developer endpoints, combining runtime detection, immutable infrastructure, and enforced multi-factor authentication for all registry operations to mitigate this class of threat.
Prediction:
The emergence of QLNX likely heralds a new generation of highly targeted, fileless, and stealthy Linux malware. We will see a surge in supply chain attacks that infiltrate open-source ecosystems via compromised developer endpoints, forcing a fundamental shift in the security of npm, PyPI, and other package registries. Expect to see the rapid adoption of ephemeral, immutable development environments and a move toward cryptographic signing of all software artifacts as standard industry practice. The era of trusting the developer’s machine is officially over.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackermohitkumar Linux – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


