RC RANDOM CHAOS

Quasar Linux implant hunts developer credentials with eBPF rootkit and PAM backdoors

via BleepingComputer

Original source: New stealthy Quasar Linux malware targets software developers (BleepingComputer)

Trend Micro has documented a previously unseen Linux malware kit, Quasar Linux (QLNX), built specifically to compromise developer and DevOps workstations that interact with npm, PyPI, GitHub, AWS, Docker, and Kubernetes. The implant compiles its rootkit shared objects and PAM backdoor modules on the victim host with gcc, deletes its on-disk binary and keeps running from memory, wipes logs, spoofs process names, and clears environment variables that would otherwise leave forensic traces. Persistence is layered across seven mechanisms, including LD_PRELOAD, systemd, cron, init.d, XDG autostart, and .bashrc injection: the LD_PRELOAD hook loads it into every dynamically linked process, and the remaining mechanisms respawn it when it is killed.

Functionally, QLNX is a full attack platform rather than a single-purpose tool. A 58-command RAT core handles C2 over TCP/TLS or HTTP/S, a dual-layer rootkit combines a userland libc-hooking component with a kernel-level eBPF module that hides PIDs, paths, and ports, and a credential layer scrapes SSH keys, browser stores, cloud and developer configs, /etc/shadow, and the clipboard while PAM backdoors capture plaintext logins. Additional modules cover keylogging, screenshots, ptrace and /proc/pid/mem injection, in-memory BOF/COFF execution, SOCKS tunneling, SSH lateral movement, and a peer-to-peer mesh.
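The persistence and anti-forensics tricks in the first paragraph and the rootkit hiding in the second translate into a handful of host checks a responder can run. The Python below is an added example written for this page; it is not code from BleepingComputer, Trend Micro, or the malware. The directory allow-lists, regexes, and sample inputs are this example's own assumptions, and the checks are generic heuristics rather than the report's published IoCs. Each check takes plain text or a dict so it can be tested offline; `live_scan()` wires the /etc and /proc checks to the real host.

```python
"""Host triage checks for LD_PRELOAD, PAM, shell-rc persistence, memory-only
processes and PID hiding (added example, not the page's or Trend Micro's code).
Allow-lists, patterns and sample inputs are assumptions for illustration."""
import os
import re
from typing import Callable, Iterable

SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")  # assumed baseline
PAM_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                   "/lib/x86_64-linux-gnu/security",
                   "/usr/lib/x86_64-linux-gnu/security"}  # assumed, distro-specific
WORLD_WRITABLE = r"(/tmp|/var/tmp|/dev/shm)"


def check_ld_preload(content: str) -> list[tuple[str, str]]:
    """Every library in /etc/ld.so.preload (whitespace- or colon-separated) is
    loaded into every dynamically linked process; a clean host lists none."""
    findings = []
    for raw in content.splitlines():
        for entry in re.split(r"[\s:]+", raw.split("#", 1)[0].strip()):
            if not entry:
                continue
            reason = "preloaded into every dynamically linked process"
            if not entry.startswith(SYSTEM_LIB_DIRS):
                reason += "; library outside system lib dirs"
            findings.append((entry, reason))
    return findings


def check_pam_config(content: str, known_modules: set[str]) -> list[tuple[str, str]]:
    """Parse pam.d lines ('type control module [args]'; control may be bracketed)
    and flag modules loaded from outside the PAM dirs or absent from a baseline
    of package-installed module names (build the baseline from dpkg/rpm)."""
    findings = []
    for raw in content.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].startswith("@include"):
            continue
        if parts[1].startswith("["):  # e.g. [success=1 default=ignore]
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), -1)
            if end < 0 or end + 1 >= len(parts):
                continue
            module = parts[end + 1]
        else:
            module = parts[2]
        if module.startswith("/"):
            if os.path.dirname(module) not in PAM_MODULE_DIRS:
                findings.append((module, "PAM module loaded from non-standard path"))
        elif module not in known_modules:
            findings.append((module, "PAM module not in package baseline"))
    return findings


SHELL_RC_PATTERNS = (
    (re.compile(r"^\s*(export\s+)?LD_PRELOAD="), "LD_PRELOAD set in shell rc"),
    (re.compile(r"^\s*(\.|source)\s+" + WORLD_WRITABLE + "/"),
     "rc sources a script from a world-writable dir"),
)


def check_shell_rc(content: str) -> list[tuple[int, str]]:
    """Flag .bashrc/.profile lines that inject a preload or source /tmp-style
    paths; returns (line number, reason) pairs."""
    return [(n, why) for n, line in enumerate(content.splitlines(), 1)
            for pat, why in SHELL_RC_PATTERNS if pat.search(line)]


def find_memory_only_exes(exe_links: dict[int, str]) -> list[tuple[int, str]]:
    """exe_links maps pid -> readlink('/proc/<pid>/exe'). A binary unlinked
    after exec reads ' (deleted)'; memfd-backed images start with '/memfd:'."""
    return [(pid, t) for pid, t in sorted(exe_links.items())
            if t.endswith(" (deleted)") or t.startswith("/memfd:")]


def hidden_pids(listed: Iterable[int], probe: Callable[[int], bool],
                max_pid: int) -> list[int]:
    """Cross-view check: PIDs a direct probe confirms (e.g. /proc/<pid>/status
    exists) but that were missing from the directory listing a getdents-filtering
    rootkit hands back."""
    seen = set(listed)
    return [p for p in range(1, max_pid + 1) if p not in seen and probe(p)]


def live_scan(max_pid: int = 65536) -> dict:
    """Run the /etc and /proc checks on this host; run as root for a full view."""
    out: dict = {}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            out["ld_preload"] = check_ld_preload(fh.read())
    pids, links = [], {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        pids.append(int(name))
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:  # kernel threads or EACCES without root
            pass
    out["memory_only"] = find_memory_only_exes(links)
    out["hidden"] = hidden_pids(pids, lambda p: os.path.exists(f"/proc/{p}/status"), max_pid)
    return out
```

Two caveats follow from the article itself. The userland component hooks libc, and ld.so.preload applies to the Python interpreter too, so run the live checks from a statically linked binary, a rescue boot, or a mounted image when a hook is suspected. The eBPF layer can filter at the syscall level, so a PID the cross-view still misses is not proof of a clean host; pair the /proc checks with `bpftool prog list` and `bpftool map list` on the host and with an external view such as a network-side connection list.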

The targeting choice is the real story: developer machines hold the signing keys, registry tokens, and cloud credentials that gate software supply chains, so a stealthy foothold there bypasses most enterprise perimeter controls and sets up trojanized package publication of the kind seen in recent npm and PyPI incidents. Trend Micro has not attributed the implant or quantified its spread, and at publication only four engines flag the binary, leaving defenders reliant on the published IoCs.


This is an AI-generated summary. Read the original for the full story.