
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

DEV Community·Mark0·22 days ago

Quasar Linux RAT (QLNX) is a sophisticated Linux implant designed to target developers and DevOps infrastructure. It focuses on stealing credentials from sensitive files like .npmrc, .aws/credentials, and Kubernetes configs, potentially allowing attackers to poison software registries or access cloud environments. The malware operates with high stealth, using fileless execution and masquerading as kernel threads to establish a silent foothold.

Technically, QLNX employs a multi-layered approach for persistence and evasion, utilizing seven different methods including systemd, crontab, and .bashrc injection. It features a two-tiered rootkit architecture combining userland LD_PRELOAD and kernel-level eBPF components to hide its presence from standard system tools. With support for 58 commands and PAM-based credential interception, it provides operators with comprehensive control over compromised hosts while maintaining long-term stealth.
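For defenders, the kernel-thread masquerade mentioned above can be checked from `/proc`. The following is an added example, not code from the article or from the malware analysis it summarizes: it flags userland processes that present a bracketed or empty command line without the kernel's `PF_KTHREAD` task flag. The function names and the sample lines are constructed for illustration.

```python
import os

PF_KTHREAD = 0x00200000  # per-task flag the kernel sets on genuine kernel threads

def parse_stat(stat_line):
    """Return (comm, state, ppid, flags) from a /proc/<pid>/stat line."""
    # comm is wrapped in parentheses and may itself contain ')' or spaces,
    # so split on the last ')' instead of on whitespace.
    head, _, tail = stat_line.rpartition(")")
    comm = head.split("(", 1)[1]
    fields = tail.split()
    return comm, fields[0], int(fields[1]), int(fields[6])

def is_fake_kthread(stat_line, cmdline):
    """True when a userland process presents itself as a kernel thread."""
    _, state, _, flags = parse_stat(stat_line)
    if flags & PF_KTHREAD or state == "Z":
        return False  # genuine kernel thread, or a zombie (empty cmdline is normal)
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
    # ps prints "[name]" when cmdline is empty; argv[0] can also be set to "[name]".
    return cmdline == b"" or (argv0.startswith("[") and argv0.endswith("]"))

def scan_proc(root="/proc"):
    """Return [(pid, comm)] for live processes that fail the check."""
    hits = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{root}/{entry}/stat", errors="replace") as f:
                stat_line = f.read()
            with open(f"{root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited between listdir and open
        if is_fake_kthread(stat_line, cmdline):
            hits.append((int(entry), parse_stat(stat_line)[0]))
    return hits

# Constructed (stat line, cmdline) pairs; stat lines are cut off after the flags field.
SAMPLES = [
    ("57 (kworker/0:1) I 2 0 0 0 -1 69238880 0", b""),                         # real kthread
    ("4242 (kworker/0:2) S 1 4242 4242 0 -1 4194304 0", b"[kworker/0:2]\0"),  # spoofed argv[0]
    ("4243 (kworker/1:0) S 1 4243 4243 0 -1 4194304 0", b""),                 # wiped cmdline
    ("900 (bash) S 899 900 900 34816 900 4194304 0", b"-bash\0"),             # ordinary shell
    ("901 (sleep) Z 900 901 900 0 -1 4194308 0", b""),                        # zombie
]

if __name__ == "__main__":
    print(scan_proc())
```

Because the summary describes rootkit components that hide the implant from standard system tools, a clean result on a live host does not prove absence; the same check is more trustworthy against a memory image or an offline copy of the process table.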

