
Chicago VPS company 
May 8, 2026

QLNX: A New Remote Access Trojan Poses Threats to Linux Developers 

 

Quasar Linux (QLNX) is a newly discovered Remote Access Trojan (RAT) that targets Linux developers. The malware combines rootkit techniques, credential theft methods, and camouflage tactics, allowing cybercriminals to conduct covert attack workflows. First documented by Trend Micro in early May, QLNX is considered a high-level threat because it can target developer and DevOps credentials across the software supply chain and is notably difficult to remove from infected systems.

While specific instances of harm caused by QLNX have not been disclosed, Trend Micro’s detailed analysis highlights the risk it poses. At the time of its report, Trend Micro was the only antivirus vendor that provided comprehensive detection rules for QLNX, although another vendor, SOC Prime, has since developed detection strategies as well.

Uninvited Permanent Guest

Once it infects a system, QLNX compromises various platforms by stealing credentials for npm, PyPI, GitHub, Amazon Web Services (AWS), Docker, and Kubernetes. The malware targets sensitive data such as private SSH keys, browser logins, shell histories, clipboard contents, and unencrypted passwords stored in the Linux PAM authentication framework. This data is sent to the attacker’s server through secure channels, over which the malware also receives commands in return. Its peer-to-peer capabilities enable QLNX to relay data through other compromised systems, complicating detection and removal efforts.

QLNX is designed for persistence and for discreet continued operation. After the initial injection, it deletes its binary files and operates entirely in memory, disguises its process name, erases system logs, and installs multiple persistence mechanisms so that it survives cleanup attempts.

The malware’s name is derived from its reliance on systemd entries, such as ~/.config/systemd/user/quasar_linux.service and /etc/systemd/system/quasar_linux.service.
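The two host indicators described above (the quasar_linux.service unit paths and a process that keeps running after its binary is deleted) can be checked with a short triage script. This is an added example, not code from Trend Micro or from the original article; the function names and the ROOT and PROCDIR parameters are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: host triage for the two QLNX indicators named in the article.
# Function names and the ROOT/PROCDIR parameters are assumptions of this sketch.

# Print every quasar_linux.service unit found under ROOT (default: /).
# ROOT lets the same check run against a mounted disk image.
qlnx_unit_hits() {
    root="${1:-/}"
    root="${root%/}"
    # System-wide unit path from the article.
    unit="$root/etc/systemd/system/quasar_linux.service"
    if [ -e "$unit" ] || [ -L "$unit" ]; then printf '%s\n' "$unit"; fi
    # Per-user unit path from the article, checked in each home directory.
    for home in "$root"/home/* "$root/root"; do
        unit="$home/.config/systemd/user/quasar_linux.service"
        if [ -e "$unit" ] || [ -L "$unit" ]; then printf '%s\n' "$unit"; fi
    done
    return 0
}

# Print "PID<TAB>target" for processes whose executable was unlinked after
# launch (the article says QLNX deletes its binary and runs from memory).
# Package upgrades also cause this, so treat hits as leads, not verdicts.
deleted_exe_pids() {
    procdir="${1:-/proc}"
    for exe in "$procdir"/[0-9]*/exe; do
        # Unreadable or missing links (other users' processes) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid="${exe%/exe}"
                printf '%s\t%s\n' "${pid##*/}" "$target" ;;
        esac
    done
    return 0
}

# Scan the live host only when asked: sh qlnx_triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== quasar_linux.service units =="
    qlnx_unit_hits /
    echo "== processes with deleted executables =="
    deleted_exe_pids /proc
fi
```

Run it as root so that every user's home directory and every process's exe link is readable. Because the article says QLNX disguises its process name and uses rootkit techniques, an empty result on a live host is not proof of a clean system.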

It has the potential to execute supply chain attacks similar to those used in the LiteLLM incident. In March 2026, cybercriminals compromised two LiteLLM packages in the Python Package Index via a stolen PyPI token, embedding a credential stealer into the software.

For further details, refer to the detailed analysis by Trend Micro here.

