QLNX Credential Theft Malware Targets Developers in Supply Chain Attacks
Key Takeaways A new, stealthy Linux malware named QLNX has been discovered, specifically designed for credential theft. QLNX targets software developers, aiming to compromise software supply chains...
Key Takeaways
- A new, stealthy Linux malware named QLNX has been discovered, specifically designed for credential theft.
- QLNX targets software developers, aiming to compromise software supply chains by stealing critical authentication tokens and keys.
- The malware employs advanced evasion techniques, including in-memory execution, process masquerading, log wiping, and a sophisticated PAM backdoor.
- It can harvest a wide array of sensitive data, including SSH keys, browser logins, cloud configuration files (AWS, Kubernetes), Docker credentials, Git, NPM, and PyPI tokens.
A sophisticated and previously unknown Linux threat, dubbed QLNX, has emerged, posing a significant risk to global software supply chains by specifically targeting developers. This credential-stealing malware, detailed in a comprehensive report by researchers at Trend Micro, functions as a full-featured remote access trojan (RAT) engineered for Linux environments. Its blend of stealth and targeted credential exfiltration marks it as one of the more dangerous Linux implants observed in recent years.
Table Of Content
The infection process for QLNX is designed for minimal footprint. The malware executes entirely within memory, copying itself to a RAM-backed file before erasing its original binary from disk, leaving no persistent trace on the hard drive. To further evade detection, QLNX disguises its running processes by mimicking legitimate Linux kernel threads, such as [kworker/0:0] or [migration/0], making it difficult for even vigilant administrators to identify unusual activity.

Trend Micro researchers uncovered and analyzed QLNX after their AI-driven threat hunting platform flagged an unusual Linux implant with remarkably low detection rates. Their analysis revealed that the malware embeds the source code for both its rootkit and PAM backdoor directly within its binary. These components are then compiled at runtime using the system’s own GCC compiler and loaded via /etc/ld.so.preload to intercept system-wide activities.
QLNX’s capabilities are extensive and deeply concerning. It performs a multi-stage credential harvesting operation, systematically collecting SSH private keys, browser login databases, cloud configuration files for AWS and Kubernetes, Docker credentials, Git tokens, NPM tokens, PyPI API keys, and any .env files it locates. All exfiltrated data is then securely transmitted to the attacker’s command-and-control server over an encrypted connection. The malware also incorporates peer-to-peer mesh networking functionality, allowing each compromised system to relay commands to other infected hosts, complicating eradication efforts.
QLNX Targets Developers for Supply Chain Access
The most critical aspect of QLNX is its potential for downstream impact. Developers represent high-value targets because their credentials can unlock publishing pipelines for packages utilized by countless users. By pilfering NPM and PyPI authentication tokens, QLNX grants its operators the ability to inject malicious packages into trusted registries without immediately raising suspicion, potentially triggering widespread software supply chain attacks.

Supply chain attacks leveraging open-source ecosystems like PyPI and npm have become increasingly effective for threat actors. A single compromised maintainer account could be used to backdoor legitimate packages, inject malicious code into build artifacts, or pivot into cloud environments hosting production infrastructure. The ripple effect from one infected developer machine can lead to catastrophic damage across an organization’s digital footprint.
Furthermore, QLNX actively harvests SSH keys to facilitate lateral movement to other servers within a user’s known host chain. This enables the initial compromise to silently propagate to cloud instances and CI/CD pipelines long before any warning signs appear. The malware’s ability to delete system logs, including auth.log, syslog, and bash_history, significantly hinders forensic investigations post-infection.
Stealth, Persistence, and PAM Backdoor
QLNX employs extensive measures to ensure its stealth and persistence across reboots. It establishes persistence through multiple mechanisms, including systemd services, crontab entries, init.d scripts, and modifications to the user’s .bashrc file. This multi-layered approach ensures that even if one persistence method is discovered and removed, the others will automatically restart the malware, making complete eradication exceedingly challenging.
One of QLNX’s most technically advanced components is its PAM backdoor. The Pluggable Authentication Module (PAM) system handles user authentication on Linux. QLNX injects a malicious PAM module that intercepts credentials in plaintext during user authentication. These captured passwords are then stored in a hidden log file at /var/log/.ICE-unix, secured with XOR encryption.
The malware also includes an eBPF-based kernel rootkit, which conceals its process IDs, file names, and network ports at the kernel level. This renders standard system monitoring tools like ps, top, or netstat ineffective at detecting the malware. The combination of in-memory execution, log wiping, and PAM interception creates a formidable threat that is difficult to detect even on systems with robust monitoring. Organizations operating Linux developer environments should prioritize this concern and immediately review their endpoint visibility practices.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | ea1d34b21b739a6bbf89b3f7e67978005cf7f3eda612cefc7eac1c8ead7c5545 | Quasar-implant binary |
| SHA-256 | 82DAA93219BA40A6E41CDF3174BA57EB5D3383D1CD805584E9954EB0200182A1 | libsecurity_utils.so.1 (LD_PRELOAD rootkit) |
| SHA-256 | 42D0C420EB5FE181388F2E4F0B7D7C0D302971E7A06FDC1BEC481B68C8CCAE1F | pam_security.so (PAM backdoor) |
| SHA-256 | C99CF0DC1EF1057D713CB082ACAF42E4DF4656809C91741752BDDCAB39BBFACA | hide_src_39ZoR.cb |
| SHA-256 | CEA89CAAB82181881D971BE312412795051F6322B105C8B9D29CFB5729FAB8D33 | pam_src_51yC3.f |
| SHA-256 | F417430b2d4ae8d005224a9ff5dcb4007d452338acbcbcbb62c4e8ed1a70552dd | libpam_cache.so |
| SHA-256 | d55549d5655e2f202e215676f4bdb0994ea08a93d15ec4ded413f64cfa7facc8 | pcs_3kf9x.c |
| MD5 | 570f707430f28a7ab836d1c659333152ab9a | quasar-implant (MD5) |
| SHA-1 | b0f2c668cbdd63a87c1c090c95b2c6f9c3e9c3111158752e | quasar-implant (SHA-1) |
| File Path | /usr/lib/libsecurity_utils.so.1 | LD_PRELOAD rootkit shared object |
| File Path | /usr/lib/.libpam_cache.so | PAM credential hook shared object |
| File Path | /etc/ld.so.preload | Modified to load rootkit and PAM hook |
| File Path | /tmp/.pam_cache | Plaintext credential log |
| File Path | /var/log/.Test-unix | Hidden log for captured SSH passwords |
| File Path | /var/log/.ICE-unix | Hidden log for captured PAM passwords |
| File Path | /tmp/.X752e2ca1-lock | Single-instance mutex lock file |
| File Path | ~/.config/systemd/user/quasar_linux.service | Systemd user service persistence file |
| File Path | ~/.config/autostart/quasar_linux.desktop | XDG autostart persistence file |
| File Path | /etc/systemd/system/quasar_linux.service | Systemd system service persistence file |
| File Path | /etc/init.d/quasar_linux | init.d script persistence file |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Monitor Process Activity: Scrutinize running processes for names that mimic legitimate kernel threads (e.g.,
[kworker/0:0],[migration/0]) but exhibit unusual behavior or resource consumption. - Inspect
/etc/ld.so.preload: Regularly audit this file for any unexpected or unauthorized entries that could be loading malicious shared libraries. - Audit Developer Endpoints: Conduct thorough audits of developer workstations and servers for suspicious shared library files and unusual activity.
- Review Cloud Credential Stores: After any suspected infection, immediately review and rotate all cloud credentials (AWS, Kubernetes, Docker, Git, NPM, PyPI) to mitigate potential supply chain compromise.
- Implement Strong Authentication: Enforce multi-factor authentication (MFA) for all developer accounts and critical systems to add an extra layer of security against credential theft.
- Enhance Logging and EDR: Deploy advanced Endpoint Detection and Response (EDR) solutions with robust logging capabilities to detect subtle indicators of compromise, especially those involving memory-resident threats and log manipulation.
- Educate Developers: Provide ongoing training to developers on identifying phishing attempts, safe software development practices, and the risks associated with untrusted third-party packages.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.