Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
NSA Warns of Russian Hacking Exploiting Cisco Smart Install Vulnerability
July 13, 2026
Active Directory Accounts Enumerated via PowerShell Script
July 13, 2026
Debian 13 Trixie Released With Security Updates
July 13, 2026
Home/Threats/QLNX Credential Theft Malware Targets Developers in Supply Chain Attacks
Threats

QLNX Credential Theft Malware Targets Developers in Supply Chain Attacks

Key Takeaways A new, stealthy Linux malware named QLNX has been discovered, specifically designed for credential theft. QLNX targets software developers, aiming to compromise software supply chains...

David kimber
David kimber
May 6, 2026 5 Min Read
50 0

Key Takeaways

  • A new, stealthy Linux malware named QLNX has been discovered, specifically designed for credential theft.
  • QLNX targets software developers, aiming to compromise software supply chains by stealing critical authentication tokens and keys.
  • The malware employs advanced evasion techniques, including in-memory execution, process masquerading, log wiping, and a sophisticated PAM backdoor.
  • It can harvest a wide array of sensitive data, including SSH keys, browser logins, cloud configuration files (AWS, Kubernetes), Docker credentials, Git, NPM, and PyPI tokens.

A sophisticated and previously unknown Linux threat, dubbed QLNX, has emerged, posing a significant risk to global software supply chains by specifically targeting developers. This credential-stealing malware, detailed in a comprehensive report by researchers at Trend Micro, functions as a full-featured remote access trojan (RAT) engineered for Linux environments. Its blend of stealth and targeted credential exfiltration marks it as one of the more dangerous Linux implants observed in recent years.

Table Of Content

  • Key Takeaways
  • QLNX Targets Developers for Supply Chain Access
  • Stealth, Persistence, and PAM Backdoor
  • Indicators of Compromise (IoCs)
  • What You Should Do

The infection process for QLNX is designed for minimal footprint. The malware executes entirely within memory, copying itself to a RAM-backed file before erasing its original binary from disk, leaving no persistent trace on the hard drive. To further evade detection, QLNX disguises its running processes by mimicking legitimate Linux kernel threads, such as [kworker/0:0] or [migration/0], making it difficult for even vigilant administrators to identify unusual activity.

QLNX internal architecture (Source - Trend Micro)
QLNX internal architecture (Source – Trend Micro)

Trend Micro researchers uncovered and analyzed QLNX after their AI-driven threat hunting platform flagged an unusual Linux implant with remarkably low detection rates. Their analysis revealed that the malware embeds the source code for both its rootkit and PAM backdoor directly within its binary. These components are then compiled at runtime using the system’s own GCC compiler and loaded via /etc/ld.so.preload to intercept system-wide activities.

QLNX’s capabilities are extensive and deeply concerning. It performs a multi-stage credential harvesting operation, systematically collecting SSH private keys, browser login databases, cloud configuration files for AWS and Kubernetes, Docker credentials, Git tokens, NPM tokens, PyPI API keys, and any .env files it locates. All exfiltrated data is then securely transmitted to the attacker’s command-and-control server over an encrypted connection. The malware also incorporates peer-to-peer mesh networking functionality, allowing each compromised system to relay commands to other infected hosts, complicating eradication efforts.

QLNX Targets Developers for Supply Chain Access

The most critical aspect of QLNX is its potential for downstream impact. Developers represent high-value targets because their credentials can unlock publishing pipelines for packages utilized by countless users. By pilfering NPM and PyPI authentication tokens, QLNX grants its operators the ability to inject malicious packages into trusted registries without immediately raising suspicion, potentially triggering widespread software supply chain attacks.

Four-step handshake sequence before entering the command loop (Source - Trend Micro)
Four-step handshake sequence before entering the command loop (Source – Trend Micro)

Supply chain attacks leveraging open-source ecosystems like PyPI and npm have become increasingly effective for threat actors. A single compromised maintainer account could be used to backdoor legitimate packages, inject malicious code into build artifacts, or pivot into cloud environments hosting production infrastructure. The ripple effect from one infected developer machine can lead to catastrophic damage across an organization’s digital footprint.

Furthermore, QLNX actively harvests SSH keys to facilitate lateral movement to other servers within a user’s known host chain. This enables the initial compromise to silently propagate to cloud instances and CI/CD pipelines long before any warning signs appear. The malware’s ability to delete system logs, including auth.log, syslog, and bash_history, significantly hinders forensic investigations post-infection.

Stealth, Persistence, and PAM Backdoor

QLNX employs extensive measures to ensure its stealth and persistence across reboots. It establishes persistence through multiple mechanisms, including systemd services, crontab entries, init.d scripts, and modifications to the user’s .bashrc file. This multi-layered approach ensures that even if one persistence method is discovered and removed, the others will automatically restart the malware, making complete eradication exceedingly challenging.

One of QLNX’s most technically advanced components is its PAM backdoor. The Pluggable Authentication Module (PAM) system handles user authentication on Linux. QLNX injects a malicious PAM module that intercepts credentials in plaintext during user authentication. These captured passwords are then stored in a hidden log file at /var/log/.ICE-unix, secured with XOR encryption.

The malware also includes an eBPF-based kernel rootkit, which conceals its process IDs, file names, and network ports at the kernel level. This renders standard system monitoring tools like ps, top, or netstat ineffective at detecting the malware. The combination of in-memory execution, log wiping, and PAM interception creates a formidable threat that is difficult to detect even on systems with robust monitoring. Organizations operating Linux developer environments should prioritize this concern and immediately review their endpoint visibility practices.


Indicators of Compromise (IoCs):

Type Indicator Description
SHA-256 ea1d34b21b739a6bbf89b3f7e67978005cf7f3eda612cefc7eac1c8ead7c5545 Quasar-implant binary
SHA-256 82DAA93219BA40A6E41CDF3174BA57EB5D3383D1CD805584E9954EB0200182A1 libsecurity_utils.so.1 (LD_PRELOAD rootkit)
SHA-256 42D0C420EB5FE181388F2E4F0B7D7C0D302971E7A06FDC1BEC481B68C8CCAE1F pam_security.so (PAM backdoor)
SHA-256 C99CF0DC1EF1057D713CB082ACAF42E4DF4656809C91741752BDDCAB39BBFACA hide_src_39ZoR.cb
SHA-256 CEA89CAAB82181881D971BE312412795051F6322B105C8B9D29CFB5729FAB8D33 pam_src_51yC3.f
SHA-256 F417430b2d4ae8d005224a9ff5dcb4007d452338acbcbcbb62c4e8ed1a70552dd libpam_cache.so
SHA-256 d55549d5655e2f202e215676f4bdb0994ea08a93d15ec4ded413f64cfa7facc8 pcs_3kf9x.c
MD5 570f707430f28a7ab836d1c659333152ab9a quasar-implant (MD5)
SHA-1 b0f2c668cbdd63a87c1c090c95b2c6f9c3e9c3111158752e quasar-implant (SHA-1)
File Path /usr/lib/libsecurity_utils.so.1 LD_PRELOAD rootkit shared object
File Path /usr/lib/.libpam_cache.so PAM credential hook shared object
File Path /etc/ld.so.preload Modified to load rootkit and PAM hook
File Path /tmp/.pam_cache Plaintext credential log
File Path /var/log/.Test-unix Hidden log for captured SSH passwords
File Path /var/log/.ICE-unix Hidden log for captured PAM passwords
File Path /tmp/.X752e2ca1-lock Single-instance mutex lock file
File Path ~/.config/systemd/user/quasar_linux.service Systemd user service persistence file
File Path ~/.config/autostart/quasar_linux.desktop XDG autostart persistence file
File Path /etc/systemd/system/quasar_linux.service Systemd system service persistence file
File Path /etc/init.d/quasar_linux init.d script persistence file

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Monitor Process Activity: Scrutinize running processes for names that mimic legitimate kernel threads (e.g., [kworker/0:0], [migration/0]) but exhibit unusual behavior or resource consumption.
  • Inspect /etc/ld.so.preload: Regularly audit this file for any unexpected or unauthorized entries that could be loading malicious shared libraries.
  • Audit Developer Endpoints: Conduct thorough audits of developer workstations and servers for suspicious shared library files and unusual activity.
  • Review Cloud Credential Stores: After any suspected infection, immediately review and rotate all cloud credentials (AWS, Kubernetes, Docker, Git, NPM, PyPI) to mitigate potential supply chain compromise.
  • Implement Strong Authentication: Enforce multi-factor authentication (MFA) for all developer accounts and critical systems to add an extra layer of security against credential theft.
  • Enhance Logging and EDR: Deploy advanced Endpoint Detection and Response (EDR) solutions with robust logging capabilities to detect subtle indicators of compromise, especially those involving memory-resident threats and log manipulation.
  • Educate Developers: Provide ongoing training to developers on identifying phishing attempts, safe software development practices, and the risks associated with untrusted third-party packages.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical MajorDoMo RCE Vulnerability (CVE-2024-XXXX) Lets Attackers Execute Code

Next Post

CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Worm Could Regenerate Exploits, Adapt to Defenses in Real Time
July 13, 2026
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us