Attackers have found a new way to turn Linux systems into stealthy supply chain distribution hubs that are resistant to takedowns.

Researchers from Trend Micro have disclosed a new malware framework, dubbed Quasar Linux or QLNX, describing it as a modular Linux remote access trojan (RAT). What sets the campaign apart is the malware's use of a P2P mesh capability that turns individual implants into an interconnected infection network, making the campaign difficult to kill.

QLNX also combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while enabling attacker access.

“Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features,” the researchers said in a blog post. “The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.”

Defending against the threat starts with deploying detections for the indicators of compromise (IOCs) Trend Micro shared, all of which have already been applied to the protections Trend Vision One customers receive.

P2P networking and layered C2 infrastructure

The disclosure pointed at a resilient command-and-control (C2) design meant to withstand takedowns and disruption. Researchers said QLNX supports peer-to-peer (P2P) mesh networking, allowing compromised systems to communicate with one another rather than relying entirely on centralized servers.

This turns the infected Linux systems into interconnected relay points capable of maintaining communication even when portions of the infrastructure are disrupted. This is another factor contributing to the difficulty of complete elimination.

The command-and-control (C2) channel exposes a broad command set. “In total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunneling, credential harvesting, and rootkit management,” the researchers said, detailing a complete list of registered commands and their corresponding handlers.

For network communication, QLNX supports raw TCP, HTTPS, and HTTP. “All three transports carry the same underlying binary command protocol,” Trend Micro wrote. “Both the TCP and HTTPS channels are secured using TLS, ensuring that command and data exchanges are encrypted during network communication.”

Persistence through rootkits and PAM backdoors

The researchers also wrote of QLNX’s use of rootkits and Linux Pluggable Authentication Modules (PAM) to establish long-term persistence. According to Trend Micro, the malware leverages rootkit functionality to conceal malicious activity, processes, and components from administrative tools and security monitoring systems.

The malware was also observed tampering with PAM, a core Linux authentication framework responsible for handling login verification across many services. By modifying PAM components, attackers can potentially capture credentials, maintain access, or bypass authentication controls even after passwords are changed.

Trend Micro warned that these techniques make eradication significantly harder, because they preserve persistence even after the visible malware artifacts have been wiped.
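A defender's baseline check for the two persistence channels just described, an LD_PRELOAD rootkit (typically registered in /etc/ld.so.preload) and a tampered PAM stack (/etc/pam.d/*), as an added example that is not Trend Micro's tooling and not code from the article. The module allowlist, the sample config fragment and the placeholder library names are constructed for illustration; the allowlist should be tuned to your own golden image.

```python
"""
Baseline audit for two Linux persistence channels: a library forced into
every process via /etc/ld.so.preload (how an LD_PRELOAD rootkit is usually
registered) and a PAM stack referencing a module outside the expected set.

Added example, not Trend Micro's tooling. KNOWN_PAM_MODULES, SAMPLE_PAM and
SAMPLE_PRELOAD are constructed; adjust the allowlist to your own baseline.
"""
import os
import re
from typing import Iterator, List, Tuple

# Constructed baseline of PAM modules commonly present on Debian/RHEL hosts.
KNOWN_PAM_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_systemd.so", "pam_nologin.so", "pam_motd.so", "pam_loginuid.so",
    "pam_keyinit.so", "pam_succeed_if.so", "pam_faillock.so", "pam_pwquality.so",
    "pam_selinux.so", "pam_localuser.so", "pam_access.so", "pam_umask.so",
}

# "type control module [args]"; the type may carry a leading "-" and the
# control field may be a bracketed action list such as [success=1 default=ignore].
PAM_LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_pam(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (type, control, module, args) for each effective line of a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).strip()


def audit_pam(text: str, source: str = "<text>") -> List[str]:
    """Report PAM lines whose module is unknown or is loaded from an explicit path."""
    findings: List[str] = []
    for ptype, _control, module, _args in parse_pam(text):
        name = os.path.basename(module)
        if "/" in module:
            # Modules normally live in the distro's security directory and are
            # referenced by bare name; an explicit path deserves a look.
            findings.append(f"{source}: {ptype} loads {module} by explicit path")
        elif name not in KNOWN_PAM_MODULES:
            findings.append(f"{source}: {ptype} references unknown module {name}")
    return findings


def audit_preload(text: str) -> List[str]:
    """Return the libraries listed in an ld.so.preload file (on most hosts the file should not exist)."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def audit_host(pam_dir: str = "/etc/pam.d", preload: str = "/etc/ld.so.preload") -> List[str]:
    """Run both checks against the live filesystem and return all findings."""
    findings: List[str] = []
    if os.path.exists(preload):
        with open(preload) as f:
            findings += [f"{preload}: preloads {lib}" for lib in audit_preload(f.read())]
    if os.path.isdir(pam_dir):
        for name in sorted(os.listdir(pam_dir)):
            path = os.path.join(pam_dir, name)
            if os.path.isfile(path):
                with open(path, errors="replace") as f:
                    findings += audit_pam(f.read(), path)
    return findings


# Constructed samples (not real configs); the module and library names are placeholders.
SAMPLE_PAM = """\
# constructed pam.d fragment
auth    required   pam_env.so
auth    sufficient pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore] /usr/local/lib/pam_placeholder_backdoor.so
-session optional   pam_systemd.so
account required   pam_unix.so
"""
SAMPLE_PRELOAD = "/usr/local/lib/libplaceholder.so\n"

if __name__ == "__main__":
    for line in audit_host():
        print(line)
```

Run on a host, the script prints one line per finding. The allowlist approach trades false positives for coverage: a legitimate module missing from KNOWN_PAM_MODULES is reported once and then added to the baseline, whereas a PAM backdoor dropped under a fresh name or an explicit path is never silently accepted. Pair it with the package manager's file verification for the module binaries themselves.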

Modular QLNX hides through spoofed processes

Trend Micro’s analysis describes QLNX as a modular Linux malware framework engineered for stealth. It relies on a layered internal logic that allows operators to dynamically load capabilities, maintain persistence, and execute commands without raising an alarm.

One particular feature highlighted by the researchers was the malware’s process spoofing behavior. It hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine administrative workflows.

“The malware attempts to evade detection by randomly selecting one of the fake kernel thread names,” the researchers said, adding that the names attempt to mimic legitimate kernel threads like “Kernel worker thread”, “CPU migration thread”, and “RCU scheduling thread,” among others. Once a name is selected, “QLNX applies the name consistently across three process metadata locations to ensure consistency across all process inspection tools,” they added.

The malware also embraces the ongoing trend of fileless delivery. “Upon execution, QLNX copies itself into an in-memory file, re-executes from that memory copy, and deletes the original binary from disk, leaving no on-disk footprint,” the disclosure added.
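The two evasion behaviours above, kernel-thread name spoofing and fileless re-execution from memory, leave properties that renaming cannot hide: a real kernel thread has no executable image, no memory mappings, an empty command line and is parented by kthreadd (PID 2), while a binary executed from a memfd or unlinked after launch shows a "(deleted)" exe link. The following hunt script is an added example, not Trend Micro's tooling and not code from the article; the name pattern and the SAMPLES records are constructed.

```python
"""
Hunt /proc for user-space processes carrying a kernel-thread-style name and
for processes whose executable lives only in memory or was deleted from disk.

Added example, not Trend Micro's tooling. KERNEL_NAME_RE is a constructed
approximation of common kernel-thread names; SAMPLES are constructed records.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd

# Constructed approximation of kernel-thread naming; extend for your kernels.
KERNEL_NAME_RE = re.compile(r"^(kworker|migration|rcu_|ksoftirqd|kthreadd|cpuhp|watchdog|kswapd)")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str        # /proc/PID/comm (same value as the Name: field in status)
    cmdline: str     # /proc/PID/cmdline with NULs replaced by spaces
    exe: str         # readlink(/proc/PID/exe); "" when the link is unreadable
    has_maps: bool   # whether /proc/PID/maps contains any mapping


def classify(p: ProcInfo) -> List[str]:
    """Return the reasons this process looks suspicious (empty list if none)."""
    findings: List[str] = []
    looks_kernel = KERNEL_NAME_RE.match(p.comm) is not None
    # Renaming comm and argv[0] does not give a user-space process the traits
    # of a kernel thread: no exe, no maps, empty cmdline, parent kthreadd.
    user_space_traits = bool(p.exe or p.has_maps or p.cmdline)
    parented_by_kthreadd = p.pid == KTHREADD_PID or p.ppid == KTHREADD_PID
    if looks_kernel and (user_space_traits or not parented_by_kthreadd):
        findings.append("kernel-thread name on a user-space process")
    # A binary run from memfd_create() reads back as "/memfd:<name> (deleted)";
    # a binary unlinked after launch keeps its old path with " (deleted)" appended.
    if p.exe.startswith("/memfd:") or p.exe.endswith(" (deleted)"):
        findings.append("executable is in-memory or deleted from disk")
    return findings


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields above from /proc; None if the process vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # ENOENT for kernel threads, EACCES for processes we may not inspect
    try:
        with open(f"{base}/maps") as f:
            has_maps = bool(f.readline())
    except OSError:
        has_maps = False
    return ProcInfo(pid, ppid, comm, cmdline, exe, has_maps)


def scan(procs: Iterable[ProcInfo]) -> Dict[int, List[str]]:
    """Map PID -> findings for every suspicious process in the given records."""
    results: Dict[int, List[str]] = {}
    for p in procs:
        reasons = classify(p)
        if reasons:
            results[p.pid] = reasons
    return results


def scan_host() -> Dict[int, List[str]]:
    """Walk the live /proc (Linux only) and return the suspicious processes."""
    infos = (read_proc(int(e)) for e in os.listdir("/proc") if e.isdigit())
    return scan(p for p in infos if p is not None)


# Constructed sample records (not captured from a real infection).
SAMPLES = [
    ProcInfo(17, 2, "kworker/0:1", "", "", False),                                  # genuine kernel thread
    ProcInfo(4242, 1, "kworker/u8:3", "kworker/u8:3", "/memfd:x (deleted)", True),  # spoofed name, in-memory exe
    ProcInfo(1312, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd", True),         # ordinary daemon
]

if __name__ == "__main__":
    for pid, why in scan_host().items():
        print(pid, "; ".join(why))
```

Run as root so /proc/PID/exe and maps are readable for every process; unprivileged runs silently treat other users' processes as having no exe, which weakens the first check. A user-space rootkit that hides the process from readdir on /proc defeats this walk, so corroborate with a source the rootkit does not filter (for example, sockets attributed to unlisted PIDs or a live-response tool run from a trusted image).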

Trend Micro added a list of IOCs, including file hashes, hardcoded passwords, credential harvest targets, and other compilation and persistence artifacts, to support detection efforts.
