The emergence of Quasar Linux RAT (QLNX) represents a significant shift in threat actor targeting strategies. Historically, the Quasar family was a commodity Windows Remote Access Trojan (RAT). Its porting to Linux signals a deliberate pivot to target the backbone of modern infrastructure: developers and DevOps engineers.
The threat here is not just the malware itself, but the objective. By compromising developer workstations and build servers, actors aim to steal SSH keys, API tokens, and source code credentials. This is the precursor to a software supply chain attack. If an attacker can exfiltrate a legitimate developer's signing key or cloud credentials, they can inject malicious code into trusted pipelines, bypassing traditional perimeter defenses entirely. Defenders must treat this not just as an endpoint infection, but as a potential enterprise-wide compromise mechanism.
Technical Analysis
Threat Overview: QLNX is a previously undocumented Linux implant based on the architecture of the Windows-based Quasar RAT. It is designed to provide persistent remote access to Linux-based systems commonly used by software engineers.
Affected Platforms:
- Operating Systems: Linux distributions (specifically targeting Ubuntu, Debian, and CentOS common in dev environments).
- Target Roles: Software developers, DevOps engineers, release managers.
Capability & Attack Chain: Unlike standard botnet malware, QLNX includes focused espionage features:
- Initial Access: Likely delivered via malicious package repositories (typosquatting), poisoned CI/CD dependencies, or spear-phishing with weaponized dev-tools.
- Persistence: Establishes a foothold using systemd services or crontabs, often masquerading as legitimate update daemons or background compilation processes.
- Credential Harvesting: Actively searches for and exfiltrates:
- SSH keys (
~/.ssh/id_rsa,~/.ssh/authorized_keys) - Cloud provider credentials (
~/.aws/credentials,~/.config/gcloud) - SCM tokens (Git, GitHub, GitLab)
- SSH keys (
- Surveillance: Includes a keylogger and clipboard monitor to intercept passwords and 2FA codes entered manually.
- Lateral Movement & Tunneling: Creates network tunnels (SOCKS proxies) to pivot from the compromised developer workstation into internal build networks or production environments.
Exploitation Status: Active exploitation has been confirmed in the wild targeting the software supply chain. No specific CVE is associated with the RAT itself (as it is a payload, not a vulnerability), but it may exploit zero-day vulnerabilities in dev-tools to gain initial root privileges if not already present.
Detection & Response
The following detection logic is designed to identify the specific post-compromise behaviors of QLNX: accessing sensitive credential directories, establishing persistence via systemd, and executing binaries from suspicious locations.
SIGMA Rules
---
title: Potential QLNX RAT - Suspicious Access to SSH Directory
id: 8a2b1c9d-0e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects processes reading SSH private keys or config files that are not the SSH client or server itself. QLNX harvests these keys for lateral movement.
references:
- https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.credential_access
- attack.t1552.001
logsource:
product: linux
category: file_access
detection:
selection:
path|contains:
- '/.ssh/id_rsa'
- '/.ssh/id_ed25519'
- '/.ssh/config'
- '/.ssh/known_hosts'
filter_main:
process|contains:
- 'ssh'
- 'sshd'
- 'git' # Git often reads ssh config for auth
- 'ansible'
condition: selection and not filter_main
falsepositives:
- Legitimate backup software scanning home directories
- Security scanners
level: high
---
title: Potential QLNX RAT - Systemd Persistence from Writable Path
id: 9b3c2d0e-1f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects creation of systemd unit files that reference executables in temporary or user-writable directories (/tmp, /var/tmp, /dev/shm), a common persistence mechanism for Linux RATs.
references:
- https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.persistence
- attack.t1543.002
logsource:
product: linux
category: file_creation
detection:
selection:
path|contains: '/etc/systemd/system/'
path|endswith: '.service'
filter_content:
content|contains:
- 'ExecStart=/tmp'
- 'ExecStart=/var/tmp'
- 'ExecStart=/dev/shm'
condition: selection and filter_content
falsepositives:
- Legitimate developer testing of systemd services
level: critical
---
title: Potential QLNX RAT - Suspicious Network Tunneling Tool Execution
id: 0c4d3e1f-2a5b-6c7d-0e8f-3a4b5c6d7e8f
status: experimental
description: Detects execution of common network proxying/tunneling utilities often spawned by RATs for C2 or lateral movement, initiated from non-standard paths.
references:
- https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.command_and_control
- attack.t1572
logsource:
product: linux
category: process_creation
detection:
selection_tools:
process|contains:
- 'socat'
- 'nc'
- 'nmap'
- 'proxychains'
selection_suspicious_path:
exec|contains:
- '/tmp'
- '/var/tmp'
- '/dev/shm'
- '.hidden'
condition: selection_tools and selection_suspicious_path
falsepositives:
- System administration tasks from temporary directories
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for processes reading sensitive credential files
// Excludes legitimate SSH and Git operations
DeviceProcessEvents
| where Timestamp > ago(7d)
| whereFolderPath has @"/.ssh/" or FolderPath has @"/.aws/" or FolderPath has @"/.config/gcloud/"
| where not(ProcessName has "ssh"
or ProcessName has "git"
or ProcessName has "aws"
or ProcessName has "gcloud"
or ProcessName has "scp")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessName, ProcessCommandLine, FolderPath
| extend FilePath = FolderPath
| order by Timestamp desc
Velociraptor VQL
-- Hunt for QLNX Indicators: Suspicious processes accessing sensitive directories
LET sensitive_dirs = glob(globs='/root/.ssh/*', '/home/*/.ssh/id_rsa', '/home/*/.ssh/config')
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
Cwd
FROM pslist()
WHERE
-- Check if process is running from a suspicious location (common malware tactic)
Exe =~ '^/tmp/'
OR Exe =~ '^/var/tmp/'
OR Exe =~ '^/dev/shm/'
OR Name IN ('socat', 'nc', 'nmap') AND Exe NOT IN ('/usr/bin/nc', '/usr/bin/socat', '/usr/bin/nmap')
Remediation Script (Bash)
#!/bin/bash
# Security Arsenal Incident Response - QLNX RAT Response Script
# Usage: sudo ./qlnx_response.sh
echo "[*] Starting QLNX RAT Investigation and Remediation..."
# 1. Check for suspicious systemd services
echo "[*] Checking for suspicious systemd services..."
SYSTEMD_UNITS=$(grep -r "ExecStart=/" /etc/systemd/system/ /lib/systemd/system/ /run/systemd/system/ 2>/dev/null | grep -E "/tmp|/var/tmp|/dev/shm|\.hidden")
if [ -n "$SYSTEMD_UNITS" ]; then
echo "[!] Suspicious systemd units found:"
echo "$SYSTEMD_UNITS"
# Note: Manual verification required before deletion to avoid system instability
else
echo "[+] No suspicious systemd units detected."
fi
# 2. Identify processes running from /tmp, /var/tmp, or /dev/shm (High Risk)
echo "[*] Scanning for processes running from temporary directories..."
SUSP_PROCS=$(ps aux | awk '{print $11}' | grep -E "^/tmp/|^/var/tmp/|^/dev/shm/")
if [ -n "$SUSP_PROCS" ]; then
echo "[!] ALERT: Processes found running from temp directories (Potential QLNX):"
ps aux | grep -E "^/tmp/|^/var/tmp/|^/dev/shm/" | grep -v grep
echo "[!] Recommend manual investigation and killing of these PIDs."
else
echo "[+] No processes running from temp directories."
fi
# 3. Check for recent modifications to SSH keys (Indicates access/harvesting)
echo "[*] Checking for recently modified SSH keys (last 24 hours)..."
find /home/*/.ssh/ /root/.ssh/ -type f -mtime -1 -exec ls -la {} \; 2>/dev/null
# 4. Network Checks (Established connections to non-standard ports)
echo "[*] Listing established connections to non-standard high ports..."
ss -tuln | grep ESTAB | awk '{print $5}' | cut -d':' -f2 | sort -u | awk '$1 > 1024'
echo "[*] Script complete. Review output above for Indicators of Compromise."
Remediation
- Isolate Affected Hosts: Immediately disconnect compromised developer workstations or build servers from the network to prevent further exfiltration or lateral movement.
- Credential Revocation (CRITICAL): Assume all credentials on the compromised host are stolen.
- Rotate all SSH keys found on the system.
- Revoke and regenerate all API tokens (AWS, GitHub, GitLab, Azure, GCP).
- Force password resets for associated accounts.
- Re-image the System: Do not attempt to clean a Linux RAT infection by simply deleting files. QLNX likely has multiple persistence mechanisms. The only safe remediation is to wipe the drive and re-image the OS from a known-good gold image.
- Audit Source Code: Conduct a forensic review of code commits pushed from the compromised machine during the dwell time to ensure no malicious code was injected into the repository.
- Harden Dev Environments:
- Enforce the principle of least privilege for build accounts.
- Implement signing requirements for all artifacts and packages.
- Restrict outbound internet access from build servers to only necessary endpoints.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.