Security researchers have identified a new, sophisticated threat targeting the Linux ecosystem: the Quasar Linux RAT (QLNX). As a fileless Remote Access Trojan, QLNX represents a significant escalation in risk for development and DevOps environments. Unlike traditional malware that relies on persistent binaries on disk, QLNX operates primarily in memory, making it notoriously difficult to detect using standard file-scanning AV signatures.
The objective of QLNX is clear: espionage and persistence. By targeting developers, the threat actors aim to harvest high-value credentials, SSH keys, and intellectual property. The malware features keylogging, clipboard monitoring, file manipulation, and network tunneling capabilities. For defenders, this means the threat is not just a nuisance but a potential precursor to supply chain compromise or lateral movement into production environments. Immediate action is required to audit Linux workstations and servers for signs of this implant.
Technical Analysis
Affected Platforms: Linux distributions commonly used in development environments (Ubuntu, Debian, CentOS, Fedora).
Threat Type: Fileless Linux RAT / Remote Access Trojan.
Attack Chain and Mechanism: QLNX is designed to evade standard file-based detection mechanisms. Its "fileless" nature typically implies that the malicious payload is injected into a running process or loaded directly into memory and then the original dropper file is deleted (unlinked) from the disk.
- Initial Access: While the specific vector for QLNX is often trojanized development tools or malicious packages, it generally requires user execution or a script interpreter.
- Execution & Stealth: The malware executes in memory. It may hook into system libraries or utilize reflective loading to stay off the disk.
- Persistence: To survive reboots despite being fileless, QLNX likely establishes persistence through mechanisms like systemd services, cron jobs, or ld.so.preload hijacking, ensuring the malicious code is re-injected into memory at startup.
- C2 & Tunneling: QLNX establishes reverse shells or tunnels (likely using standard ports like 80/443 or obscure ports to bypass firewalls) to a Command and Control (C2) server, allowing remote code execution (RCE).
Exploitation Status: Confirmed active exploitation targeting developers.
Detection & Response
Given the fileless nature of QLNX, signature-based detection is insufficient. Defenders must rely on behavioral analysis, memory forensics, and anomaly detection regarding process lineage.
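As an added example (not code from the original analysis), here are the two process-lineage checks the Sigma rules below express, written in Python over a constructed process snapshot; snapshot_proc() reads the same fields from a live /proc. The names Proc, SAMPLE and the helper functions are my own.

```python
import os
from collections import namedtuple
from pathlib import Path
DEV_TOOLS = {"npm", "pip", "pip3", "git"}            # parents named in the Sigma rule below
SHELLS = {"sh", "bash", "dash", "python", "python3"}  # children that should not appear beneath them
# exe is readlink(/proc/<pid>/exe); the kernel appends " (deleted)" once the file is unlinked
Proc = namedtuple("Proc", "pid ppid exe cmdline")

def exe_name(p):
    return os.path.basename(p.exe.replace(" (deleted)", ""))

def find_fileless(procs):
    """PIDs still executing a binary that no longer exists on disk."""
    return [p.pid for p in procs if p.exe.endswith(" (deleted)")]

def find_devtool_shells(procs, max_depth=3):
    """(child pid, dev-tool ancestor pid) for each shell/interpreter whose lineage,
    walked up to max_depth parents, passes through npm/pip/git."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if exe_name(p) not in SHELLS:
            continue
        parent, depth = by_pid.get(p.ppid), 0
        while parent is not None and depth < max_depth:
            if exe_name(parent) in DEV_TOOLS:
                hits.append((p.pid, parent.pid))
                break
            parent, depth = by_pid.get(parent.ppid), depth + 1
    return hits

def snapshot_proc():
    """Live snapshot from /proc (Linux only); entries that vanish mid-read are skipped."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{d}/exe")
            stat = Path(f"/proc/{d}/stat").read_text()  # "pid (comm) state ppid ..."; comm may hold spaces
            cmd = Path(f"/proc/{d}/cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue
        procs.append(Proc(int(d), int(stat.rsplit(")", 1)[1].split()[1]), exe, cmd.strip()))
    return procs

# Constructed sample snapshot (not real telemetry): an npm postinstall chain and an unlinked agent
SAMPLE = [
    Proc(2100, 1, "/usr/bin/npm", "npm install"),
    Proc(2101, 2100, "/usr/bin/dash", "sh -c node postinstall.js"),
    Proc(2102, 2101, "/usr/bin/node", "node postinstall.js"),
    Proc(2103, 2102, "/usr/bin/bash", "bash -c id"),
    Proc(2104, 1, "/tmp/.x/agent (deleted)", "./agent"),
    Proc(2200, 1, "/usr/bin/bash", "-bash"),
]
```

On a real host, run find_fileless(snapshot_proc()) and find_devtool_shells(snapshot_proc()) as root so every /proc entry is readable.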
Sigma Rules
The following Sigma rules focus on the behavioral indicators of a fileless Linux implant and suspicious process lineage common in dev-targeting malware.
---
title: Linux Fileless Process Execution
id: 8a4c2d1e-5f6a-4b7c-9e1d-2f3a4b5c6d7e
status: experimental
description: Detects processes where the executable path indicates the file has been deleted from disk, a common technique for fileless malware like QLNX.
references:
  - https://securityaffairs.com/191898/malware/quasar-linux-rat-qlnx-a-fileless-linux-implant-built-for-stealth-and-persistence.html
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.defense_evasion
  - attack.t1055
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    # Image is the standard Sigma process_creation field for the executable path
    Image|contains: '(deleted)'
  condition: selection
falsepositives:
  - Legitimate updates where packages were replaced during execution (rare)
level: high
---
title: Linux Dev Tool Spawning Shell
# The id below is not a valid UUID as published; regenerate it (e.g. uuidgen) before loading, or Sigma validation rejects the rule
id: 9b5d3e2f-6a7b-5c8d-0f2e-3g4h5i6j7k8l
status: experimental
description: Detects suspicious child processes (shells) spawned by common development tools (npm, pip, git), which may indicate a supply chain or trojanized package attack.
references:
  - https://securityaffairs.com/191898/malware/quasar-linux-rat-qlnx-a-fileless-linux-implant-built-for-stealth-and-persistence.html
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '/npm'
      - '/pip'
      - '/pip3'
      - '/git'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
      - '/python'
      - '/python3'
  condition: selection
falsepositives:
  - Legitimate build scripts executing shell commands
level: medium
---
title: Linux Systemd Persistence in Temp Directory
id: 1c2b3a4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects systemd units pointing to executables in temporary directories (/tmp, /dev/shm), a common persistence mechanism for Linux RATs.
references:
  - https://attack.mitre.org/techniques/T1543/002/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.persistence
  - attack.t1543.002
logsource:
  product: linux
  category: file_event
detection:
  # file_event exposes only the path of the written file, not its ExecStart line. This selection
  # fires on every new unit under /etc/systemd/system/, and the filter below never matches such a path,
  # so confirm what the unit actually launches with the VQL or bash checks further down.
  selection:
    TargetFilename|startswith: '/etc/systemd/system/'
    TargetFilename|endswith: '.service'
  filter:
    TargetFilename|contains:
      - '/bin/'
      - '/sbin/'
      - '/usr/'
      - '/opt/'
  condition: selection and not filter
falsepositives:
  - Administrator creating custom test services (rare in prod)
level: high
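The file_event rule above can only see the unit file's path, not what ExecStart launches. The following added Python (not code from the page or the original analysis) parses unit-file text and systemctl show output for Exec* lines that start a binary from /tmp or /dev/shm (with /var/tmp added), handling systemd's prefix characters, multi-command lines and the { path=... } output format; the sample unit text is constructed.

```python
import os
import re
import shlex
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # /var/tmp added to the page's /tmp and /dev/shm
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload")
UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system", "/usr/lib/systemd/system")

def exec_binaries(text):
    """Yield (directive, binary) for every Exec* line in unit-file text or in
    'systemctl show' output. Strips systemd's -/@/:/+/!/!! prefixes, splits
    multi-command lines on ' ; ' and reads the path= field of '{ path=... }' values."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in EXEC_KEYS:
            continue
        if value.startswith("{"):                      # systemctl show -p ExecStart format
            m = re.search(r"path=(\S+)", value)
            if m:
                yield key, m.group(1)
            continue
        for cmd in value.split(" ; "):
            parts = shlex.split(cmd)
            if parts:
                yield key, parts[0].lstrip("-@:+!")

def suspicious_exec(text):
    """Exec* binaries that live in a world-writable temp directory."""
    return [(k, b) for k, b in exec_binaries(text) if b.startswith(TEMP_DIRS)]

def scan_unit_dirs(dirs=UNIT_DIRS):
    """Walk the real unit directories (Linux only); returns (file, directive, binary) hits."""
    hits = []
    for d in dirs:
        for name in os.listdir(d) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            if path.endswith(".service") and os.path.isfile(path):
                with open(path, errors="replace") as f:
                    hits += [(path, k, b) for k, b in suspicious_exec(f.read())]
    return hits

# Constructed samples (not from a real incident): a unit file and 'systemctl show -p ExecStart' output
SAMPLE_UNIT = """[Unit]
Description=Update helper
[Service]
ExecStartPre=-/usr/bin/mkdir -p /run/helper
ExecStart=/dev/shm/.cache/helper --daemon
ExecReload=/bin/kill -HUP $MAINPID ; /tmp/.helper/reload
"""
SAMPLE_SHOW = "ExecStart={ path=/tmp/.x/agent ; argv[]=/tmp/.x/agent -q ; ignore_errors=no ; pid=0 }"
```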
KQL (Microsoft Sentinel / Defender)
This query hunts for the core fileless indicator: running processes whose underlying executable file has been deleted. It also checks for network connections established by suspicious parent processes.
// Hunt for fileless processes (exe path contains deleted)
// Ingestion via DeviceProcessEvents (Defender for Endpoint) or Syslog
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath contains "(deleted)"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend AlertDetails = "Fileless execution detected - process running from deleted path"
// Union with suspicious network connections from dev tools
| union (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("npm", "pip", "node", "python", "unknown")
    // RemoteIPType carries values such as Public, Private, Reserved and Loopback; "Public" is the internet-bound case
    | where RemotePort in (443, 80, 8080) or RemoteIPType == "Public"
    | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
    | extend AlertDetails = "Suspicious network activity from dev tool"
)
| order by Timestamp desc
Velociraptor VQL
This VQL artifact is designed for live response. It hunts for processes marked as "deleted" (fileless) and checks for persistence in ld.so.preload and systemd.
// Hunt for Fileless Processes and Persistence Mechanisms
// 1. Processes whose backing binary has been unlinked (the exe link ends in "(deleted)")
SELECT Pid, Name, Exe, CommandLine, Cwd, Username
FROM pslist()
WHERE Exe =~ ' [(]deleted[)]$'

// 2. ld.so.preload persistence (often used for stealth): any non-empty file deserves review
SELECT OSPath, Size, Mode, Mtime, read_file(filename=OSPath) AS Contents
FROM glob(globs='/etc/ld.so.preload')

// 3. Systemd unit files whose ExecStart points to a temp directory
// (read from the unit files directly so that only built-in plugins are needed)
SELECT OSPath, Mtime,
       parse_string_with_regex(string=read_file(filename=OSPath),
                               regex='(?m)^ExecStart(Pre|Post)?=(?P<ExecStart>.+)$').ExecStart AS ExecStart
FROM glob(globs=['/etc/systemd/system/*.service', '/run/systemd/system/*.service'])
WHERE ExecStart =~ '/tmp/|/dev/shm/'
Remediation Script (Bash)
Use this script on suspected Linux endpoints to hunt for indicators of QLNX or similar fileless implants and flag suspicious persistence mechanisms for removal.
#!/bin/bash
# Security Arsenal - Linux Threat Hunting & Remediation Script
# Usage: sudo ./hunt_qlnx.sh
# Reports indicators only; review every ALERT before removing anything.
echo "[*] Starting QLNX/Linux RAT Hunt..."

# 1. Check for processes with deleted executables (Fileless Indicator)
echo "[+] Checking for fileless processes (deleted exe)..."
for proc in /proc/[0-9]*; do
    pid=${proc#/proc/}
    exe_path=$(readlink "$proc/exe" 2>/dev/null) || continue   # kernel threads and unreadable entries are skipped
    if [[ "$exe_path" == *"(deleted)"* ]]; then
        cmd=$(tr '\0' ' ' < "$proc/cmdline")
        echo "ALERT: PID $pid is running with deleted binary: $exe_path"
        echo "Command: $cmd"
    fi
done

# 2. Check for ld.so.preload tampering
printf '\n[+] Checking /etc/ld.so.preload...\n'
if [ -s /etc/ld.so.preload ]; then
    echo "ALERT: /etc/ld.so.preload exists and is not empty. Contents:"
    cat /etc/ld.so.preload
else
    echo "No suspicious preload detected."
fi

# 3. Audit Systemd services for obscure paths
# 'systemctl show -p ExecStart' prints "{ path=/x ; argv[]=... }", so match the whole value rather than its first word
printf '\n[+] Auditing Systemd services for /tmp or /dev/shm references...\n'
systemctl list-units --all --type=service --no-legend --plain | awk '{print $1}' | while read -r unit; do
    exec_val=$(systemctl show -p ExecStart --value "$unit" 2>/dev/null)
    if [[ "$exec_val" == *"/tmp/"* ]] || [[ "$exec_val" == *"/dev/shm/"* ]]; then
        echo "ALERT: Suspicious Service $unit: $exec_val"
    fi
done

# 4. Check for suspicious Cron jobs (per-user crontabs plus the system cron files)
printf '\n[+] Checking Cron jobs...\n'
check_cron_line() {   # $1 = source label, $2 = crontab line
    case "$2" in
        *"/tmp"*|*"/dev/shm"*|*curl*|*wget*|*"bash -i"*) echo "ALERT: Suspicious Cron in $1: $2" ;;
    esac
}
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -u "$user" -l 2>/dev/null | grep -v '^#' | while read -r line; do
        check_cron_line "$user" "$line"
    done
done
cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -v '^#' | while read -r line; do
    check_cron_line "system cron" "$line"
done
echo "[*] Hunt complete. Review alerts above."
Remediation
To effectively remediate and protect against QLNX and similar Linux RATs, organizations must implement the following steps immediately:
- Isolate and Re-image: Due to the fileless nature of QLNX, simple file deletion is insufficient. If a host is confirmed compromised, the only guaranteed method of remediation is to isolate the system from the network and re-image the operating system from known clean media. Restoring from a backup taken after the initial compromise will simply reinstate the infection.
- Audit Supply Chain: Since QLNX targets developers, audit all external packages, dependencies, and repositories used by your development teams. Block access to untrusted or public package repositories that are not strictly necessary.
- Harden Persistence Vectors:
  - File Integrity Monitoring (FIM): Implement FIM on critical system paths (/etc/systemd/system/, /etc/cron.d/, /etc/ld.so.preload).
  - Restrict ld.so.preload: If not required by specific applications, null the file or set immutable attributes (chattr +i /etc/ld.so.preload) to prevent modification.
- Update EDR Capabilities: Ensure your Endpoint Detection and Response (EDR) solution is configured to scan for memory-resident malware and can detect execution from unlinked binaries (fileless execution).
Official References:
- Original Analysis: Security Affairs - Quasar Linux RAT
- MITRE ATT&CK for Linux: MITRE ATT&CK Matrix