QLNX Linux RAT targets DevOps
- Trend Micro researchers disclosed Quasar Linux, or QLNX, a newly documented Linux RAT built to compromise developer machines and steal software supply-chain secrets.
- The malware hunts `.npmrc`, `.pypirc`, AWS, Kubernetes, Docker, Vault, Terraform, and GitHub CLI credentials, then compiles rootkit components on-host with `gcc`.
- It matters because one infected DevOps box can become a path into package registries, cloud accounts, and CI/CD pipelines.
Linux malware usually gets framed as a server problem. QLNX is different — it goes after the people and machines that publish code, hold cloud tokens, and push releases. That changes the stakes fast. A compromised developer laptop or build box is not just one endpoint. It can become a shortcut into npm, PyPI, AWS, Kubernetes, Docker, and internal CI/CD systems. (trendmicro.com)

### What is QLNX?

QLNX — also called Quasar Linux — is a newly documented Linux remote-access trojan with a lot packed into it: remote control, credential theft, persistence, stealth, a PAM backdoor, and rootkit behavior. Trend Micro published the main analysis on May 4, 2026, after its hunting systems flagged an unusual low-detection Linux(trendmicro.com)ironments. (trendmicro.com)

### Why are developers the real target?

Because developers sit on the keys to the kingdom. QLNX looks for the exact files that let someone publish packages, access cloud accounts, and move through deployment systems — things like `.npmrc`, `.pypirc`, `.git-credentials`, `.aws/credentials`, `.kube/config`, Docker config files, Vault tokens, (trendmicro.com). They can slip in through the software delivery chain instead. (trendmicro.com)

### How does it stay so hard to spot?

The big trick is that QLNX tries to leave as little behind on disk as possible. It re-executes from an in-memory copy, deletes the original file, spoofs process names to resemble kernel worker threads, and wipes clues from its environment. That means a lot of traditional file-based scanning has less to (trendmicro.com)oise. (trendmicro.com)

### What makes the rootkit angle important?

QLNX does not just arrive with every stealth component prebuilt. Trend Micro says it carries C source code for its PAM backdoor and LD_PRELOAD rootkit as strings inside the malware, then compiles those pieces on the infected host with `gcc`. That is clever for two reasons — it reduces static signa(trendmicro.com)g authentication, which gives attackers another path beyond token theft. (trendmicro.com)

### Does it only steal credentials?

No — it is a full RAT. Reports describe command execution, file management, tunneling, SOCKS proxying, SSH-based lateral movement, keylogging, clipboard monitoring, and screenshot capture. There is also a peer-to-peer mesh feature, which means infected machines can help form a more resilient network inste(trendmicro.com)hole operation. (trendmicro.com)

### Why is this a supply-chain story?

Because the likely payoff is downstream compromise. If an attacker steals a maintainer token or CI secret, they may be able to publish a poisoned package, alter a build pipeline, or pivot into cloud infrastructure tied to releases. One infected workstation can ripple outward to customers, users, and dep(trendmicro.com)s the developer environment itself. (trendmicro.com)

### So what should teams take from this?

The lesson is not just “scan Linux harder.” It is that developer endpoints and build systems now deserve the same paranoia as production. Secrets should be short-lived, tightly scoped, and rotated often. Package publishing should use stronger controls like hardware-backed auth where possible. And any Linux host with compiler tools, cloud creds, and repo access is now a prime target — not a side system. (trendmicro.com)

### Bottom line

QLNX matters because it aims at the control plane of modern software. Not the app. Not the server. The people and machines that ship the code. Once attackers start there, the blast radius gets much bigger.
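The stealth tricks described under "How does it stay so hard to spot?" (re-executing from memory, deleting the original file, spoofing kernel worker thread names) each leave a mismatch that a defender can check from `/proc`. The script below is an added example written for this page; it is not Trend Micro's detection logic and the heuristics are assumptions: a genuine kernel thread has `kthreadd` (pid 2) as its parent, no readable `/proc/<pid>/exe` link, and an empty `cmdline`, while a binary unlinked after exec shows an `exe` link ending in ` (deleted)`. The sample process records are constructed to exercise both cases.

```python
"""Flag user-space processes that masquerade as kernel threads or that run
from a deleted executable.

Added example for this article (not the malware author's or Trend Micro's
code). Heuristics are assumptions about how real kernel threads appear in
/proc: parent pid 2, no exe link, empty cmdline."""
import os
import re
from dataclasses import dataclass

KTHREADD_PID = 2
# Prefixes commonly used by real kernel threads (assumed list, not exhaustive).
KERNEL_NAME_RE = re.compile(
    r"^(kworker|ksoftirqd|kswapd|kthreadd|migration|rcu_|cpuhp|kcompactd|"
    r"khugepaged|jbd2|watchdog)"
)
DELETED_REASON = "executable deleted after exec (runs from memory only)"
SPOOF_REASON = "kernel-thread name but user-space parent or executable"


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    exe: str       # readlink(/proc/<pid>/exe); "" when unreadable (kernel threads)
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def looks_like_kernel_thread(p: Proc) -> bool:
    """True if the name imitates a kernel thread (comm prefix or [bracketed] cmdline)."""
    bracketed = p.cmdline.startswith("[") and p.cmdline.endswith("]")
    return bool(KERNEL_NAME_RE.match(p.comm)) or bracketed


def audit(procs):
    """Return [(pid, comm, [reasons])] for processes that fail the checks."""
    findings = []
    for p in procs:
        reasons = []
        # kthreadd itself is parented by pid 0, so exempt it explicitly.
        if (p.pid != KTHREADD_PID and looks_like_kernel_thread(p)
                and (p.ppid != KTHREADD_PID or p.exe)):
            reasons.append(SPOOF_REASON)
        if p.exe.endswith(" (deleted)"):
            reasons.append(DELETED_REASON)
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


def read_live_procs():
    """Collect Proc records from the running host's /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # stat layout: "pid (comm) state ppid ..."; split after the last ')'
            ppid = int(stat.rsplit(")", 1)[1].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except (OSError, ValueError, IndexError):
            continue  # process exited mid-read or unreadable entry
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


# Constructed sample: two real kernel threads, one normal daemon, one spoofed
# "kworker" with a user-space parent and a deleted binary, one deleted-exe shell.
SAMPLE = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(17, 2, "kworker/0:1", "", ""),
    Proc(812, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(4242, 1, "kworker/u8:1", "/tmp/.x (deleted)", "[kworker/u8:1]"),
    Proc(4243, 812, "bash", "/home/dev/.cache/.bin (deleted)", "bash"),
]

if __name__ == "__main__":
    for pid, comm, reasons in audit(SAMPLE):
        print(f"SAMPLE pid={pid} comm={comm}: {'; '.join(reasons)}")
    if os.path.isdir("/proc"):
        for pid, comm, reasons in audit(read_live_procs()):
            print(f"LIVE pid={pid} comm={comm}: {'; '.join(reasons)}")
```

On the constructed sample only pids 4242 and 4243 are reported; a live run against `/proc` will also surface benign cases (packages upgraded while their daemon kept running show ` (deleted)` too), so treat hits as triage leads rather than verdicts.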
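The takeaway section argues that secrets on developer hosts should be short-lived and tightly scoped. A concrete first step is to inventory the very files the article says QLNX hunts and separate those holding a long-lived plaintext secret from those that delegate to a credential helper or exec plugin. The script below is an added example for this page, not project or vendor code; the marker strings that distinguish a static secret (`_authToken=`, `aws_secret_access_key`, a `token:` in a kubeconfig, an `"auth"` entry in Docker's config) from helper-backed configuration (`credential_process`, `exec:`, `credsStore`/`credHelpers`) are assumptions, and `build_sample_home` constructs a throwaway home directory with fake values so the audit runs offline.

```python
"""Inventory developer credential files and classify each as a static
plaintext secret, helper-backed configuration, or merely present.

Added example for this article (not Trend Micro's or any project's code).
TARGETS lists the files the article names; the marker strings are assumptions."""
import json
import os
import tempfile
from pathlib import Path

# rel path -> (markers implying a static secret, markers implying a helper)
TARGETS = {
    ".npmrc": (["_authToken=", "_auth="], []),
    ".pypirc": (["password"], []),
    ".git-credentials": (["://"], []),           # plaintext by design
    ".aws/credentials": (["aws_secret_access_key"], ["credential_process"]),
    ".kube/config": (["token:", "client-key-data:"], ["exec:"]),
    ".docker/config.json": (['"auth"'], ['"credsStore"', '"credHelpers"']),
}


def classify(text: str, static_markers, helper_markers) -> str:
    """Static secrets win over helper markers: a file with both still leaks."""
    if any(m in text for m in static_markers):
        return "static-secret"
    if any(m in text for m in helper_markers):
        return "helper-backed"
    return "present"


def inventory(home) -> dict:
    """Return {relative path: classification} for every target file that exists."""
    report = {}
    for rel, (static_m, helper_m) in TARGETS.items():
        path = Path(home) / rel
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        report[rel] = classify(text, static_m, helper_m)
    return report


def build_sample_home() -> str:
    """Create a constructed home directory with fake credentials (not real tokens)."""
    home = tempfile.mkdtemp(prefix="qlnx-demo-")

    def write(rel, content):
        p = Path(home) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)

    write(".npmrc", "//registry.npmjs.org/:_authToken=npm_EXAMPLE_PLACEHOLDER\n")
    write(".aws/credentials",
          "[default]\ncredential_process = /usr/local/bin/aws-sso-helper default\n")
    write(".docker/config.json",
          json.dumps({"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}))
    write(".kube/config",
          "apiVersion: v1\nusers:\n- name: dev\n  user:\n    token: EXAMPLE_PLACEHOLDER\n")
    return home


if __name__ == "__main__":
    # Audit the constructed sample, then the real home directory if one exists.
    for label, home in (("sample", build_sample_home()), ("live", os.path.expanduser("~"))):
        for rel, status in sorted(inventory(home).items()):
            print(f"{label:6} {status:14} {rel}")
```

Files reported as `static-secret` are the ones worth moving to short-lived, helper-issued credentials first; the sample run shows `.npmrc` and `.kube/config` in that bucket while the AWS and Docker configs already delegate to helpers.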