BREACH BRIEF · 🟠 High · ThreatIntel

Fileless Linux RAT “QLNX” Targets DevOps Environments, Enables Stealth Credential Theft

Researchers uncovered QLNX, a memory‑resident Linux RAT that compiles its own rootkit on the victim host, harvests developer credentials, and persists via LD_PRELOAD. Its stealth techniques make it a serious supply‑chain risk for any organization relying on third‑party Linux build or runtime environments.

LiveThreat™ Intelligence · 📅 May 10, 2026 · 📰 securityaffairs.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: securityaffairs.com


What Happened – Researchers disclosed a new Linux‑only Remote Access Trojan, Quasar Linux RAT (QLNX), that lives entirely in memory, compiles its own rootkit and PAM back‑door on the fly, and uses eBPF and /etc/ld.so.preload for system‑wide interception. The implant harvests developer credentials, logs keystrokes, captures clipboard data, and creates encrypted tunnels for persistent remote access.

Why It Matters for TPRM

  • The malware’s supply‑chain focus means any third‑party development platform, CI/CD pipeline, or hosted Linux build environment can become a foothold for attackers.
  • Its file‑less, memory‑resident design evades traditional AV and endpoint controls, raising the bar for detection in vendor environments.
  • Persistence mechanisms (memfd, LD_PRELOAD, PAM modules) allow long‑term access, increasing the risk of data exfiltration and lateral movement across your ecosystem.

Who Is Affected – Technology & SaaS vendors, cloud‑hosted Linux workloads, CI/CD service providers, DevOps tooling vendors, and any organization that outsources software development or runs Linux‑based production servers.

Recommended Actions

  • Review all third‑party Linux hosts and CI/CD pipelines for undocumented binaries and abnormal LD_PRELOAD usage.
  • Enforce strict code‑signing and binary‑integrity verification for all build‑agent software.
  • Deploy memory‑analysis EDR capable of detecting file‑less implants and eBPF abuse.
  • Rotate and re‑issue any SSH keys or credentials that may have been exposed on compromised hosts.

Technical Notes – QLNX is delivered as a native ELF binary that embeds C source for a PAM back‑door and an LD_PRELOAD rootkit. It compiles these components with gcc on the victim, loads them via memfd_create, and then deletes the original file. Persistence is achieved through /etc/ld.so.preload, PAM module injection, and kernel‑thread masquerading. Communication with the C2 is encrypted, and the implant checks for containerization, SELinux status, and GCC availability before enabling features. Source: SecurityAffairs
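As an added, defender-side example (not code from the report or from the QLNX analysis), the following Python script implements two of the host checks the brief recommends: it parses /etc/ld.so.preload for injected libraries and scans /proc/<pid>/maps for executable mappings backed by memfd or deleted files, which is the footprint left by memfd_create-based loading followed by unlinking. The sample maps excerpt and preload contents are constructed for the demonstration.

```python
import os
import re

# Constructed sample input (not from the report): a /proc/<pid>/maps excerpt
# and an /etc/ld.so.preload file as they might look on a compromised host.
SAMPLE_MAPS = """\
55d5c0a00000-55d5c0a1c000 r-xp 00000000 00:01 1234 /memfd:sample (deleted)
7f1c00000000-7f1c00020000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c00020000-7f1c00040000 r-xp 00020000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c00100000-7f1c00110000 r-xp 00000000 00:01 999 /tmp/.x (deleted)
7f1c00200000-7f1c00210000 rw-p 00000000 00:01 1000 /memfd:data (deleted)
"""
SAMPLE_PRELOAD = "# constructed example\n/usr/local/lib/libhook.so\n\n"

# Every non-comment path in /etc/ld.so.preload is injected into all dynamically
# linked processes; on a healthy host the file is absent or empty.
def preload_entries(text):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries

# Executable mappings backed by "/memfd:..." or a path marked "(deleted)" mean
# code is running from an anonymous or unlinked file, the memfd_create pattern.
_FILELESS = re.compile(r"^/memfd:|\(deleted\)$")

def fileless_mappings(maps_text):
    hits = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode path
        if len(parts) == 6 and "x" in parts[1] and _FILELESS.search(parts[5]):
            hits.add(parts[5])
    return sorted(hits)

# Walk /proc and return {pid: [suspicious executable mappings]}.
def scan_proc(proc="/proc"):
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/maps") as f:
                hits = fileless_mappings(f.read())
        except OSError:  # process exited or maps not readable
            continue
        if hits:
            findings[int(pid)] = hits
    return findings

if __name__ == "__main__":  # live check of the current host
    for pid, hits in scan_proc().items():
        print(f"pid {pid}: executable memfd/deleted mapping {hits}")
```

Executable memfd mappings are rare but not unique to malware (some runtimes JIT into them), so treat hits as triage leads and pair them with the ld.so.preload check and package-manager verification of the PAM modules on the host.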

📰 Original Source
https://securityaffairs.com/191898/malware/quasar-linux-rat-qlnx-a-fileless-linux-implant-built-for-stealth-and-persistence.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
