Cybersecurity researchers have discovered a dangerous Linux malware called Quasar Linux, also known as QLNX. Experts say the malware mainly targets software developers and DevOps environments. It is designed to remain hidden on compromised systems for long periods without detection. Researchers believe its main goal is to steal sensitive credentials and gain deep access to Linux machines.

Reports suggest the malware mainly targets platforms used by developers, including GitHub, AWS, Docker, Kubernetes, npm, and PyPI. Attackers can misuse stolen developer credentials to launch larger supply-chain attacks. Experts warn that hackers may upload malicious software packages or infected updates through compromised accounts. This could potentially affect thousands of users and organizations worldwide.
Researchers explained that Quasar Linux combines several dangerous functions into one toolkit. It works as a remote access trojan, credential stealer, rootkit, and surveillance tool at the same time. Once installed, attackers can remotely control infected systems without the victim noticing. Security experts say this makes the malware highly dangerous for Linux-based environments.
One of the most alarming features of the malware is its stealth capability. Researchers say Quasar Linux often runs directly in memory instead of storing visible files on disk. This fileless behavior makes detection very difficult for traditional antivirus software. The malware can also erase logs, hide processes, and remove the traces that investigators rely on.
The malware uses multiple persistence methods to remain active even after system restarts. Researchers found that it can create systemd services, cron jobs, init.d scripts, and XDG autostart entries. It also abuses LD_PRELOAD hijacking and modifies the .bashrc file to relaunch itself automatically. These techniques make the malware difficult to completely remove from infected systems.
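As an added example (not from the report or any vendor tooling), the following Python audit walks the persistence locations listed above and flags launch lines that point at staging areas such as /tmp or /dev/shm, a non-empty /etc/ld.so.preload, and relaunch-style additions to shell rc files. Directory layout and the suspicion heuristic are assumptions for common distributions; `demo()` builds a constructed temporary tree so nothing on the real host is read.

```python
import re
import tempfile
from pathlib import Path

# Persistence locations the report names (layout is an assumption about common distros).
SYSTEM_DIRS = {"systemd": "etc/systemd/system", "cron": "etc/cron.d",
               "init.d": "etc/init.d", "xdg-autostart": "etc/xdg/autostart"}
HOME_DIRS = {"systemd": ".config/systemd/user", "xdg-autostart": ".config/autostart"}
HOME_RC = [".bashrc", ".profile", ".bash_profile"]
# Heuristic for launch lines pointing at staging areas a legitimate unit rarely uses; constructed here.
SUSPECT = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/\.[\w-]+/|LD_PRELOAD=|base64\s+-d|\bnohup\b)")

def _scan_file(category, path, findings):
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return
    for n, line in enumerate(lines, 1):
        if SUSPECT.search(line):
            findings.append((category, f"{path}:{n}", line.strip()))

def audit_persistence(root="/", home=None):
    """Return (category, location, evidence) tuples for suspicious persistence entries."""
    findings, root, home = [], Path(root), Path(home) if home else Path.home()
    preload = root / "etc/ld.so.preload"  # LD_PRELOAD hijack: file is normally absent or empty
    if preload.is_file() and preload.read_text().strip():
        findings.append(("ld.so.preload", str(preload), preload.read_text().strip()))
    targets = [(c, root / d) for c, d in SYSTEM_DIRS.items()]
    targets += [(c, home / d) for c, d in HOME_DIRS.items()]
    for category, base in targets:
        if base.is_dir():
            for entry in sorted(p for p in base.rglob("*") if p.is_file()):
                _scan_file(category, entry, findings)
    for rc in HOME_RC:  # .bashrc-style relaunch hooks
        if (home / rc).is_file():
            _scan_file("shell-rc", home / rc, findings)
    return findings

def demo():
    """Plant constructed sample artifacts in a temp tree and audit it (no real system touched)."""
    tmp = Path(tempfile.mkdtemp())
    root, home = tmp / "root", tmp / "home"
    (root / "etc/systemd/system").mkdir(parents=True); (home / ".config/autostart").mkdir(parents=True)
    (root / "etc/ld.so.preload").write_text("/usr/lib/.cache/libx.so\n")  # constructed sample
    (root / "etc/systemd/system/sshd.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (root / "etc/systemd/system/update.service").write_text("[Service]\nExecStart=/dev/shm/.u/run\n")
    (home / ".config/autostart/x.desktop").write_text("[Desktop Entry]\nExec=/tmp/.x/agent\n")
    (home / ".bashrc").write_text("alias ll='ls -l'\nnohup /var/tmp/.s >/dev/null 2>&1 &\n")
    return audit_persistence(root, home)
```

Running `audit_persistence()` with its defaults audits the live host; treat every hit as a lead to triage, since the heuristic will also catch some legitimate but unusual units.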
Security analysts also discovered advanced remote-control features inside the malware. Attackers can execute commands, transfer files, scan networks, and create SOCKS proxy connections remotely. Researchers observed that hackers can move between systems through SSH connections after infecting a developer environment. The malware also uses encrypted communication channels to hide attacker activity.
Another major concern is the malware’s ability to steal sensitive information from infected systems. Researchers say it can collect SSH keys, browser data, cloud credentials, clipboard content, and developer configuration files. Some reports also mention keylogging and clipboard monitoring features inside the malware. These stolen credentials can later be used to access cloud systems and software repositories.
Researchers also identified advanced hiding techniques used by Quasar Linux inside the Linux kernel. The malware reportedly combines an LD_PRELOAD-based rootkit with eBPF technology to conceal malicious activity. Experts warn that developers are becoming major targets because they often have access to software pipelines and production servers. Security professionals recommend stronger monitoring, regular audits, and multi-factor authentication to reduce risks.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news


