Unmasking QLNX: The Stealthy Linux RAT Targeting the Software Supply Chain
In the evolving landscape of cyber threats, the most dangerous attackers aren’t just looking for data—they are looking for influence. A newly documented Linux Remote Access Trojan (RAT), dubbed QLNX, is purpose-built for this exact mission: hijacking the software supply chain by compromising the very people who build it.
We have already seen the devastating potential of “account takeover” attacks, such as the recent compromises involving the LiteLLM project on PyPI and the Axios npm package. These incidents demonstrated how a single compromised maintainer can push malicious code to millions of downstream users. QLNX weaponizes this reality by targeting developer workstations and DevOps environments to harvest the high-value secrets that control modern CI/CD pipelines.
According to researchers at Trend Micro, QLNX is a sophisticated, full-featured Linux implant. It utilizes fileless execution, advanced rootkit capabilities, and highly specialized credential harvesting to remain undetected by traditional security perimeters.
Deep Dive: Technical Architecture and Evasion
QLNX is engineered to leave as little forensic evidence as possible. It operates as a 64-bit position-independent ELF binary. Upon execution, it employs the memfd_create system call to create an anonymous file in memory, re-executing itself from this space before deleting the original on-disk binary. This “fileless” approach makes it significantly harder for traditional antivirus tools to flag the malicious process.
To maintain a low profile, the malware utilizes several sophisticated deception techniques:
- Process Spoofing: To evade inspection via
psortop, QLNX masquerades as a legitimate Linux kernel thread. It randomly adopts names likekworker/0:0,ksoftirqd/0, orrcu_schedby rewriting itsargvand using theprctlsystem call. - Environment Scrubbing: It strips sensitive environment variables like
PWDandOLDPWDto hide its launch context and uses a fake X11 lock file in/tmpto ensure only one instance runs at a time. - Extensive Persistence: QLNX offers a “choose your own adventure” of persistence. It can embed itself through
systemdservices,cronjobs, SysV init scripts, XDG autostart files,.bashrcinjections, and the highly effectiveLD_PRELOADtechnique. Every artifact it creates is tagged withQLNX_MANAGED, allowing the malware to track and manage its own presence.
Perhaps most alarming is its dual-layer approach to concealment: Userland and Kernel-level hiding.
At the userland level, QLNX uses a “compile-on-target” strategy. It carries embedded C source code for an LD_PRELOAD-based rootkit, which it compiles locally using gcc. Once installed (often as /usr/lib/libsecurityutils.so.1), it hooks fundamental libc functions like readdir, stat, and open. If a sysadmin tries to look for the malware’s files or processes, the rootkit simply tells the OS that those files “do not exist.”
For even deeper invisibility, QLNX utilizes eBPF-based rootkits. On kernels version 4.18 or higher, it acts as a user-space controller for BPF maps, allowing it to hide processes, files, and network ports directly from the kernel’s view. This level of stealth makes the malware virtually invisible to standard system monitoring tools.
The Payload: Weaponized Credential Theft
The true intent of QLNX is revealed through its internal command protocol. When the 0x90 command is issued, the malware begins a systematic vacuuming of the developer’s digital identity. It specifically hunts for:
- Identity & Access: SSH keys (
id_rsa,id_ed25519),authorized_keys, and system password hashes from/etc/shadow. - Cloud & Infrastructure: AWS configuration files, Kubernetes
kubeconfig, Dockerconfig.json, and HashiCorp Vault tokens. - Development Ecosystems:
.npmrc(npm tokens),.pypirc(PyPI keys),.git-credentials, and GitHub CLI tokens. - Session Data: Browser cookies/databases (Chrome, Firefox), shell histories, and even the current X11 clipboard contents.
To intercept real-time logins, QLNX deploys Pluggable Authentication Module (PAM) backdoors. These backdoors can capture plaintext credentials from every authentication attempt and even include a “master password” (notably OfQtYJK) that allows the attacker to bypass security entirely. Captured secrets are XOR-encrypted and stashed in hidden logs in /var/log, such as .ICE-unix, before being exfiltrated.

C2 Communication and Resiliency
QLNX communicates with its Command-and-Control (C2) servers using a custom TLS-secured protocol, though it can fallback to standard HTTP/HTTPS. Every session is marked by an ASCII handshake containing the magic value "QLNX".

Before the first connection, the implant performs “reconnaissance-by-proxy,” querying ip-api.com to determine the victim’s location. It then sends a beacon containing a detailed machine fingerprint, including the /etc/machine-id and MAC addresses. Once established, the attacker has a massive toolkit—over 58 different command IDs covering everything from SOCKS proxies and keylogging to screenshot capture and P2P mesh networking.
The P2P mesh capability is particularly dangerous; it allows compromised hosts to act as relays for one another. This creates a resilient web of infection, meaning that even if one machine is cleaned, the attacker may still maintain access to the network through another “node.”
Defense and Detection Strategies
Detecting QLNX requires moving beyond simple signature-based scanning. Security teams should prioritize the following indicators of compromise (IoCs):
- Anomalous Kernel Processes: Investigate any “kernel-style” processes (e.g.,
kworker) that appear on developer workstations or CI/CD build nodes. - Suspicious Compilation Activity: Monitor for unexpected usage of
gccor other compilers on production or developer machines, as QLNX compiles its rootkits locally. - File System Integrity: Audit
/etc/ld.so.preloadfor unauthorized shared libraries and inspect/var/logfor hidden files (e.g.,.ICE-unix). - PAM Auditing: Regularly check for unauthorized or newly added PAM modules, particularly those with names resembling legitimate security utilities.
- Service Monitoring: Watch for unauthorized
systemdservices orXDG autostartentries that carry theQLNX_MANAGEDmarker.