Critical Threat Research : The Iranian Cyber War Intensifies!
Comprehensive Threat Exposure Management Platform
Quasar Linux (QLNX) represents a sophisticated, previously undocumented Linux remote access trojan specifically designed to target developer workstations and DevOps infrastructure environments as a beachhead for software supply chain compromise operations. While security researchers have not yet identified the initial QLNX infection vector, the malware immediately transitions into stealth-focused deployment upon execution, leveraging the Linux memfd_create system call to load itself directly into memory, re-execute from the in-memory copy, and erase the original binary from disk, effectively eliminating its filesystem footprint. To prevent repeated execution loops, QLNX relies on the MFD_RE environment variable as an execution safeguard, while older Linux systems that do not support memfd execution are handled through a fallback mechanism utilizing /proc/self/fd pseudo-filesystem access. The malware further masks its malicious activity by impersonating legitimate Linux kernel thread names including [kworker/0:0], [ksoftirqd/0], and [rcu_sched], while systematically clearing forensic environment variables that could expose execution context or launch mechanisms to security analysts and incident responders.
Following initial compromise, QLNX malware performs extensive system reconnaissance to assess victim capabilities and security posture, checking for root privilege access, kernel version information, SELinux enforcement status, containerized environment indicators, GCC compiler availability for on-target compilation, X11 display server access for graphical capture, and accessibility to /dev/input devices for keyboard monitoring. Based on reconnaissance findings, QLNX selectively activates different operational modules from its extensive capability set. Security researchers analyzing QLNX have identified 58 separate command handlers integrated into its command-and-control framework, enabling execution of comprehensive offensive operations. System persistence is maintained through seven independent mechanisms spanning both user-level and system-level approaches including systemd service installation, cron job scheduling, SysVinit initialization scripts, XDG autostart entries, .bashrc shell configuration modifications, and LD_PRELOAD shared library injection. Every QLNX persistence component contains the QLNX_MANAGED marker for internal tracking purposes. Among these persistence techniques, the LD_PRELOAD dynamic linker hijacking method is particularly resilient, forcing QLNX malware to relaunch whenever dynamically linked applications execute, enabling survival even after termination of primary malware processes.
To maintain stealth and evade detection, QLNX employs a sophisticated dual-layer rootkit architecture combining both userland and kernel-level concealment capabilities. The LD_PRELOAD userland rootkit component is compiled directly on victim systems using embedded C source code and GCC compiler availability, hooking critical libc library functions including readdir, stat, open, and access to hide malware components, credential log files, PAM backdoor modules, and malicious running processes from system administrators and security tools. Operating in parallel, an eBPF-based kernel rootkit component manipulates kernel-level Berkeley Packet Filter maps to conceal processes, filesystem objects, and network port listeners from monitoring utilities like ps, ls, and netstat commands. This kernel-level concealment component requires Linux kernel version 4.18 or newer along with root privileges for eBPF program loading. QLNX also deploys a Pluggable Authentication Modules inline-hook backdoor capable of intercepting plaintext credentials during authentication events, including a hardcoded master password (O$$f$QtYJK) enabling attackers to bypass legitimate authentication controls, and logging outbound SSH session activity to monitor lateral movement attempts. Stolen credentials are XOR-encrypted and stored in hidden log locations including /var/log/.ICE-unix and /var/log/.Test-unix, while an additional PAM credential harvester logs usernames, service identifiers, and authentication tokens into /tmp/.pam_cache.
When instructed by remote operators, QLNX executes large-scale credential and sensitive data harvesting operations extracting SSH private keys, browser-stored credentials from Chrome, Chromium, and Firefox password managers, cloud provider and developer tool configuration files, Git repository credentials, Kubernetes kubeconfig files, Docker registry credentials, HashiCorp Vault authentication tokens, Terraform state files and secrets, shell command histories, X11 clipboard contents, and /etc/shadow password hashes when operating with elevated privileges. Communication with QLNX operators occurs through a custom binary protocol transported over TLS, HTTPS, or HTTP channels, all utilizing identical framing structures identified by the QLNX magic header signature. Beacon traffic transmitted from compromised systems includes comprehensive system profiling information, geolocation data obtained from ip-api.com services, and unique machine fingerprints derived from hardware identifiers for tracking and attribution purposes.
Beyond credential theft operations, QLNX incorporates extensive offensive capabilities including TCP tunneling, SOCKS proxy services, port forwarding, network packet capture, port scanning reconnaissance, SSH-based lateral movement, in-memory shared object execution, process injection using ptrace debugging interfaces and /proc/pid/mem manipulation, Beacon Object File (BOF/COFF) execution for modular post-exploitation, screenshot capture, keystroke logging, clipboard monitoring with SHA256-based deduplication preventing redundant exfiltration, real-time filesystem monitoring via inotify kernel subsystem, timestomping for anti-forensics, and comprehensive system log wiping capabilities. One of QLNX’s most sophisticated features is peer-to-peer mesh networking capability allowing compromised systems to operate as resilient relay nodes, creating distributed command-and-control infrastructure that significantly complicates disruption efforts and enables continued operations even when primary C2 servers are taken offline or blocked by network security controls.
Quasar Linux malware employs sophisticated fileless execution techniques to evade filesystem-based detection and forensic analysis. Upon initial execution, QLNX leverages the Linux memfd_create system call to create an anonymous memory file descriptor, loads its complete executable image directly into this memory-backed file descriptor, re-executes itself from the in-memory copy using execveat system call, and immediately erases the original binary from disk storage, effectively eliminating its filesystem footprint. To prevent infinite re-execution loops during this transition, QLNX checks for the presence of the MFD_RE environment variable as an execution state indicator. Older Linux systems lacking memfd_create support (kernels predating version 3.17) are handled through a fallback mechanism utilizing /proc/self/fd pseudo-filesystem access for similar fileless execution capabilities. Following successful in-memory deployment, QLNX systematically impersonates legitimate Linux kernel thread naming conventions including [kworker/0:0], [ksoftirqd/0], and [rcu_sched] to blend malicious processes with normal system activity, while simultaneously clearing forensic environment variables including argv[0], environment strings, and process command-line arguments that could expose launch context, parent processes, or execution paths to security analysts performing incident response or system audits.
After establishing its initial foothold, QLNX malware performs comprehensive system reconnaissance to assess victim capabilities, security posture, and available attack surfaces for tailored post-exploitation operations. The reconnaissance module systematically checks for effective user ID zero indicating root privileges, extracts kernel version information via uname system calls to assess exploit applicability, queries SELinux enforcement status through /sys/fs/selinux/enforce to understand mandatory access control restrictions, detects containerized environments by examining cgroup hierarchies and container runtime indicators, verifies GCC compiler toolchain availability required for on-target rootkit compilation, tests X11 display server connectivity for graphical capture capabilities, and probes /dev/input device accessibility for hardware keystroke interception. Based on collected reconnaissance intelligence, QLNX selectively activates appropriate operational modules from its extensive capability set. Security researchers reverse-engineering QLNX samples have identified 58 distinct command handler functions integrated into its command-and-control framework, enabling comprehensive remote access operations. QLNX establishes system persistence through seven independent mechanisms providing redundancy across both user-level and system-level privilege contexts, including systemd service unit installation, cron job scheduling, SysVinit initialization scripts, XDG Desktop autostart entries, .bashrc shell configuration modifications for user-level persistence, and LD_PRELOAD environment variable manipulation forcing dynamic linker hijacking. All QLNX persistence components embed the QLNX_MANAGED text marker enabling internal tracking and coordination across distributed malware modules.
To maintain operational stealth and evade security monitoring, QLNX implements a sophisticated dual-layer rootkit architecture combining userland function hooking with kernel-level concealment capabilities. The LD_PRELOAD userland rootkit component is compiled directly on compromised victim systems using embedded C language source code and leveraging GCC compiler availability discovered during reconnaissance, hooking critical GNU C Library functions including readdir for directory enumeration concealment, stat and lstat for file metadata manipulation, open and openat for file access interception, and access for permission check manipulation. These hooked libc functions systematically hide QLNX malware components, stolen credential log files, PAM backdoor shared objects, and malicious process entries from system administrators, security tools, and forensic investigators. Operating in parallel with userland concealment, an eBPF-based kernel rootkit component manipulates kernel-level Berkeley Packet Filter maps to conceal process identifiers, filesystem directory entries, and listening network port bindings from monitoring utilities including ps process listing, ls directory enumeration, and netstat network connection display commands. This kernel-level rootkit functionality requires Linux kernel version 4.18 or newer for eBPF program support, along with CAP_SYS_ADMIN or CAP_BPF kernel capabilities typically requiring root privileges.
QLNX deploys a sophisticated Pluggable Authentication Modules inline-hook backdoor providing both credential theft capabilities and persistent authentication bypass mechanisms. The PAM backdoor module is capable of intercepting plaintext passwords during all system authentication events including SSH remote access, sudo privilege escalation, su user switching, login console access, and graphical desktop manager authentication. The PAM module includes a hardcoded master password string (O$$f$QtYJK) enabling QLNX operators to bypass legitimate authentication controls and obtain immediate system access regardless of actual user passwords, providing emergency access even if primary backdoors are discovered and removed. The PAM backdoor also logs all outbound SSH connection attempts including destination hostnames, usernames, and authentication credentials to monitor lateral movement opportunities and credential reuse patterns across the victim’s infrastructure. Stolen credentials are encrypted using simple XOR obfuscation and stored in hidden filesystem locations designed to evade casual inspection including /var/log/.ICE-unix and /var/log/.Test-unix paths masquerading as X11 Inter-Client Exchange and X11 test directories. An additional PAM credential harvesting module logs authentication usernames, service identifiers (ssh, sudo, login), and authentication tokens including passwords and SSH keys into /tmp/.pam_cache temporary storage for periodic exfiltration to command-and-control infrastructure.
When instructed by remote operators through command-and-control channels, QLNX executes comprehensive credential and sensitive data harvesting operations specifically targeting software development, DevOps, and cloud infrastructure assets. The credential harvesting module systematically extracts SSH private keys from ~/.ssh/ directories including id_rsa, id_ed25519, and id_ecdsa identity files, browser-stored credentials from Chrome, Chromium, and Firefox password managers by decrypting SQLite database files, cloud provider configuration files including AWS credentials (~/.aws/credentials), Google Cloud credentials (~/.config/gcloud/), Azure credentials (~/.azure/), Git version control credentials from ~/.git-credentials and ~/.netrc files, Kubernetes cluster authentication from ~/.kube/config files containing service account tokens and client certificates, Docker registry credentials from ~/.docker/config.json, HashiCorp Vault authentication tokens from ~/.vault-token, Terraform state files and variable definitions containing infrastructure secrets, shell command histories (~/.bash_history, ~/.zsh_history) revealing sensitive commands and credentials, X11 clipboard contents for credential capture during password manager usage, and /etc/shadow password hash files when QLNX operates with root privileges. This comprehensive credential theft specifically targets assets enabling software supply chain compromise through developer account takeover and package registry access, or lateral movement into cloud production environments through harvested infrastructure credentials.
Beyond credential theft operations, QLNX incorporates extensive offensive capabilities supporting comprehensive post-exploitation operations. The malware implements TCP traffic tunneling and SOCKS proxy services enabling pivoting through compromised developer workstations to reach internal network resources, port forwarding for network service exposure, raw packet capture for network reconnaissance, port scanning for internal asset discovery, SSH-based lateral movement using stolen private keys, in-memory shared object execution avoiding filesystem artifacts, process injection using ptrace debugging interfaces and /proc/pid/mem memory manipulation, Beacon Object File (BOF/COFF) execution enabling modular capabilities without full binary deployment, screenshot capture for visual reconnaissance, hardware and software keystroke logging, clipboard monitoring with SHA256-based deduplication preventing redundant data exfiltration, real-time filesystem monitoring via inotify kernel subsystem detecting file creation and modification events, timestomping anti-forensics capabilities manipulating file modification times, and comprehensive system log wiping targeting /var/log/ contents. One of QLNX’s most sophisticated features is peer-to-peer mesh networking capability allowing compromised developer workstations to function as resilient relay nodes, creating distributed command-and-control infrastructure where infected systems communicate through multiple redundant paths, significantly complicating network-based disruption efforts and enabling continued operations even when primary C2 servers are identified, blocked, or taken offline by defenders.
Organizations must deploy security detection rules specifically targeting memfd_create and execveat system calls that QLNX leverages for in-memory fileless execution. Implement endpoint detection and response monitoring generating high-priority security alerts when processes execute from /proc/self/fd pseudo-filesystem paths or memfd: anonymous file descriptors, as legitimate applications rarely utilize these execution patterns. Configure behavioral analysis rules identifying processes that delete their own executable binaries immediately after launch, a characteristic anti-forensics technique employed by QLNX. Deploy kernel-level security monitoring through audit subsystem rules or eBPF-based security tools capturing suspicious system call sequences including memfd_create immediately followed by execveat, indicative of fileless malware deployment tactics.
Organizations should implement regular integrity audits of /etc/ld.so.preload system-wide dynamic linker configuration file for unauthorized shared library entries, and comprehensively verify the cryptographic integrity of all PAM module files under /usr/lib/security/, /lib/security/, /usr/lib64/security/, and /lib64/security/ directories against trusted package manager checksums. Any unrecognized shared object files including names matching QLNX indicators such as libsecurity_utils.so.1, pam_security.so, .libpam_cache.so, or similar security-themed naming conventions should be immediately treated as indicators of compromise requiring urgent incident response. Establish file integrity monitoring with real-time alerting on modifications to PAM configuration files in /etc/pam.d/ directory and LD_PRELOAD environment variables in user shell configurations, systemd service definitions, and system-wide environment files.
QLNX malware requires GCC compiler toolchain availability to compile its LD_PRELOAD userland rootkit and PAM backdoor modules directly on target victim systems. Organizations should severely limit compiler availability to dedicated isolated build environments and remove development toolchains including gcc, g++, clang, and associated build utilities from production servers, cloud instances, and general-purpose developer workstations where runtime compilation is not operationally required. Implement application whitelisting or mandatory access control policies restricting execution of compiler binaries to specific build service accounts in controlled environments. Deploy detection rules alerting on unexpected compiler process execution outside of authorized build pipelines, particularly focusing on compilation activities in temporary directories (/tmp/, /var/tmp/) characteristic of on-target malware compilation.
Organizations must establish file integrity monitoring with real-time alerting capabilities covering critical system paths that QLNX targets for persistence and credential theft. Monitor for unauthorized modifications to /etc/ld.so.preload dynamic linker configuration, all files within /etc/pam.d/ authentication module configuration directory, systemd service unit directories (/etc/systemd/system/, /usr/lib/systemd/system/), crontab entries and cron.d directory contents, SysVinit scripts in /etc/init.d/ and /etc/rc*.d/ directories, user shell configuration files including .bashrc, .bash_profile, .profile, and XDG autostart locations in ~/.config/autostart/. Alert on creation of files matching QLNX artifact naming patterns including /tmp/.X*-lock, /tmp/.pam_src_, /tmp/.hide_src_, /tmp/.pam_cache, /var/log/.ICE-unix, /var/log/.Test-unix, and hidden shared objects in library paths. Deploy security information and event management correlation rules identifying combinations of these indicators suggesting active QLNX deployment.
If QLNX compromise is suspected or confirmed within developer or DevOps environments, organizations must immediately revoke and rotate all software supply chain credentials and cloud infrastructure access tokens stored on potentially affected workstations. This emergency credential rotation must include NPM registry authentication tokens (.npmrc configuration files), PyPI package repository credentials (.pypirc files), Git version control credentials including GitHub, GitLab, and Bitbucket personal access tokens, AWS IAM access keys and secret keys, Kubernetes service account tokens and kubeconfig files, Docker Hub and container registry credentials, GitHub CLI authentication tokens, HashiCorp Vault authentication tokens, Terraform Cloud or Terraform Enterprise credentials, and SSH private keys used for infrastructure access. Implement detection monitoring for unauthorized package publishing attempts on NPM and PyPI registries using compromised credentials, and establish enhanced logging and approval workflows for all package publication operations during incident response and recovery periods.
Organizations must mandate multi-factor authentication for all package publishing operations on NPM, PyPI, RubyGems, and other software package registries to prevent attackers from leveraging stolen authentication tokens to publish trojanized packages through compromised developer accounts. Implement organizational policies requiring hardware security keys or time-based one-time passwords for package registry authentication, preventing reliance solely on bearer tokens that QLNX can exfiltrate from developer workstations. Establish code signing requirements for published packages using separate offline signing keys not stored on developer workstations, creating defense-in-depth even if package registry credentials are compromised. Deploy package registry security monitoring detecting anomalous publishing patterns including unusual package updates, new package publications from dormant accounts, or publications from unexpected geographic locations or IP addresses.
T1059: Command and Scripting Interpreter T1059.004: Unix Shell – QLNX leverages Unix shell interpreters for initial deployment, persistence script execution, and post-exploitation operations.
T1106: Native API – QLNX directly invokes Linux system calls including memfd_create, execveat, ptrace, and eBPF program loading for fileless execution and advanced capabilities.
T1543: Create or Modify System Process T1543.002: Systemd Service – QLNX establishes persistence through creation of malicious systemd service units with QLNX_MANAGED markers.
T1053: Scheduled Task/Job T1053.003: Cron – QLNX schedules periodic execution through cron jobs and crontab modifications for user-level and system-level persistence.
T1546: Event Triggered Execution T1546.004: Unix Shell Configuration Modification – QLNX modifies .bashrc, .bash_profile, and shell initialization scripts for persistence triggered on user login.
T1574: Hijack Execution Flow T1574.006: Dynamic Linker Hijacking – QLNX abuses LD_PRELOAD environment variable and /etc/ld.so.preload configuration for persistent execution via dynamic linker hijacking.
T1014: Rootkit – QLNX implements dual-layer rootkit architecture combining LD_PRELOAD userland hooks with eBPF kernel-level concealment.
T1070: Indicator Removal T1070.002: Clear Linux or Mac System Logs – QLNX wipes system logs from /var/log/ to remove forensic evidence of malicious activity. T1070.004: File Deletion – QLNX deletes original binary from disk after fileless memory deployment via memfd_create. T1070.006: Timestomp – QLNX manipulates filesystem modification timestamps for anti-forensics purposes.
T1036: Masquerading T1036.004: Masquerade Task or Service – QLNX masquerades as legitimate kernel threads using names like [kworker/0:0], [ksoftirqd/0], and [rcu_sched].
T1620: Reflective Code Loading – QLNX loads executable code directly into memory without touching disk using memfd_create and execveat.
T1027: Obfuscated Files or Information – QLNX obfuscates stolen credentials using XOR encryption before storage in hidden log files.
T1556: Modify Authentication Process T1556.003: Pluggable Authentication Modules – QLNX deploys PAM backdoor modules intercepting plaintext credentials during authentication with hardcoded master password bypass.
T1555: Credentials from Password Stores T1555.003: Credentials from Web Browsers – QLNX extracts credentials from Chrome, Chromium, and Firefox password manager databases.
T1552: Unsecured Credentials T1552.001: Credentials In Files – QLNX harvests credentials from configuration files including .npmrc, .pypirc, .aws/credentials, .kube/config, and .docker/config.json. T1552.004: Private Keys – QLNX steals SSH private keys from ~/.ssh/ directories for lateral movement and infrastructure access.
T1082: System Information Discovery – QLNX performs comprehensive system reconnaissance including kernel version, SELinux status, containerization detection, and compiler availability.
T1057: Process Discovery – QLNX enumerates running processes to identify security tools and select injection targets.
T1049: System Network Connections Discovery – QLNX discovers active network connections for lateral movement target identification.
T1021: Remote Services T1021.004: SSH – QLNX performs SSH-based lateral movement using stolen private keys and harvested credentials.
T1056: Input Capture T1056.001: Keylogging – QLNX implements keystroke logging capturing passwords and sensitive input.
T1113: Screen Capture – QLNX captures screenshots from X11 display servers for visual reconnaissance.
T1115: Clipboard Data – QLNX monitors clipboard contents with SHA256-based deduplication for credential theft.
T1071: Application Layer Protocol T1071.001: Web Protocols – QLNX communicates with operators using custom binary protocol over TLS, HTTPS, and HTTP.
T1095: Non-Application Layer Protocol – QLNX supports raw TCP communication channels for command-and-control.
T1573: Encrypted Channel T1573.002: Asymmetric Cryptography – QLNX encrypts C2 communications using TLS with custom protocol framing.
T1090: Proxy T1090.001: Internal Proxy – QLNX implements SOCKS proxy and port forwarding for pivoting through compromised developer workstations.
T1104: Multi-Stage Channels – QLNX establishes peer-to-peer mesh networking allowing compromised systems to relay communications creating resilient distributed C2 infrastructure.
T1041: Exfiltration Over C2 Channel – QLNX exfiltrates stolen developer credentials, cloud access keys, and SSH private keys over encrypted command-and-control channels.
SHA256 Hashes:
SHA1: b0f2c668cbdd63a871c90592b6c93e931115872e
MD5: 70f70743f287a837d17c56933152a8a6
File Names:
File Paths:
Get through updates and upcoming events, and more directly in your inbox