Threat Actors Abuse Fileless Execution to Spread Quasar Linux RAT
ID: 3574e18a-237a-508e-b9d2-0ad6242aa479
STIX ID: report--3574e18a-237a-508e-b9d2-0ad6242aa479
Feed Name: Cyber Press
Quasar Linux (QLNX) is a sophisticated fileless Linux RAT that infects developer and DevOps workstations on mainstream distributions. It uses memfd_create to execute entirely in memory and dynamically compiles an eBPF kernel rootkit and a PAM backdoor with the host's GCC to capture cleartext credentials and exfiltrate SSH keys, cloud/Kubernetes secrets, and registry tokens. It persists by modifying /etc/ld.so.preload, drops dynamically compiled shared objects (/usr/lib/libsecurity_utils.so.1, /usr/lib/.libpam_cache.so), and uses a resilient P2P mesh for C2, evading traditional EDR and static detection. The report includes IOCs and detection recommendations.
