Quasar RAT Hits Developers With Fileless Linux Attacks
ID: 20a8ea3e-f77e-5ebb-969b-f247c9458466
STIX ID: report--20a8ea3e-f77e-5ebb-969b-f247c9458466
Feed Name: GBHackers
Quasar Linux (QLNX) is a sophisticated, stealthy Linux RAT observed on developer workstations and CI/CD hosts that pivots to in-memory execution (using memfd_create/execveat), deploys a two-tier rootkit (LD_PRELOAD userland and eBPF kernel controller), compiles per-host shared objects (PAM backdoors, rootkit) with local gcc, and operates a P2P TLS-wrapped C2 mesh; its primary goal is harvesting SSH keys, tokens, cloud and project secrets to enable software supply-chain tampering. The report outlines indicators (memfd usage, /etc/ld.so.preload modifications, hidden high-entropy files, suspicious gcc activity, custom TLS handshake identifiers) and recommends isolation, full OS reinstalls for confirmed compromises, FIM, and monitoring of PAM/ld.so.preload paths.
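Three of the indicators listed above (/etc/ld.so.preload modifications, memfd-backed processes, hidden high-entropy files) lend themselves to a quick host check. The script below is an added example written for this summary; it is not code from the GBHackers report or from any vendor tool. The preload allowlist, the entropy threshold and the sample inputs used to exercise it are assumptions constructed for illustration, and the live-host scan at the bottom only runs when the file is executed directly.

```python
"""Host checks for three Quasar Linux indicators: ld.so.preload tampering,
processes running from an anonymous memfd, and high-entropy dotfiles."""
import math
import os
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List

# /proc/<pid>/exe of a process started via memfd_create()+execveat() resolves
# to a pseudo-path such as "/memfd:<name> (deleted)" instead of a file on disk.
MEMFD_EXE = re.compile(r"^/memfd:")

# Assumed threshold: a byte-wise Shannon entropy close to 8 bits/byte is typical
# of encrypted or packed payloads, not of shell rc files or text caches.
ENTROPY_THRESHOLD = 7.5


def unexpected_preload_entries(preload_text: str,
                               allowlist: frozenset = frozenset()) -> List[str]:
    """Return each library path in ld.so.preload text that is not allowlisted.

    A clean host normally has no ld.so.preload at all, so anything that is not
    a deliberately deployed library (the assumed allowlist) is worth a look.
    Entries are whitespace separated; lines starting with '#' are skipped here.
    """
    found = []
    for line in preload_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for entry in line.split():
            if entry not in allowlist:
                found.append(entry)
    return found


def memfd_backed_processes(exe_links: Dict[int, str]) -> List[int]:
    """Given {pid: readlink('/proc/<pid>/exe')}, return pids running from memfd."""
    return sorted(pid for pid, target in exe_links.items() if MEMFD_EXE.match(target))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def high_entropy_dotfiles(files: Dict[str, bytes],
                          threshold: float = ENTROPY_THRESHOLD) -> List[str]:
    """Return names of hidden files (leading '.') whose content entropy is high."""
    return sorted(name for name, content in files.items()
                  if name.startswith(".") and shannon_entropy(content) >= threshold)


def read_proc_exe_links() -> Dict[int, str]:
    """Collect exe symlink targets of visible processes (root sees all of them)."""
    links = {}
    for entry in os.scandir("/proc"):
        if entry.name.isdigit():
            try:
                links[int(entry.name)] = os.readlink(f"/proc/{entry.name}/exe")
            except OSError:
                continue  # kernel threads, exited processes, or no permission
    return links


if __name__ == "__main__":
    # Live-host sweep; directory to scan for dotfiles is an assumption.
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        print("ld.so.preload entries:", unexpected_preload_entries(preload.read_text()))
    print("memfd-backed pids:", memfd_backed_processes(read_proc_exe_links()))
    home = Path.home()
    dotfiles = {p.name: p.read_bytes() for p in home.iterdir()
                if p.is_file() and p.name.startswith(".") and p.stat().st_size > 0}
    print("high-entropy dotfiles:", high_entropy_dotfiles(dotfiles))
```

Each check is a pure function over data you pass in, so the same logic can be fed from a live /proc walk, from a forensic image, or from an EDR export; the main block shows the live-host wiring.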
