{"id":60584,"date":"2026-05-04T00:00:00","date_gmt":"2026-05-04T00:00:00","guid":{"rendered":"urn:uuid:719cf5a4-8f2a-e6d6-7b35-644c3e84f841"},"modified":"2026-05-04T00:00:00","modified_gmt":"2026-05-04T00:00:00","slug":"quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","title":{"rendered":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/quasar-linux\u2013a-silent-foothold-in-the-supply-chain:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/e\/quasar-linux%E2%80%93a-silent-foothold-in-the-supply-chain.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><b><span class=\"body-subhead-title\">Conclusion<\/span><\/b><\/p>\n<p>The QLNX implant was built for long-term stealth and credential theft. What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.<\/p>\n<p>QLNX systematically targets the files that underpin modern software development and cloud infrastructure: <code>.npmrc<\/code> (NPM registry tokens), <code>.pypirc<\/code> (PyPI upload keys), <code>.git-credentials<\/code>, <code>.aws\/credentials<\/code>, <code>.kube\/config<\/code>, and <code>.docker\/config.json<\/code>. 
These are the keys to the software supply chain. A single compromised developer workstation could give the attacker the ability to publish trojanized packages to NPM or PyPI, inject backdoors into container images, or pivot from a personal laptop into production cloud environments.<\/p>\n<p>This is not a theoretical risk. The LiteLLM supply chain compromise in March 2026 followed exactly this pattern: stolen credentials from one tool were used to trojanize a Python package with 3.4 million daily downloads. QLNX&#8217;s capability set maps directly to every step of that kill chain.<\/p>\n<p>The rootkit, the PAM backdoor capable of silently intercepting plaintext passwords, and the P2P mesh network that lets implants relay through each other all compound the difficulty of detection and eradication.<\/p>\n<p>Trend Vision One customers are protected against the indicators of compromise documented in this analysis, with access to hunting queries, threat insights, and intelligence reports related to QLNX.<\/p>\n<p><b><span class=\"body-subhead-title\">Proactive security with Trend Vision One\u2122<\/span><\/b><\/p>\n<p>Trend Vision One\u2122 is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.<\/p>\n<p><b><span class=\"body-subhead-title\">Trend Vision One\u2122 Network Security<\/span><\/b><\/p>\n<p>47135: HTTP: Backdoor.Linux.QLNX.A Runtime Detection<\/p>\n<p>47136: TCP: Backdoor.Linux.QLNX.A Runtime Detection<\/p>\n<p><b><span class=\"body-subhead-title\">Trend Vision One\u2122 Threat Intelligence<\/span><\/b><\/p>\n<p>To stay ahead of evolving threats, Trend customers can access <a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html\" target=\"_blank\">Trend Vision One\u2122 Threat Insights<\/a>, which provides the latest insights from Trend Research on 
emerging threats and threat actors.<\/p>\n<p><b><span class=\"body-subhead-title\">Trend Vision One\u2122 Threat Insights<\/span><\/b><\/p>\n<p><b>Emerging Threats:<\/b> Quasar Linux (QLNX): <a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html\">Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting and More<\/a><\/p>\n<p><b><span class=\"body-subhead-title\">Trend Vision One\u2122 Intelligence Reports (IOC Sweeping)<\/span><\/b><\/p>\n<p><a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html\">Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting and More<\/a><\/p>\n<p><b><span class=\"body-subhead-title\">Hunting queries<\/span><\/b><\/p>\n<p><b><span class=\"body-subhead-title\">Trend Vision One\u2122 Search App<\/span><\/b><\/p>\n<p>Trend Vision One\u2122 customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.<\/p>\n<p>Linux Hunting query for QLNX:<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TrendAI\u2122 Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60585,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9565,9509],"class_list":["post-60584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-data-center","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-04T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/e\/quasar-linux%E2%80%93a-silent-foothold-in-the-supply-chain.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities\",\"datePublished\":\"2026-05-04T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/\"},\"wordCount\":448,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : 
Data center\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/\",\"name\":\"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg\",\"datePublished\":\"2026-05-04T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, 
Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","og_locale":"en_US","og_type":"article","og_title":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-05-04T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/e\/quasar-linux%E2%80%93a-silent-foothold-in-the-supply-chain.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities","datePublished":"2026-05-04T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/"},"wordCount":448,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Data center","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","url":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","name":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg","datePublished":"2026-05-04T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities.jpg","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential 
Harvesting Capabilities"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/
person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60584"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60584\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60585"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}