Quasar Linux RAT Steals Dev Credentials for Supply Chain Attacks
Security researchers at SentinelLabs have uncovered a previously undocumented Linux remote access trojan, codenamed Quasar Linux RAT (QLNX), that is being deployed in a campaign aimed squarely at software developers. The implant, delivered as a statically linked ELF binary, is designed to harvest a wide range of credentials—including SSH keys, Git tokens, and cloud service API keys—by hooking into the OpenSSH client and common version‑control binaries. Once installed, QLNX establishes a covert command‑and‑control (C2) channel using TLS‑encrypted HTTP requests to an adversary‑controlled domain, allowing the attacker to issue arbitrary commands and exfiltrate data under the radar of conventional endpoint detection.
Technical analysis reveals that QLNX achieves persistence through a disguised systemd service named 'qservice' and a malicious entry in /etc/rc.local, ensuring it survives reboots. The trojan employs a custom protocol that wraps commands in a JSON payload encrypted with AES‑256‑CBC, with RSA‑2048 key exchange for session setup. Notably, it intercepts environment variables such as GIT_ASKPASS and SSH_AUTH_SOCK, enabling it to capture credentials used by popular development tools like Visual Studio Code, JetBrains IDEs, and the Git CLI. The malware also has process‑injection capabilities, allowing it to inject its code into trusted processes such as ssh‑agent, ssh, and gpg‑agent to conceal its activity.
The campaign’s ultimate goal appears to be a classic supply‑chain compromise: by stealing the development credentials that grant write access to source repositories and package registries, the threat actors can inject malicious code into legitimate software builds. In one observed case, QLNX accessed the private GitHub repository of an open‑source networking library and attempted to modify a CI/CD pipeline script to include a backdoored DLL. The attackers then leveraged the compromised signing keys to distribute the tainted artifact through the project’s official package manager, potentially affecting thousands of downstream users.
SentinelLabs has linked the QLNX infrastructure to an advanced persistent threat (APT) group previously associated with supply‑chain attacks, although they have not publicly attributed the campaign to a specific nation‑state. To defend against this threat, organizations should enforce hardware‑backed multi‑factor authentication for all developer accounts, rotate any credentials that may have been exposed, and deploy endpoint detection rules that flag the presence of the 'qservice' systemd unit or unusual SSH agent socket modifications. Additionally, monitoring for outbound connections to the identified C2 domains and implementing network segmentation for development environments can help mitigate the risk of credential theft and subsequent supply‑chain infiltration.
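The following host-audit script is an added example, not tooling from the SentinelLabs report or from any project mentioned above. It turns the persistence and credential-theft indicators described in the analysis (the 'qservice' systemd unit, the /etc/rc.local entry, and SSH_AUTH_SOCK tampering) into checks a defender can run on a Linux host or against a copied directory tree. It assumes the unit file is named qservice.service, that rc.local lives at /etc/rc.local, and that legitimate agent sockets sit in the default locations listed in auth_sock_path_expected; the scratch-directory ExecStart check goes beyond the report and is a general heuristic for disguised units, not something the report states about QLNX.

```shell
#!/bin/sh
# Added audit script (not from the SentinelLabs report). ROOT ("$1", default
# empty) is a staging prefix so the checks can run against a copied or test
# directory tree instead of the live filesystem.

# Report a systemd unit named qservice (assumed file name) in the standard unit
# directories. Returns 0 if found, 1 otherwise.
find_qservice_unit() {
  root="${1:-}"
  for d in "$root/etc/systemd/system" "$root/usr/lib/systemd/system" "$root/lib/systemd/system"; do
    if [ -e "$d/qservice.service" ]; then
      echo "INDICATOR: systemd unit $d/qservice.service"
      return 0
    fi
  done
  return 1
}

# Heuristic (assumption, not from the report): flag any unit whose ExecStart
# launches a program from a world-writable scratch directory. Returns 0 if any.
flag_scratch_exec_units() {
  root="${1:-}"
  found=1
  for f in "$root"/etc/systemd/system/*.service "$root"/usr/lib/systemd/system/*.service; do
    [ -f "$f" ] || continue
    if grep -Eq '^ExecStart=(/tmp|/var/tmp|/dev/shm)/' "$f"; then
      echo "REVIEW: $f starts a program from a scratch directory"
      found=0
    fi
  done
  return $found
}

# Print every rc.local line that is not blank, a comment, a shebang or the
# trailing 'exit 0'. Each such line runs as root at boot. Returns 0 if any.
rc_local_entries() {
  root="${1:-}"
  f="$root/etc/rc.local"
  [ -f "$f" ] || return 1
  found=1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|'exit 0'|'exit') continue ;;
    esac
    echo "REVIEW: rc.local runs: $line"
    found=0
  done < "$f"
  return $found
}

# Default agent socket locations (OpenSSH ssh-agent, gnome-keyring, gpg-agent,
# systemd user ssh-agent). Adjust for your fleet. Returns 0 if expected.
auth_sock_path_expected() {
  case "$1" in
    /tmp/ssh-*/agent.*) return 0 ;;
    /run/user/*/keyring/ssh) return 0 ;;
    /run/user/*/gnupg/S.gpg-agent.ssh) return 0 ;;
    /run/user/*/openssh_agent) return 0 ;;
    *) return 1 ;;
  esac
}

# Flag an SSH_AUTH_SOCK that is not a socket (a planted file or FIFO) or that
# lives outside the expected directories. Returns 0 if suspicious, 1 if normal.
check_auth_sock() {
  sock="$1"
  [ -n "$sock" ] || return 1
  if ! [ -S "$sock" ]; then
    echo "INDICATOR: SSH_AUTH_SOCK=$sock is not a socket"
    return 0
  fi
  if ! auth_sock_path_expected "$sock"; then
    echo "INDICATOR: SSH_AUTH_SOCK=$sock is outside the expected agent locations"
    return 0
  fi
  return 1
}

# Run every check; the return value is the number of checks that fired (0 = clean).
# $2 overrides the SSH_AUTH_SOCK value to examine (used for staged runs).
audit_host() {
  root="${1:-}"
  sock="${2-${SSH_AUTH_SOCK:-}}"
  hits=0
  find_qservice_unit "$root" && hits=$((hits + 1))
  flag_scratch_exec_units "$root" && hits=$((hits + 1))
  rc_local_entries "$root" && hits=$((hits + 1))
  check_auth_sock "$sock" && hits=$((hits + 1))
  echo "checks fired: $hits"
  return $hits
}

# Run directly with QLNX_AUDIT_MAIN=1 to audit the live host (ROOT empty).
if [ "${QLNX_AUDIT_MAIN:-0}" = 1 ]; then
  audit_host "${1:-}"
fi
```

Run it as `QLNX_AUDIT_MAIN=1 sh qlnx_audit.sh` on a host, or source it and call `audit_host /mnt/image` against a mounted disk image; a non-zero exit count is a prompt to rotate the credentials the report lists (SSH keys, Git tokens, cloud API keys) and to pull the flagged unit and rc.local lines for analysis.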