{"id":16181,"date":"2026-05-06T11:42:15","date_gmt":"2026-05-06T11:42:15","guid":{"rendered":"https:\/\/newestek.com\/?p=16181"},"modified":"2026-05-06T11:42:15","modified_gmt":"2026-05-06T11:42:15","slug":"new-malware-turns-linux-systems-into-p2p-attack-networks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16181","title":{"rendered":"New malware turns Linux systems into P2P attack networks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Attackers have found a new way to turn compromised Linux systems into stealthy, takedown-resistant footholds in the software supply chain.<\/p>\n<p>Researchers from Trend Micro have disclosed a new malware framework, dubbed Quasar Linux or QLNX, describing it as a modular Linux remote access trojan (RAT). What sets the campaign apart is a peer-to-peer (P2P) mesh capability that links individual implants into an interconnected infection network, making the infrastructure difficult to take down.<\/p>\n<p>QLNX also combines a user-space (LD_PRELOAD) rootkit, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while preserving attacker access.<\/p>\n<p>\u201cQuasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features,\u201d the researchers said in a blog <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cThe malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.\u201d<\/p>\n<p>Defenders can watch for the threat by deploying detections for the indicators of compromise (IOCs) Trend Micro shared; the company says those IOCs are already applied to the protections of Trend Vision One customers.<\/p>\n<h2 class=\"wp-block-heading\">P2P networking and layered C2 infrastructure<\/h2>\n<p>The disclosure describes a resilient command-and-control (<a href=\"https:\/\/www.csoonline.com\/article\/3826808\/russian-malware-discovered-with-telegram-hacks-for-c2-operations.html\">C2<\/a>) design meant to withstand takedowns and disruption. Researchers said QLNX supports peer-to-peer (P2P) mesh networking, allowing compromised systems to communicate with one another rather than relying entirely on centralized servers.<\/p>\n<p>This turns infected Linux systems into interconnected relay points that keep communicating even when parts of the infrastructure are disrupted, which further complicates complete eradication.<\/p>\n<p>The C2 protocol exposes a broad command set. \u201cIn total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunneling, credential harvesting, and rootkit management,\u201d the researchers said, detailing a complete list of registered commands and their corresponding handlers.<\/p>\n<p>For network communication, QLNX supports raw <a href=\"https:\/\/www.csoonline.com\/article\/574303\/tcp-floods-are-again-the-leading-ddos-attack-vector.html\">TCP<\/a>, HTTPS, and HTTP. \u201cAll three transports carry the same underlying binary command protocol,\u201d Trend Micro wrote. 
\u201cBoth the TCP and HTTPS channels are secured using TLS, ensuring that command and data exchanges are encrypted during network communication.\u201d By implication, the plain HTTP transport carries the same binary protocol in the clear, which gives network monitoring one unencrypted view of the command traffic.<\/p>\n<h2 class=\"wp-block-heading\">Persistence through rootkits and PAM backdoors<\/h2>\n<p>The researchers also wrote of QLNX\u2019s use of rootkits and Linux Pluggable Authentication Modules (PAM) to establish long-term persistence. According to Trend Micro, the malware uses rootkit functionality to conceal malicious activity, processes, and components from administrative tools and security monitoring systems. Because that rootkit is an LD_PRELOAD library rather than a kernel module, it can only deceive dynamically linked programs that pass through the hooked libc calls; a statically linked tool, or one run from a trusted binary that reads \/proc directly, is not subject to the hooks. The usual places such a rootkit is installed from, a non-empty \/etc\/ld.so.preload or an LD_PRELOAD variable in a process environment, are themselves artifacts worth checking.<\/p>\n<p>The malware was also observed tampering with PAM, the core Linux authentication framework that handles login verification for many services. By modifying PAM components, attackers can capture credentials, maintain access, or bypass authentication controls even after passwords are changed, because a backdoored module can accept an attacker-chosen credential independently of the real password database (Trend Micro\u2019s IOC list includes hardcoded passwords).<\/p>\n<p>Trend Micro warned that these techniques make eradication significantly harder, because they preserve access even after the visible malware artifacts have been wiped.<\/p>\n<h2 class=\"wp-block-heading\">Modular QLNX hides through spoofed processes<\/h2>\n<p>Trend Micro\u2019s analysis describes QLNX as a modular Linux malware framework engineered for stealth. It uses a layered internal design that lets operators load capabilities on demand, maintain persistence, and execute commands without raising alarms.<\/p>\n<p>One particular feature highlighted by the researchers was the malware\u2019s process spoofing behavior. 
It hides its processes under names that mimic legitimate kernel threads so they blend into routine process listings.<\/p>\n<p>\u201cThe malware attempts to evade detection by randomly selecting one of the fake kernel thread names,\u201d the researchers said, adding that the names mimic legitimate kernel threads such as \u201cKernel worker thread\u201d, \u201cCPU migration thread\u201d, and \u201cRCU scheduling thread,\u201d among others. Once a name is selected, \u201cQLNX applies the name consistently across three process metadata locations to ensure consistency across all process inspection tools,\u201d they added. A consistent fake name defeats tools that trust the name alone, but a genuine kernel thread has properties a user-space process cannot forge: its parent is kthreadd (PID 2), its \/proc\/PID\/cmdline is empty, and its \/proc\/PID\/exe link has no target.<\/p>\n<p>The malware also follows the ongoing <a href=\"https:\/\/www.csoonline.com\/article\/643356\/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html\">trend<\/a> of fileless execution. \u201cUpon execution, QLNX copies itself into an in-memory file, re-executes from that memory copy, and deletes the original binary from disk, leaving no on-disk footprint,\u201d the disclosure added. The in-memory copy is not invisible, however: a process that re-executes from a memory-backed file carries that fact in its \/proc\/PID\/exe link, which on Linux then points at a memfd-style path marked as deleted rather than at a file on disk.<\/p>\n<p>Trend Micro added a list of IOCs, including file hashes, hardcoded passwords, credential harvest targets, and other compilation and persistence artifacts, to support detection efforts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Attackers have found a new way to turn Linux systems into stealthy supply chain distribution hubs that are resistant to takedowns. Researchers from Trend Micro have disclosed a new malware framework, dubbed Quasar Linux or QLNX, describing it as a modular Linux remote access trojan (RAT). 
But what sets the campaign apart is the malware using a P2P mesh capability that turns individual implants into&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16181\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16181","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16181"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16181\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
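Worked example, added by the editor and not part of the original article or of Trend Micro's research: a Python host-triage script that applies the checks discussed in the "Persistence through rootkits and PAM backdoors" section (PAM rules and LD_PRELOAD artifacts) and in the "Modular QLNX hides through spoofed processes" section (fake kernel-thread names and in-memory executables). All sample data is constructed for the demonstration and is not a QLNX indicator: the pam.d lines, the ld.so.preload entry, the /proc snapshot, and the module names pam_unverified.so and libunverified.so. The PAM module allowlist is an assumption standing in for the inventory a package manager can verify; the memfd path convention for /proc/PID/exe is general Linux behaviour, not something the article states about QLNX.

```python
import os

KTHREADD_PID = 2
# comm prefixes of genuine kernel threads; the article says QLNX borrows kernel worker, CPU migration and RCU names
KTHREAD_PREFIXES = ("kworker/", "migration/", "rcu_", "ksoftirqd/", "kthreadd", "kswapd", "cpuhp/")
# Assumption: stand-in for the PAM module inventory the package manager can verify (dpkg -V / rpm -V on PAM packages)
KNOWN_PAM_MODULES = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
                     "pam_systemd.so", "pam_limits.so", "pam_loginuid.so"}

def parse_pam_line(line):
    """Return {type, control, module, args} for one pam.d rule, None for comments/includes/blank lines."""
    s = line.strip()
    if not s or s.startswith("#") or s.startswith("@include"):
        return None
    if s.startswith("-"):  # a leading '-' only silences logging when the module is missing
        s = s[1:].strip()
    parts = s.split()
    if len(parts) < 3:
        return None
    if parts[1].startswith("["):  # bracketed control values such as [success=1 default=ignore] contain spaces
        end = next((i for i, p in enumerate(parts) if p.endswith("]")), len(parts) - 1)
        control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
    else:
        control, rest = parts[1], parts[2:]
    if not rest:
        return None
    return {"type": parts[0], "control": control, "module": rest[0], "args": rest[1:]}

def audit_pam(lines, known=KNOWN_PAM_MODULES):
    """Flag rules whose module is outside the inventory, loaded by explicit path, or able to satisfy auth alone."""
    findings = []
    for n, line in enumerate(lines, 1):
        rule = parse_pam_line(line)
        if rule is None or os.path.basename(rule["module"]) in known:
            continue
        findings.append((n, "module not in verified inventory: " + rule["module"]))
        if "/" in rule["module"]:
            findings.append((n, "module loaded by explicit path: " + rule["module"]))
        if rule["type"] == "auth" and rule["control"] == "sufficient":
            findings.append((n, "unverified module alone can satisfy auth"))
    return findings

def audit_ld_preload(lines):
    # every non-comment entry is forced into all dynamically linked processes; a clean host normally has none
    return [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]

def triage_procs(procs):
    """procs: {pid: {comm, ppid, cmdline, exe, preload}}; exe is the /proc/PID/exe target or None if unreadable."""
    findings = []
    for pid in sorted(procs):
        p = procs[pid]
        if p["comm"].startswith(KTHREAD_PREFIXES) and pid != KTHREADD_PID:
            # real kernel threads: parent kthreadd, empty cmdline, no exe target; an impostor fails at least one
            if p["ppid"] != KTHREADD_PID or p["cmdline"] or p["exe"] is not None:
                findings.append((pid, "kernel-thread name on user-space process: " + p["comm"]))
        if p["exe"] is not None and (p["exe"].startswith("/memfd:") or p["exe"].endswith("(deleted)")):
            findings.append((pid, "executable is in-memory or unlinked: " + p["exe"]))
        if p["preload"]:
            findings.append((pid, "LD_PRELOAD in environment: " + p["preload"]))
    return findings

def snapshot_procs():
    """Live /proc reader for triage_procs (run as root so other users' exe links and environ are readable)."""
    procs = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = "/proc/" + name
        try:
            comm = open(base + "/comm").read().strip()
            status = open(base + "/status").read().splitlines()
            ppid = int(next(l for l in status if l.startswith("PPid:")).split()[1])
            cmdline = open(base + "/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace").strip()
            environ = open(base + "/environ", "rb").read().split(b"\0") if os.access(base + "/environ", os.R_OK) else []
        except OSError:
            continue  # the process exited while it was being read
        try:
            exe = os.readlink(base + "/exe")  # ENOENT for kernel threads, EACCES without privilege
        except OSError:
            exe = None
        preload = [v[11:].decode(errors="replace") for v in environ if v.startswith(b"LD_PRELOAD=")]
        procs[int(name)] = {"comm": comm, "ppid": ppid, "cmdline": cmdline, "exe": exe,
                            "preload": preload[0] if preload else None}
    return procs

# Constructed samples (not real QLNX artifacts): an injected PAM rule, a preload entry, and a /proc snapshot
# with a renamed memfd-backed process (4321) and its LD_PRELOAD-ed child (4400).
SAMPLE_PAM = ["# /etc/pam.d/common-auth (constructed)",
              "auth  [success=1 default=ignore]  pam_unix.so nullok",
              "auth  requisite                   pam_deny.so",
              "auth  required                    pam_permit.so",
              "auth  sufficient                  /usr/lib/pam_unverified.so"]
SAMPLE_LD_SO_PRELOAD = ["# constructed", "/usr/local/lib/libunverified.so"]
SAMPLE_PROCS = {
    2: {"comm": "kthreadd", "ppid": 0, "cmdline": "", "exe": None, "preload": None},
    15: {"comm": "migration/0", "ppid": 2, "cmdline": "", "exe": None, "preload": None},
    4321: {"comm": "kworker/u8:1", "ppid": 1, "cmdline": "kworker/u8:1", "exe": "/memfd:x (deleted)", "preload": None},
    4400: {"comm": "bash", "ppid": 4321, "cmdline": "/bin/bash", "exe": "/usr/bin/bash", "preload": "/usr/local/lib/libunverified.so"},
}

if __name__ == "__main__":
    print("sample:", audit_pam(SAMPLE_PAM), audit_ld_preload(SAMPLE_LD_SO_PRELOAD), triage_procs(SAMPLE_PROCS))
    if os.path.isdir("/proc"):  # live host; feed /etc/pam.d/* and /etc/ld.so.preload to the audit functions the same way
        print("live:", triage_procs(snapshot_procs()))
```

On a live host, point audit_pam at every file under /etc/pam.d and audit_ld_preload at /etc/ld.so.preload with the same calls, and run as root so the exe link and environ of other users' processes are readable. Because an LD_PRELOAD rootkit hooks libc inside dynamically linked programs, and the Python interpreter is one, run the script from a trusted or statically linked interpreter, or against a mounted forensic image, when the host itself is suspect; the process-level checks also only detect the renamed process, so a clean result does not clear a host that the IOC list implicates.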