Security Affairs published analysis on May 9, 2026 of QLNX — a fileless Linux implant that combines an eBPF kernel rootkit with a PAM authentication backdoor — finding the malware evaded detection by all but four antivirus engines on VirusTotal, while systematically harvesting developer supply chain credentials from infected Linux CI/CD hosts.
How QLNX’s eBPF Rootkit and LD_PRELOAD Hooks Bypass Standard Linux Detection
QLNX operates entirely in memory, writing no files to disk during execution. Its evasion architecture runs on two layers. The outer layer uses LD_PRELOAD hooks to intercept standard system library calls before they reach the operating system — redirecting calls that tools like ps and netstat rely on to enumerate processes and network connections. The inner layer is a custom eBPF (extended Berkeley Packet Filter) rootkit that operates directly at the Linux kernel level, hiding the implant’s processes and network activity from the kernel data structures that standard intrusion detection systems and EDR tools query. The combination means that neither user-space security tools nor the operating system’s own reporting mechanisms accurately reflect the implant’s presence.
Detection at time of publication was limited to four solutions out of the full VirusTotal scanner set — a detection rate that reflects the effectiveness of eBPF-level concealment against signature-based and behavioral detection methods.
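A defender's cross-view check for the user-space process hiding described above, added here as a constructed example and not code from the Security Affairs analysis or from QLNX: it enumerates the process table three ways, flags PIDs that one view reports and another omits, and scans the two places an LD_PRELOAD hook is configured. The /proc paths and the `ps -eo pid=` invocation are standard Linux; the function names and sample inputs are assumptions.

```python
"""Cross-view process audit: constructed defensive example, not QLNX code.
A hook that filters readdir()/getdents64() results hides a PID from `ls /proc`
and from `ps`, but a direct stat("/proc/<pid>") still succeeds; the mismatch
between the views is the detection signal."""
import os
import subprocess

def pids_from_listing(proc="/proc"):
    """View 1: PIDs returned by the directory listing (readdir path)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def pids_from_probe(pid_max, exists=os.path.exists, proc="/proc"):
    """View 2: PIDs found by probing /proc/<pid> one path at a time."""
    return {pid for pid in range(1, pid_max + 1) if exists(f"{proc}/{pid}")}

def pids_from_ps(output):
    """View 3: PIDs parsed from the stdout text of `ps -eo pid=`."""
    return {int(tok) for tok in output.split() if tok.isdigit()}

def cross_view_diff(listing, probe, ps):
    """Return {pid: [views it is missing from]}. Processes that exit between
    snapshots show up too, so act only on PIDs missing on repeated runs."""
    views = {"listing": listing, "probe": probe, "ps": ps}
    report = {}
    for pid in sorted(listing | probe | ps):
        missing = [name for name, view in views.items() if pid not in view]
        if missing:
            report[pid] = missing
    return report

def preload_indicators(ld_so_preload_text, environ_blob):
    """Flag the user-space hook carriers: objects listed in /etc/ld.so.preload
    and an LD_PRELOAD variable in a NUL-separated /proc/<pid>/environ blob."""
    found = []
    for line in ld_so_preload_text.splitlines():
        for obj in line.split("#", 1)[0].split():  # '#' starts a comment
            found.append(("ld.so.preload", obj))
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            found.append(("LD_PRELOAD", entry[11:].decode(errors="replace")))
    return found

def audit_live_host():
    """Take all three views on this Linux host (run as root for full coverage)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True)
    return cross_view_diff(pids_from_listing(), pids_from_probe(pid_max),
                           pids_from_ps(ps.stdout))
```

Call audit_live_host() on a Linux host; a hook that also filters stat() defeats the per-PID probe, so repeat the audit from a statically linked tool or a trusted boot medium when in doubt. Kernel-side eBPF programs are not visible to any of these views and are inventoried separately with `bpftool prog list`.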
QLNX’s PAM Backdoor Captures SSH, sudo, and System Authentication Credentials
Beyond evading detection, QLNX deploys a backdoor into the system’s Pluggable Authentication Module (PAM) layer — the component that handles authentication across SSH logins, sudo invocations, screen unlock operations, and other authenticated system events. The PAM backdoor intercepts credentials at the moment they are presented for verification, before any cryptographic handling occurs, capturing them in plaintext. This access path reaches credentials that conventional malware cannot obtain: SSH protects the authentication exchange in transit, but PAM interception captures the password at the point of entry, after the transport layer has already decrypted it, so the transport encryption offers no protection against it.
QLNX also implements seven distinct persistence mechanisms across the infected host, ensuring the implant survives reboots, process restarts, and partial remediation attempts that remove some persistence artifacts but miss others.
QLNX’s 58-Command Framework Targets the Developer Supply Chain Credential Set
The implant’s command framework, encompassing 58 discrete operations, is built specifically around the credentials that give access to software supply chains and cloud infrastructure rather than the personal or financial data targeted by conventional infostealers. QLNX specifically exfiltrates npm authentication tokens, PyPI API keys, AWS credential files, Kubernetes kubeconfig files, Docker registry credentials, and GitHub personal access tokens. This credential profile is sufficient to publish malicious packages to npm or PyPI, push backdoored commits to GitHub repositories, and access cloud infrastructure through AWS — the complete set of keys required to compromise an organization’s software release pipeline or cloud environment from a single developer workstation infection.
An embedded hardcoded master password (O$f$QtYJK) in the binary allows any operator with knowledge of it to authenticate directly to any infected host without going through the malware’s normal command-and-control procedures. Security researchers identified this as an unusual operational security artifact, suggesting QLNX may be a shared tool distributed among multiple operators or a custom implant maintained by a criminal organization with internal credential-sharing.
QLNX Peer-to-Peer C2 Architecture Eliminates Single Points of Disruption
QLNX’s command-and-control infrastructure operates as a peer-to-peer mesh rather than relying on centralized command servers. Each infected host can relay commands to and from other nodes in the network, which means law enforcement or defender actions that take down individual C2 servers do not disrupt operator communications with the broader infected population. This design mirrors C2 resilience strategies previously observed in nation-state toolkits and represents an advancement over the domain-based C2 infrastructure common in earlier generations of Linux malware targeting developer environments.
Organizations running Linux CI/CD pipelines should treat QLNX’s low AV detection rate, kernel-level concealment, and supply chain credential targeting as evidence of an active threat to their software release infrastructure, not a theoretical risk requiring future investigation.
