
Cybersecurity researchers have uncovered a sophisticated Linux-based remote access trojan (RAT) known as Quasar Linux, or QLNX, that is actively targeting software developers and engineering environments. The malware is designed to steal credentials, maintain persistent remote access, and potentially facilitate larger supply chain attacks.
According to researchers, the malware demonstrates advanced persistence and evasion capabilities, allowing attackers to quietly maintain long-term access within compromised systems. Once installed, the RAT enables remote command execution, surveillance, credential theft, and exfiltration of sensitive development data, with developer environments as a primary target.
The campaign appears closely linked to broader supply chain attack activity involving trojanized software installers and compromised developer ecosystems. Researchers recently connected related operations to malicious versions of Daemon Tools, where attackers injected backdoors into legitimate software distributed through official channels.
In the Daemon Tools campaign, attackers reportedly compromised signed binaries and used them to distribute malware globally across more than 100 countries. While thousands of systems received initial payloads, only a select number of high-value targets—including government, scientific, manufacturing, and retail organizations—received more advanced implants such as QUIC RAT and Quasar Linux components.
Security researchers believe the attackers used staged deployment techniques, first collecting system information at scale before selectively deploying advanced malware only to systems of strategic interest. This targeted approach suggests possible cyberespionage objectives rather than indiscriminate cybercrime.
The malware’s focus on developers is particularly concerning because compromised engineering environments can provide attackers with access to source code, signing keys, CI/CD pipelines, cloud infrastructure credentials, and software distribution channels. Such access can allow threat actors to weaponize trusted software updates and propagate attacks downstream across entire ecosystems.
The discovery highlights the growing sophistication of modern supply chain attacks, in which attackers increasingly target software developers and trusted infrastructure to maximize reach while avoiding detection. Security experts are urging organizations to strengthen code-signing security, monitor developer environments closely, and implement stricter software supply chain protections.




