trend-micro - TrustStrike Labs

threat

2026-05-05

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.

quasar-linux qlnx trend-micro linux-rat developer-targeting supply-chain-precursor ebpf rootkit pam-backdoor npm pypi github aws docker kubernetes fileless

Check: Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you didn't put there, /tmp/.X*-lock files outside legitimate X server use, and gcc invocations on hosts that don't normally compile code.
Affected: Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix: Deploy Linux EDR with eBPF visibility on every developer machine and CI runner - QLNX hides from userland tools but eBPF-aware sensors detect the kernel-level rootkit. Restrict /etc/ld.so.preload modifications via auditd alerts. For high-risk developers: use ephemeral build environments (containers, VMs) that don't carry persistent credentials. Trend Micro published IoCs.

threat

2026-05-01

China-linked spy group has been quietly breaking into government Exchange servers across Asia and one NATO country since 2024

Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia plus one NATO European country since at least December 2024. The group breaks in by exploiting unpatched Microsoft Exchange and IIS servers (using known flaws like ProxyLogon), drops a Godzilla web shell for persistent access, then uses DLL sideloading to load ShadowPad - a long-running Chinese implant. The targeting overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.

shadow-earth-053 china-apt trend-micro exchange iis proxylogon godzilla shadowpad dll-sideloading nato transnational-repression journalists

Check: If you run Microsoft Exchange or IIS, confirm every server is patched against ProxyLogon and recent Exchange CVEs - the entry point is unpatched 2-3 year old flaws, not zero-days.
Affected: Government and defense organizations in South, East, and Southeast Asia and the NATO European country are the named targets. Any organization running internet-facing Microsoft Exchange or IIS that has fallen behind on patching is at risk. Diaspora communities and journalists working on China-related stories are at acute risk - the campaign extends transnational repression alongside conventional espionage.
Fix: Patch Microsoft Exchange and IIS to current versions and confirm with active scanning. Hunt for Godzilla web shell artifacts: unusual .aspx files in Exchange's web directories, suspicious POSTs with encrypted payloads, and outbound HTTPS to unfamiliar domains from Exchange/IIS processes. For journalists and activists working on China topics, follow Citizen Lab guidance: hardware MFA, encrypted communications, skepticism of unsolicited story tips.