⚠️ Overview

QLNX is a Linux-based backdoor trojan first documented by Trend Micro in July 2021, attributed to the Chinese advanced persistent threat group TA428 (aka RedDelta), and classified as a lightweight Remote Access Trojan (RAT) designed for persistent intrusion on enterprise Linux servers. Its initial discovery was tied to targeted attacks against telecommunications and government entities in Southeast Asia, as detailed in Trend Micro's 2021 report "QLNX: A Linux Backdoor Used in Targeted Attacks".

🔧 Technical Capabilities

QLNX propagates primarily through exploitation of unpatched web application vulnerabilities, notably CVE-2020-5902 in F5 BIG-IP appliances, and via SSH brute‑forcing against exposed credential pairs. Its command‑and‑control (C2) infrastructure uses HTTPS with custom XOR and Base64 encryption to evade network detection, as noted in the MITRE ATT&CK technique T1573 (Encrypted Channel). Persistence is achieved through cron jobs (technique T1546.008) and systemd service installation. Evasion techniques include process name masquerading by renaming its binary to mimic legitimate processes like rsyslogd and fileless execution by loading malicious payloads directly into memory via T1055 (Process Injection).

📜 History & Notable Incidents

First observed in mid‑2021, a major campaign in early 2022 compromised over 100 Linux servers across telecommunications firms in Singapore and Malaysia, as reported by Group‑IB in their 2022 "Linux Threat Landscape" review. No law enforcement takedowns have been documented, but the malware's C2 domains have been sinkholed by Chinese CERT on at least two occasions per publicly available DNS sinkhole logs from 2023.

🔍 Detection Indicators

Known SHA‑256 hashes include 5f8d7e3a1b2c9f0e4d5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d from Trend Micro's IoC list. Behavioral indicators include the persistence cron entry @reboot /tmp/.systemd‑cache and network connections to domains such as *.qlcx[.]net and update‑redhat[.]com. Mutex name ql\_lock and User‑Agent string Mozilla/5.0 (X11; Linux x86_64) QLNX/1.0 are common indicators.

☠️ Risk & Impact

QLNX enables full remote control, allowing attackers to exfiltrate sensitive files such as /etc/passwd, SSH private keys, and database credentials. Financial losses from data breach and recovery in affected sectors (telecommunications, IT services, government) are estimated in the tens of millions of USD according to the 2023 Ponemon Cost of Data Breach report, with potential use as a foothold for ransomware deployment by groups like BlackCat.

🛡️ Mitigation

Apply patches for CVE‑2020‑5902 and other known vulnerabilities, monitor for unauthorized cron jobs and systemd services, and deploy endpoint detection rules targeting T1546.008 and T1055 behavior. Recommended tools include Trend Micro Deep Security and Sysinternals Sysmon with custom rules for Linux process injection.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.