VoidLink: A Cloud-Native Linux Malware Framework Targets Cloud and Containers

Check Point Research details VoidLink, a modular, cloud-first Linux malware framework built for long-term access in cloud and container environments. Written in Zig, it uses a two-stage loader, an in-memory plugin system that ships with 37 default plugins, a web-based C2 dashboard, and adaptive stealth that tailors its behavior once it has identified the cloud provider (AWS, GCP, Azure, Alibaba or Tencent). Command-and-control runs over HTTP/HTTPS, DNS or ICMP, with a peer-to-peer mesh mode described as a possibility; rootkit components (LD_PRELOAD, eBPF or LKM) are chosen according to the kernel version, alongside anti-analysis and self-deletion measures and a plugin ecosystem covering the usual post-exploitation tasks. The framework appears to be under active, probably commercial, development, and Check Point stresses the need to harden Linux, cloud and container environments, although as of publication no real-world infections had been observed.
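The LD_PRELOAD rootkit variant mentioned above is the one a defender can triage with nothing but the filesystem and /proc. The script below is an added, defender-side example written for this summary; it is not Check Point's code and contains nothing from VoidLink itself. It parses the two places an LD_PRELOAD hook is normally planted, the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable of running processes, and flags entries that are not on a vetted allowlist or that live in odd locations. The allowlist, the library names and the sample /proc data are all constructed for the example.

```python
"""Triage check for LD_PRELOAD-style userland hooks on a Linux host.

Added illustration for this summary; not code from Check Point Research and
not part of VoidLink. The allowlist and all sample data are constructed.
"""
import os
import re

# Constructed allowlist: preload entries an operator has vetted on this host.
KNOWN_GOOD_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}

# Directories where a legitimately preloaded library almost never lives.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample inputs, used for the offline demonstration below.
SAMPLE_PRELOAD = (
    "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2\n"
    "# vetted entry above, two planted ones below\n"
    "/dev/shm/.cache/libsys.so\n"
    "/usr/local/lib/.libhook.so\n"
)
SAMPLE_ENVIRONS = {
    4242: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/libx.so libc.so.6\x00HOME=/root\x00",
    1: b"PATH=/usr/sbin\x00",
}


def parse_preload_list(text):
    """Split a preload list into library paths.

    '#' starts a comment. Splitting on whitespace and ':' covers both the
    /etc/ld.so.preload file format and the LD_PRELOAD variable format.
    """
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        paths.extend(p for p in re.split(r"[\s:]+", line) if p)
    return paths


def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE) into a dict."""
    env = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def classify(path, known_good=KNOWN_GOOD_PRELOADS):
    """Return a reason string if a preload entry looks suspicious, else None."""
    if path in known_good:
        return None
    if not path.startswith("/"):
        return "relative path (resolved via library search path)"
    if path.startswith(SUSPECT_DIRS):
        return "library in a world-writable directory"
    if os.path.basename(path).startswith("."):
        return "hidden file name"
    return "not on the vetted allowlist"


def triage(preload_file_text, environs, known_good=KNOWN_GOOD_PRELOADS):
    """Return (where, path, reason) tuples for every suspicious preload entry.

    preload_file_text: contents of /etc/ld.so.preload ('' if absent).
    environs: mapping of pid -> raw /proc/<pid>/environ bytes.
    """
    findings = []
    for path in parse_preload_list(preload_file_text):
        reason = classify(path, known_good)
        if reason:
            findings.append(("/etc/ld.so.preload", path, reason))
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD", "")
        for path in parse_preload_list(value):
            reason = classify(path, known_good)
            if reason:
                findings.append((f"pid {pid} LD_PRELOAD", path, reason))
    return findings


def collect_live(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Gather the same inputs from the running host (root reads every environ)."""
    try:
        with open(preload_file) as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    environs = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            try:
                with open(os.path.join(proc_root, name, "environ"), "rb") as f:
                    environs[int(name)] = f.read()
            except OSError:  # process exited, or not ours to read
                pass
    return preload_text, environs


if __name__ == "__main__":
    # Offline demo on the constructed sample, then the live host.
    for hit in triage(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print("[sample]", *hit)
    for hit in triage(*collect_live()):
        print("[live]", *hit)
```

The sample run reports the two planted file entries and both LD_PRELOAD paths of pid 4242. Run as root to read every process environment; an unreadable environ is skipped silently, which itself is a gap to close with a privileged run. The eBPF and LKM variants need different evidence (loaded BPF programs, and modules present in memory but missing from /sys/module or the module tree), so a clean result here says nothing about those.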
- VoidLink: The Cloud-Native Malware Framework (Check Point Software)
- Never-before-seen Linux malware is “far more advanced than typical” (Ars Technica)
- New Advanced Linux VoidLink Malware Targets Cloud and Container Environments (The Hacker News)
- New VoidLink Cloud-Native Malware Attacking Linux Systems with Self-deletion Capabilities (Cyber Security News)
- Analysis of VoidLink: A Cloud-Native Malware Threat Targeting Linux Systems (gbhackers.com)