Tag

Container Security

All articles tagged with #container security

security · 23 hours ago

VoidLink: A Cloud-Native Linux Malware Framework Targets Cloud and Containers

Check Point Research details VoidLink, a modular, cloud-first Linux malware framework designed for long-term access in cloud and container environments. Written in Zig, it features a two-stage loader, an in-memory plugin system with 37 default plugins, a web-based C2 dashboard, and adaptive stealth that tailors behavior after detecting cloud providers (AWS, GCP, Azure, Alibaba, Tencent). It supports multiple command-and-control channels (HTTP/HTTPS, DNS, ICMP) and even a potential mesh network, plus rootkit capabilities (LD_PRELOAD, eBPF, LKM) depending on kernel version, anti-analysis and self-deletion measures, and a broad plugin ecosystem for post-exploitation tasks. The framework appears to be under active development—likely commercial—raising the need for defenders to harden Linux, cloud, and container environments; as of publication, no real-world infections had been observed.

technology · 2 months ago

Critical runc Flaws Threaten Docker and Kubernetes Container Security

Three critical vulnerabilities in the runC container runtime used by Docker and Kubernetes could allow attackers to escape containers and gain root access to host systems. While no active exploits have been reported, mitigation strategies include enabling user namespaces and using rootless containers. Fixes are available in recent runC versions.