Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that’s specifically designed for long-term, stealthy access to Linux-based cloud environments
According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular plugins that enable its operators to augment or change its capabilities over time, as well as pivot when objectives change. It was first discovered in December 2025.
“The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods,” the cybersecurity company said in an analysis published today. “VoidLink’s architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike’s Beacon Object Files (BOF) approach. This API is used in more than 30+ plug-in modules available by default.”
The findings reflect a shift in threat actors’ focus from Windows to Linux systems that have emerged as the bedrock of cloud services and critical operations. Actively maintained and evolving, VoidLink is assessed to be the handiwork of China-affiliated threat actors.
A cloud-first implant written in the Zig programming language, the toolkit can detect major cloud environments, viz. Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Alibaba, and Tencent, and adapt its behavior if it recognizes that it’s running within a Docker container or a Kubernetes pod. It can also gather credentials associated with cloud environments and popular source code version control systems such as Git.
The targeting of these services is an indication that VoidLink is likely engineered to target software developers, either with an intent to steal sensitive data or leverage the access to conduct supply chain attacks.
Some of its other capabilities are listed below –
- Rootkit-like features using LD_PRELOAD, loadable kernel module (LKM), and eBPF to hide its processes based on the Linux kernel version
- An in-memory plugin system for extending functionality
- Support for varied command-and-control (C2) channels, such as HTTP/HTTPS, WebSocket, ICMP, and DNS tunneling
- Form a peer-to-peer (P2P) or mesh-style network between compromised hosts
A Chinese web-based dashboard that allows the attackers to remotely control the implant, create bespoke versions on the fly, manage files, tasks, and plugins, and carry out different stages of the attack cycle right from reconnaissance and persistence to lateral movement and defense evasion by wiping traces of malicious activity.
