VoidLink
VoidLink is a Linux-based, cloud-focused malware framework first publicly documented by Check Point Research in January 2026. It is described as a modular command-and-control framework designed for long-term, stealthy access to Linux systems, particularly in cloud and containerized environments. Reported capabilities include modular loaders and implants, more than 30 post-exploitation plugins, cloud and container enumeration, cloud-environment detection, and Kubernetes-aware functionality such as harvesting service account tokens, environment variables, cloud metadata, and probing for privilege escalation opportunities. Multiple sources describe dedicated plugins such as docker_escape_v3 and k8s_privesc_v3, and note targeting of cloud platforms including AWS, GCP, Azure, Alibaba Cloud, and Tencent Cloud.
A defining feature of VoidLink is its stealth and persistence stack. The framework has been reported to use userland rootkits via LD_PRELOAD, Loadable Kernel Modules (LKMs), and eBPF-based rootkits, including hybrid LKM/eBPF approaches. Elastic Security Labs and other reporting describe it as combining traditional LKMs with eBPF to maintain persistence and hide processes, files, modules, ports, and network connections. Sysdig reported adaptive rootkit deployment based on kernel version, including server-side compilation of kernel-specific modules, local control via prctl hooks, and an ICMP covert channel supporting commands such as hiding PIDs, ports, files, and self-destruction. Additional evasion behavior reported includes fileless execution using memfd_create and execveat, masquerading process names such as [kworker/0:0], anti-debugging checks, security-product awareness, traffic shaping, protocol switching, and self-deletion or self-destruct routines.
Operational reporting links VoidLink to a Chinese-speaking or Chinese-developed threat actor based on Simplified Chinese source annotations and Alibaba Cloud-linked infrastructure. Reported infrastructure and indicators include C2 IP 8.149.128.10:8080, API paths such as /stage1.bin, /api/v2/handshake, and /compile, additional infrastructure references to 116.62.172.147, default ICMP magic value 0xC0DE, default ICMP authentication/XOR key 0x42, hidden port 8080 in some deployment scripts, filesystem artifacts under /tmp and /dev/shm, and masquerade names including [kworker/0:0] and migration/0. Some variants reportedly used module names such as vl_stealth and amd_mem_encrypt.
Check Point Research and subsequent coverage characterize VoidLink as a notable early example of operational AI-assisted malware development. According to the reporting, leaked development artifacts indicated a single developer used ByteDance's TRAE SOLO AI-powered IDE and a spec-driven workflow to build the framework, producing more than 88,000 lines of functional code in about a week and reaching a functional implant around December 4, 2025. High-confidence reporting therefore associates VoidLink with AI-assisted development, but the malware's documented significance rests on its concrete capabilities: modular Linux implants, cloud-native post-exploitation, and advanced rootkit-based stealth for persistent access in modern cloud and container environments.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments.
Check Point Research discovered the framework, called VoidLink, which is comprised of cloud-focused capabilities and modules, including custom loaders, implants, rootkits, and modular plug-ins... a rapidly developing Linux command-and-control (C2) framework, tailored towards modern cloud environments with a focus on stealth.
“VoidLink — comprised of various cloud-focused capabilities and modules and designed to maintain long-term persistent access to Linux systems — is the first case of wholly original malware being developed by AI…”
Cisco Talos recently discovered a new threat actor, UAT-9221, leveraging VoidLink in campaigns.
A newly tracked intrusion framework called VoidLink is drawing attention for its modular design and focus on Linux systems. It behaves like an implant management framework, letting operators deploy a core implant and add capabilities as needed...
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
These materials revealed that VoidLink was authored by a single developer using TRAE SOLO, the paid tier of ByteDance’s commercial AI-powered IDE... The AI agent implemented the framework sprint by sprint, with each sprint producing working, testable code.
Execution
3 techniques
Appendix B: Cortex Detections ... T1059.004 - Command and Scripting Interpreter: Unix Shell: Run downloaded script using pipe in a Kubernetes pod
the malware authors embedded a complete Python control script directly in the binary
Persistence
2 techniques
Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework that combines traditional Loadable Kernel Modules with eBPF to maintain persistence.
Privilege Escalation
3 techniques
Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework that combines traditional Loadable Kernel Modules with eBPF to maintain persistence.
Older kernels: Remote compile LKM, load via finit_module.
The docker_escape_v3 plugin probes for escape opportunities, likely including mounted Docker socket (/var/run/docker.sock), privileged container detection (--privileged), sensitive host path mounts
Stealth
14 techniques
It features a modular command-and-control (C2) architecture, eBPF and LKM rootkits, cloud and container enumeration capabilities, and more than 30 post-exploitation plugins.
The C2 address is obfuscated with XOR key 0xAA.
Fork and masquerade as [kworker/0:0] using prctl(PR_SET_NAME).
intercepts getdents64 directory listings to conceal files and processes, and filters /proc/modules and /proc/kallsyms output to erase its own traces.
The cleanup sequence includes ... log wiping (/var/log/auth.log, /var/log/syslog, /var/log/audit/audit.log, and others)
shell history removal (~/.bash_history, ~/.zsh_history, ~/.python_history)
The cleanup sequence includes ... VoidLink artifact cleanup ... and self-deletion via unlink(self_path).
The implant scans for security products through two methods: process enumeration via /proc/<pid>/comm and installation path probes.
VoidLink hides running processes, network connections, and files from administrators while receiving commands through a covert ICMP channel with no visible ports or traffic.
The eBPF component covers a gap the LKM cannot reach: hiding active connections from the ss command.
Using the Linux kernel’s function tracing framework, the LKM component hooks system calls, intercepts getdents64 directory listings to conceal files and processes, and filters /proc/modules and /proc/kallsyms output to erase its own traces.
Sysdig Secure customers already have rules available to detect VoidLink. These include multiple rules that detect the rootkit installation: ... Dynamic Linker Hijacking Detected
Using memfd_create followed by execveat is a well-known combination technique for fileless execution.
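One way to hunt, from the defender's side, for the two userland tricks quoted in this section: the prctl(PR_SET_NAME) masquerade as [kworker/0:0] or migration/0, and memfd_create + execveat fileless execution. This is an added example, not code from any of the cited reports; the heuristics (a kernel-thread-looking comm on a process that has an exe image or is not parented to kthreadd, and an exe link resolving to /memfd:) and the SAMPLE entries are assumptions and constructed data of this example.

```python
import os
import re

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)
# A real kernel thread's comm never has the brackets ps adds for display, so a
# literal "[kworker/0:0]" comm is itself a tell; bare kthread names are also checked.
KTHREAD_LIKE = re.compile(r"^\[.*\]$|^(kworker|migration|ksoftirqd)/")

def suspicious(proc):
    """Reasons a {"pid","ppid","comm","exe"} entry looks like a disguised implant.
    exe is readlink(/proc/<pid>/exe), or "" when it does not resolve (all kernel threads)."""
    reasons = []
    # Kernel-thread name but an executable image or a userland parent: the
    # prctl(PR_SET_NAME) masquerade quoted above.
    if KTHREAD_LIKE.search(proc["comm"]) and (proc["exe"] or proc["ppid"] != KTHREADD_PID):
        reasons.append("kernel-thread name on a userland process")
    # memfd_create + execveat leaves exe pointing at an anonymous, deleted memfd.
    if proc["exe"].startswith("/memfd:"):
        reasons.append("executable image is an anonymous memfd")
    return reasons

def snapshot_proc(root="/proc"):
    """Collect the fields suspicious() needs from a live /proc tree."""
    procs = []
    for name in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, name)
        try:
            with open(os.path.join(base, "status")) as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:  # ENOENT for kernel threads, EACCES for other users' processes
                exe = ""
            procs.append({"pid": int(name), "ppid": int(fields["PPid"]),
                          "comm": fields["Name"].strip(), "exe": exe})
        except (OSError, KeyError):
            continue  # process exited mid-scan or status unreadable
    return procs

def hunt(procs):
    """Map pid -> reasons for every flagged entry in a snapshot."""
    return {p["pid"]: r for p in procs if (r := suspicious(p))}

# Constructed snapshot (not real telemetry): genuine kworker, masquerading implant, memfd child, sshd.
SAMPLE = [
    {"pid": 14, "ppid": 2, "comm": "kworker/0:0", "exe": ""},
    {"pid": 4021, "ppid": 1, "comm": "[kworker/0:0]", "exe": "/tmp/.x"},
    {"pid": 4022, "ppid": 4021, "comm": "migration/0", "exe": "/memfd:stage1 (deleted)"},
    {"pid": 4100, "ppid": 1, "comm": "sshd", "exe": "/usr/sbin/sshd"},
]
```

Run hunt(snapshot_proc()) on a host to check live processes, or hunt(SAMPLE) offline. Because the LKM component hooks getdents64, a PID it hides will not appear in snapshot_proc() at all; this check catches the userland-only tricks, and a disappearing PID that is still visible via kernel-side telemetry is its own signal.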
Credential Access
3 techniques
After gaining access to a Kubernetes pod, one of their first objectives is to identify the pod’s associated identity... By default, pods automatically mount a Service Account Token (SAT) at /var/run/secrets/kubernetes.io/serviceaccount/token.
Leveraging this vulnerability, attackers were able to install backdoors and steal sensitive information, such as cloud credential files and database passwords.
In multiple cases, threat actors collected cloud credentials that were exposed in environment variables and cloud metadata services, using them to pivot beyond Kubernetes into the underlying cloud account.
Discovery
6 techniques
In January 2026, Check Point Research (CPR) exposed VoidLink, a Linux-based malware framework featuring modular command-and-control (C2) architecture, eBPF and LKM rootkits, cloud and container enumeration, and more than 30 post-exploitation plugins.
The implant scans for security products through two methods: process enumeration via /proc/<pid>/comm and installation path probes.
It features a modular command-and-control (C2) architecture, eBPF and LKM rootkits, cloud and container enumeration capabilities, and more than 30 post-exploitation plugins.
The workflow of the attackers’ operations follows a distinct pattern: Enumerating the runtime environment, Extracting service account tokens, Testing API permissions, Pivoting to higher-value workloads or cloud services.
Command and Control
4 techniques
It features a modular command-and-control (C2) architecture, eBPF and LKM rootkits, cloud and container enumeration capabilities, and more than 30 post-exploitation plugins.
Connect to C2 via HTTP to download /stage1.bin.
protocol_switch for hot-switching between HTTP, WebSocket, and Internet Control Message Protocol (ICMP) channels.
Other
1 technique
VoidLink implements an active anti-forensics capability... uses a kernel timer that fires every five seconds and iterates over the entire process list... checking each task's comm field against the tool list... The CentOS 7 variant goes further: It can optionally pause all hiding operations or trigger self-destruction when forensic tools are detected.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
70 sources tracked across advisories, community write-ups, and news.
A ransomware operation discussed as apparently AI-written code, illustrating low-barrier 'vibe-coded' ransomware activity.
A cloud-focused malware framework with dedicated Kubernetes and multi-cloud credential theft capabilities. It targets Kubernetes service account tokens, environment variables, and cloud metadata to pivot across AWS, GCP, and Azure.
A Linux-based malware framework with modular C2, eBPF and LKM rootkits, cloud and container enumeration, and over 30 post-exploitation plugins. It was reportedly built by a single developer using an AI-assisted spec-driven development workflow.
A sophisticated Linux-based malware framework with modular C2, rootkit capabilities, cloud and container enumeration, and extensive post-exploitation plugins. The report emphasizes it as deployment-ready malware produced via AI-assisted, spec-driven development.