New VoidLink malware framework targets Linux cloud servers

A newly discovered advanced cloud-native Linux malware framework named VoidLink focuses on cloud environments, providing attackers with custom loaders, implants, rootkits, and plugins designed for modern infrastructures.

VoidLink is written in Zig, Go, and C, and its code shows signs of a project under active development, with extensive documentation, and likely intended for commercial purposes.

Malware analysts at cybersecurity company Check Point say that VoidLink can determine if it runs inside Kubernetes or Docker environments and adjust its behavior accordingly.

So far, no active infections have been confirmed, which supports the assumption that the malware was created "either as a product offering or as a framework developed for a customer."

The researchers note that VoidLink appears to be developed and maintained by Chinese-speaking developers, based on the interface locale and optimizations.

[Image: VoidLink builder panel. Source: Check Point]

VoidLink capabilities

VoidLink is a modular post-exploitation framework for Linux systems that enables hackers to control compromised machines while staying hidden, extend functionality with plugins, and adapt behavior to specific cloud and container environments.

Once the implant is activated, it checks whether it is running in Docker or Kubernetes, and queries cloud instance metadata for providers such as AWS, GCP, Azure, Alibaba, and Tencent, with plans to add Huawei, DigitalOcean, and Vultr.
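The two behaviours just described, checking whether the process lives in a Docker or Kubernetes cgroup and reaching out to the cloud instance-metadata service, are also the cheapest place for a defender to look. Below is an added example (not code from the article or from Check Point's analysis) that scans constructed process-connection log lines and flags any process that talks to a metadata endpoint unless it is a known host agent running outside a container. The log line format, the agent allowlist and the cgroup markers are assumptions for the illustration; the endpoint addresses are the providers' documented metadata addresses, with the Tencent address marked as assumed in the code.

```python
"""Flag processes that reach cloud instance-metadata endpoints from inside containers.

Constructed example: the log line format below is invented for this illustration
and is not the output of any real agent. The allowlist of legitimate agents is an
assumption and should be tuned per fleet.
"""
import re
from typing import Dict, List

# Metadata service addresses an implant would query for instance identity and
# credentials. 169.254.169.254 is shared by AWS, GCP and Azure.
METADATA_ENDPOINTS: Dict[str, str] = {
    "169.254.169.254": "aws/gcp/azure",
    "100.100.100.200": "alibaba",
    "169.254.0.23": "tencent",  # assumed: what metadata.tencentyun.com resolves to
}

# Host-level agents expected to talk to the metadata service (assumed list).
ALLOWED_COMM = {"cloud-init", "amazon-ssm-agent", "google_guest_agent", "waagent"}

# Constructed line shape: ts=<iso> comm=<proc> pid=<n> dst=<ip>:<port> cgroup=<path>
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+comm=(?P<comm>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+cgroup=(?P<cgroup>\S+)"
)


def container_runtime(cgroup: str) -> str:
    """Infer the runtime from the cgroup path, using the same markers an implant
    would look at: 'kubepods' for Kubernetes, 'docker' for Docker, else host."""
    if "kubepods" in cgroup:
        return "kubernetes"
    if "docker" in cgroup:
        return "docker"
    return "host"


def find_metadata_access(lines: List[str], allowed=ALLOWED_COMM) -> List[dict]:
    """Return one finding per metadata-service connection that is not explained
    by an allowlisted host agent. Any container workload hitting the endpoint is
    reported, because pods normally have no business reading instance metadata."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        provider = METADATA_ENDPOINTS.get(m["ip"])
        if provider is None:
            continue  # destination is not a metadata endpoint
        runtime = container_runtime(m["cgroup"])
        if m["comm"] in allowed and runtime == "host":
            continue  # expected agent traffic from the host itself
        findings.append({
            "ts": m["ts"],
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "provider": provider,
            "runtime": runtime,
        })
    return findings


# Constructed sample log: two benign agent lookups, two suspicious lookups from
# containers, one unrelated connection and one malformed line.
SAMPLE_LOG = [
    "ts=2024-01-01T00:00:01Z comm=cloud-init pid=412 dst=169.254.169.254:80 cgroup=/system.slice/cloud-init.service",
    "ts=2024-01-01T00:00:02Z comm=amazon-ssm-agent pid=880 dst=169.254.169.254:80 cgroup=/system.slice/amazon-ssm-agent.service",
    "ts=2024-01-01T00:00:03Z comm=curl pid=2310 dst=169.254.169.254:80 cgroup=/docker/3f1a9c0b7d2e",
    "ts=2024-01-01T00:00:04Z comm=.cache-helper pid=2455 dst=100.100.100.200:80 cgroup=/kubepods/burstable/pod7a1/9d2c",
    "ts=2024-01-01T00:00:05Z comm=nginx pid=1501 dst=10.0.0.5:443 cgroup=/docker/3f1a9c0b7d2e",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_metadata_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['comm']}(pid {f['pid']}) -> {f['provider']} metadata from {f['runtime']}")
```

The allowlist is deliberately tied to the host runtime: the same agent name running inside a pod is still reported, since an implant can name its process anything. On AWS, requiring IMDSv2 (session tokens with a hop limit of 1) cuts off most container-originated metadata reads outright, so this kind of rule then mostly catches misconfigured or legacy instances.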
