Analytics Story: VoidLink Cloud-Native Linux Malware

Description

Detect and investigate VoidLink, an advanced cloud-native Linux malware framework discovered by Check Point Research in December 2025. VoidLink is a sophisticated, modular C2 framework written in Zig that targets cloud and containerized infrastructure with 30+ plugins, multiple rootkit capabilities (LD_PRELOAD, LKM, eBPF), and adaptive evasion mechanisms. The framework shows commercial-grade development and Chinese-affiliated origins, and is designed for long-term persistence, credential theft, and data exfiltration in AWS, GCP, Azure, Alibaba, and Tencent cloud environments. Monitor for cloud metadata service abuse, container escape attempts, systemd/cron persistence, LD_PRELOAD hijacking, kernel module loading, SSH lateral movement, and Linux-specific defense evasion techniques including log tampering and rootkit deployment. VoidLink's plugin-based architecture and cloud-first tradecraft make it particularly dangerous in modern containerized and Kubernetes environments.

Why it matters

VoidLink represents a significant evolution in Linux malware targeting cloud-native infrastructure. Discovered by Check Point Research in December 2025, this framework showcases advanced capabilities designed specifically for cloud and container environments. The malware can detect which cloud provider it is running on (AWS, GCP, Azure, Alibaba, Tencent), identify whether it is inside a Docker container or Kubernetes pod, and adjust its behavior accordingly. VoidLink's modular plugin system, inspired by Cobalt Strike's Beacon Object Files (BOF), allows operators to dynamically load over 30 specialized modules at runtime for reconnaissance, credential access, persistence, privilege escalation, and data exfiltration.

The framework employs multiple rootkit mechanisms, including user-mode LD_PRELOAD hijacking, kernel-level LKM rootkits, and modern eBPF-based hiding techniques. Its command and control infrastructure supports HTTP/HTTPS, DNS tunneling, ICMP tunneling, and P2P mesh communication between compromised hosts. VoidLink's operational security features include runtime code encryption, self-deletion upon tampering detection, and adaptive evasion that modifies behavior based on detected security products. The framework's cloud-first design includes dedicated modules for cloud metadata harvesting, container secret extraction, Kubernetes privilege escalation, and automated credential theft from cloud environments.

Detection requires comprehensive visibility across Linux endpoints, container runtimes, Kubernetes audit logs, and cloud provider activity logs. Key detection opportunities include monitoring for cloud metadata service access (169.254.169.254), systemd service file creation, cron job manipulation, LD_PRELOAD environment variable usage, kernel module loading, SSH key modifications, and suspicious process execution patterns within containers. Organizations running containerized workloads in cloud environments should prioritize detection of container escape attempts, Kubernetes RBAC abuse, and cloud credential theft, since VoidLink specifically targets these attack vectors for initial access and privilege escalation.
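The host-side indicators listed above (metadata service access, systemd service file creation, crontab manipulation, LD_PRELOAD usage, kernel module loading, authorized_keys changes) can be expressed as simple rules over process-execution and file-modification telemetry. The following is an added example, not part of the analytics story or of any Splunk detection; the event schema, rule names and sample events are constructed here for illustration and do not correspond to a real data model or sourcetype.

```python
"""Rule-based evaluation of constructed Linux telemetry against the
indicators the VoidLink story lists. Added example: field names, rule
names and sample events are assumptions, not a real data model."""
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                  # "exec" = process execution, "file" = file create/modify
    process: str = ""          # executable name (exec events)
    cmdline: str = ""          # full command line (exec events)
    env: dict = field(default_factory=dict)  # environment of the process (exec events)
    path: str = ""             # target path (file events)


METADATA_IP = "169.254.169.254"          # link-local address shared by the cloud providers named in the story
SYSTEMD_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")
CRON_PATHS = ("/etc/cron", "/var/spool/cron")
PRELOAD_FILE = "/etc/ld.so.preload"
MODULE_LOADERS = ("insmod", "modprobe")


def _crontab_with_flag(e: Event) -> bool:
    # Token-level check, so "crontab -l" matches but "crontab-helper" does not.
    return e.process == "crontab" and any(tok in ("-l", "-e") for tok in e.cmdline.split())


# (rule name, ATT&CK-style technique label from the story, predicate)
RULES = [
    ("Cloud metadata service access", "Cloud Instance Metadata API",
     lambda e: e.kind == "exec" and METADATA_IP in e.cmdline),
    ("Service file created in systemd directory", "Systemd Timers",
     lambda e: e.kind == "file" and e.path.startswith(SYSTEMD_DIRS)
     and e.path.endswith((".service", ".timer"))),
    ("Crontab manipulation", "Cron",
     lambda e: (e.kind == "exec" and _crontab_with_flag(e))
     or (e.kind == "file" and e.path.startswith(CRON_PATHS))),
    ("LD_PRELOAD hijack", "Dynamic Linker Hijacking",
     lambda e: (e.kind == "exec" and ("LD_PRELOAD" in e.env or "LD_PRELOAD=" in e.cmdline))
     or (e.kind == "file" and e.path == PRELOAD_FILE)),
    ("Kernel module load", "Kernel Modules and Extensions",
     lambda e: e.kind == "exec" and e.process in MODULE_LOADERS),
    ("SSH authorized_keys modification", "SSH Authorized Keys",
     lambda e: e.kind == "file" and e.path.endswith("/.ssh/authorized_keys")),
]


def evaluate(events):
    """Return one (rule name, technique, event) tuple per rule match."""
    hits = []
    for e in events:
        for name, technique, match in RULES:
            if match(e):
                hits.append((name, technique, e))
    return hits


def techniques_seen(events):
    """Distinct techniques observed; several distinct techniques on one host
    is the correlation signal the story describes."""
    return sorted({technique for _, technique, _ in evaluate(events)})


# Constructed sample telemetry from one host; the last two events are benign controls.
SAMPLE_EVENTS = [
    Event("exec", "curl", "curl -s http://169.254.169.254/latest/meta-data/"),
    Event("file", path="/etc/systemd/system/example-sync.service"),
    Event("exec", "crontab", "crontab -l"),
    Event("exec", "bash", "LD_PRELOAD=/tmp/example.so /usr/bin/true",
          env={"LD_PRELOAD": "/tmp/example.so"}),
    Event("file", path="/etc/ld.so.preload"),
    Event("exec", "insmod", "insmod /tmp/example.ko"),
    Event("file", path="/root/.ssh/authorized_keys"),
    Event("exec", "ls", "ls -la /var/log"),
    Event("exec", "systemctl", "systemctl status nginx"),
]

if __name__ == "__main__":
    for name, technique, e in evaluate(SAMPLE_EVENTS):
        print(f"{name:45} [{technique}] <- {e.cmdline or e.path}")
    print("techniques:", techniques_seen(SAMPLE_EVENTS))
```

Each rule maps to one of the story's detections and its technique label, so a run over real telemetry would yield the same coverage view the story's detection table gives, with the benign `ls` and `systemctl` events producing no hits.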

Detections

| Name | Technique | Type |
|---|---|---|
| Cisco Isovalent - Access To Cloud Metadata Service | Cloud Instance Metadata API | Anomaly |
| Cisco Isovalent - Kprobe Spike | Exploitation for Privilege Escalation | Hunting |
| Cisco Isovalent - Potential Escape to Host | Escape to Host | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron | Hunting |
| Linux Auditd Preload Hijack Via Preload File | Dynamic Linker Hijacking | TTP |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions | Anomaly |
| Linux Medusa Rootkit | Rootkit, Credentials | TTP |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly |
| Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly |
| Linux SSH Remote Services Script Execute | SSH | TTP |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching | Hunting |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Suspicious Linux Discovery Commands | Unix Shell | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| Detect DNS Data Exfiltration using pretrained model in DSDL | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| Detect suspicious DNS TXT records using pretrained model in DSDL | Domain Generation Algorithms | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Isovalent Process Connect | Other | cisco:isovalent:processConnect | not_applicable |
| Cisco Isovalent Process Exec | Other | cisco:isovalent:processExec | not_applicable |
| Cisco Isovalent Process Kprobe | Other | cisco:isovalent | not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Linux Auditd Cwd | Linux | auditd | auditd |
| Linux Auditd Path | Linux | auditd | auditd |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

References


Source: GitHub | Version: 1