Analytics Story: VoidLink Cloud-Native Linux Malware

Description

Detect and investigate VoidLink, an advanced cloud-native Linux malware framework discovered by Check Point Research in December 2025. VoidLink is a sophisticated, modular C2 framework written in Zig that targets cloud and containerized infrastructure with 30+ plugins, multiple rootkit capabilities (LD_PRELOAD, LKM, eBPF), and adaptive evasion mechanisms. The framework shows commercial-grade development, has Chinese-affiliated origins, and is designed for long-term persistence, credential theft, and data exfiltration in AWS, GCP, Azure, Alibaba, and Tencent cloud environments. Monitor for cloud metadata service abuse, container escape attempts, systemd/cron persistence, LD_PRELOAD hijacking, kernel module loading, SSH lateral movement, and Linux-specific defense evasion techniques including log tampering and rootkit deployment. VoidLink's plugin-based architecture and cloud-first tradecraft make it particularly dangerous in modern containerized and Kubernetes environments.

Why it matters

VoidLink represents a significant evolution in Linux malware targeting cloud-native infrastructure. Discovered by Check Point Research in December 2025, this framework showcases advanced capabilities specifically designed for cloud and container environments. The malware can detect which cloud provider it's running on (AWS, GCP, Azure, Alibaba, Tencent), identify if it's in a Docker container or Kubernetes pod, and adjust its behavior accordingly.

VoidLink's modular plugin system, inspired by Cobalt Strike's Beacon Object Files (BOF), allows operators to dynamically load over 30 specialized modules at runtime for reconnaissance, credential access, persistence, privilege escalation, and data exfiltration. The framework employs multiple rootkit mechanisms including user-mode LD_PRELOAD hijacking, kernel-level LKM rootkits, and modern eBPF-based hiding techniques. Its command and control infrastructure supports HTTP/HTTPS, DNS tunneling, ICMP tunneling, and P2P mesh communication between compromised hosts.

VoidLink's operational security features include runtime code encryption, self-deletion upon tampering detection, and adaptive evasion that modifies behavior based on detected security products. The framework's cloud-first design includes dedicated modules for cloud metadata harvesting, container secret extraction, Kubernetes privilege escalation, and automated credential theft from cloud environments.

Detection requires comprehensive visibility across Linux endpoints, container runtimes, Kubernetes audit logs, and cloud provider activity logs. Key detection opportunities include monitoring for cloud metadata service access (169.254.169.254), systemd service file creation, cron job manipulation, LD_PRELOAD environment variable usage, kernel module loading, SSH key modifications, and suspicious process execution patterns within containers. Organizations running containerized workloads in cloud environments should prioritize detection of container escape attempts, Kubernetes RBAC abuse, and cloud credential theft, as VoidLink specifically targets these attack vectors for initial access and privilege escalation.
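The detection opportunities listed above, worked through as an added example that is not part of the Splunk content or any of its SPL searches: a simplified Python triage that runs the story's host-side indicators (modprobe, LD_PRELOAD, /etc/ld.so.preload, systemd unit creation, metadata-service access, authorized_keys edits, crontab round-tripping) over constructed Sysmon-for-Linux-style events and escalates any host where several distinct detections fire together. The event shape, hostnames and paths are assumptions for illustration.

```python
import re

# Constructed Sysmon-for-Linux-style events (not real telemetry):
# id 1 = process create, id 11 = file create, id 3 = network connect.
SAMPLE_EVENTS = [
    {"id": 1, "host": "web-01", "image": "/usr/sbin/modprobe", "cmd": "modprobe -f hide_mod"},
    {"id": 1, "host": "web-01", "image": "/bin/sh", "cmd": "LD_PRELOAD=/tmp/.x.so /usr/bin/ps aux"},
    {"id": 11, "host": "web-01", "image": "/usr/bin/tee", "target": "/etc/ld.so.preload"},
    {"id": 11, "host": "web-01", "image": "/tmp/agent", "target": "/etc/systemd/system/cloud-sync.service"},
    {"id": 3, "host": "web-01", "image": "/tmp/agent", "dest_ip": "169.254.169.254", "dest_port": 80},
    {"id": 11, "host": "db-02", "image": "/usr/bin/vim", "target": "/home/ops/.ssh/authorized_keys"},
    {"id": 1, "host": "db-02", "image": "/usr/bin/crontab",
     "cmd": "crontab -l | { cat; echo '* * * * * /tmp/agent'; } | crontab -"},
    {"id": 1, "host": "db-02", "image": "/usr/bin/ls", "cmd": "ls -la /var/log"},  # benign
    {"id": 3, "host": "db-02", "image": "/usr/bin/curl", "dest_ip": "93.184.216.34", "dest_port": 443},  # benign
]

# Simplified re-implementations named after the story's detections; the real
# ESCU searches use different data sources and richer logic.
RULES = [
    ("Linux Install Kernel Module Using Modprobe Utility",
     lambda e: e["id"] == 1 and re.search(r"/(modprobe|insmod)$", e["image"]) is not None),
    ("Linux Preload Hijack Library Calls",
     lambda e: e["id"] == 1 and "LD_PRELOAD=" in e.get("cmd", "")),
    ("Linux Auditd Preload Hijack Via Preload File",
     lambda e: e["id"] == 11 and e.get("target") == "/etc/ld.so.preload"),
    ("Linux Service File Created In Systemd Directory",
     lambda e: e["id"] == 11 and e.get("target", "").startswith("/etc/systemd/system/")),
    ("Cisco Isovalent - Access To Cloud Metadata Service",
     lambda e: e["id"] == 3 and e.get("dest_ip") == "169.254.169.254"),
    ("Linux SSH Authorized Keys Modification",
     lambda e: e["id"] == 11 and e.get("target", "").endswith("/.ssh/authorized_keys")),
    ("Linux Adding Crontab Using List Parameter",
     lambda e: e["id"] == 1 and re.search(r"crontab\s+-l.*\|\s*crontab\s+-", e.get("cmd", "")) is not None),
]


def match_event(event):
    """Return the names of the story's detections this single event would trigger."""
    return [name for name, pred in RULES if pred(event)]


def triage(events):
    """Group distinct detection names per host (benign events contribute nothing)."""
    hits = {}
    for e in events:
        for name in match_event(e):
            hits.setdefault(e["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def escalated_hosts(events, threshold=3):
    """Hosts where at least `threshold` distinct detections fired: the VoidLink chain, not a lone hit."""
    return sorted(h for h, names in triage(events).items() if len(names) >= threshold)
```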

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions | Anomaly |
| Cisco Isovalent - Kprobe Spike | Exploitation for Privilege Escalation | Hunting |
| Linux SSH Remote Services Script Execute | SSH | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching | Hunting |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| Cisco Isovalent - Potential Escape to Host | Escape to Host | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron | Hunting |
| Cisco Isovalent - Access To Cloud Metadata Service | Cloud Instance Metadata API | Anomaly |
| Windows Suspicious QEMU Execution | Data Obfuscation, Masquerading, Malicious File, Run Virtual Instance | TTP |
| Suspicious Linux Discovery Commands | Unix Shell | TTP |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP |
| Linux Medusa Rootkit | Rootkit, Credentials | TTP |
| Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly |
| Linux Auditd Preload Hijack Via Preload File | Dynamic Linker Hijacking | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Cisco Isovalent Process Kprobe | Other | cisco:isovalent | not_applicable |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Osquery Results | Other | osquery:results | osquery |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Isovalent Process Exec | Other | cisco:isovalent:processExec | not_applicable |
| Cisco Isovalent Process Connect | Other | cisco:isovalent:processConnect | not_applicable |
| Linux Auditd Path | Linux | auditd | auditd |
| Linux Auditd Cwd | Linux | auditd | auditd |

Source: GitHub | Version: 2