VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Cloud-Native Design: VoidLink is a sophisticated malware framework capable of detecting and adapting to environments like AWS, Azure, and Google Cloud.
  • Modular Architecture: Its extensive plugin system has over 30 custom modules for reconnaissance, credential harvesting, and lateral movement.
  • Adaptive Evasion: VoidLink employs advanced operational security measures, including runtime encryption and self-deletion protocols, to evade detection.

VoidLink is a new and highly sophisticated cloud-native Linux malware framework designed for persistent access and credential harvesting. It autonomously surveys compromised hosts to identify the cloud provider in use, such as AWS, GCP, or Alibaba Cloud, and adjusts its behavior accordingly.

Security researchers at Check Point Research (CPR) found that the framework, a cloud-first implant written in the Zig programming language, distinguishes itself through a highly modular architecture built around a custom development API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) approach.

VoidLink currently supports over 30 distinct modules ranging from container escape mechanisms to "mesh" command-and-control (C2) networking. Its advanced capabilities extend to user-mode and kernel-level rootkits, and its cloud capabilities include:

VoidLink High Level Overview | Source: CPR

The malware framework has multiple plugins to harvest credentials and secrets, focusing on:

VoidLink can detect AWS, GCP, Azure, Alibaba, and Tencent, and may extend to Huawei, DigitalOcean, and Vultr.

Implications for Cloud Security

The emergence of VoidLink signals an increase in threats targeting Linux-based cloud infrastructure. By integrating adaptive stealth mechanisms, such as calculating a "risk score" based on detected security products, VoidLink prioritizes operational security over performance. 

This development suggests a shift towards commercial-grade malware designed for long-term persistence. The framework appears to be built and maintained by unknown China-affiliated actors.

Organizations must bolster their defense strategies, focusing on rigorous monitoring of Linux environments to detect these evolving cybersecurity threats.
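One concrete monitoring check that follows from the self-deletion behaviour described above: on Linux, a process whose binary was unlinked after launch still runs, but its `/proc/<pid>/exe` link ends in ` (deleted)`, and a process loaded from an anonymous memory file shows a `/memfd:` target. The following is an added example written for this article, not code from CPR or from the VoidLink report; it assumes nothing about VoidLink's implementation beyond the self-deletion behaviour the article mentions, and the sample `/proc` data in `SAMPLE_EXE_LINKS` is constructed.

```python
import os
from typing import Dict, List, Optional

DELETED_SUFFIX = " (deleted)"


def classify_exe_link(pid: int, exe_target: Optional[str]) -> Optional[dict]:
    """Return a finding dict if the readlink() target of /proc/<pid>/exe
    indicates the on-disk executable is gone, else None.

    exe_target is None when the link could not be read (kernel thread,
    or insufficient permission to inspect another user's process)."""
    if exe_target is None or not exe_target.endswith(DELETED_SUFFIX):
        return None
    path = exe_target[: -len(DELETED_SUFFIX)]
    if path.startswith("/memfd:"):
        # Anonymous in-memory file created with memfd_create(2); no disk copy ever existed.
        reason = "memfd-backed executable (no on-disk binary)"
    else:
        # Binary existed on disk at exec time but has since been unlinked.
        reason = "executable unlinked while process still running"
    return {"pid": pid, "exe": path, "reason": reason}


def find_deleted_executables(exe_links: Dict[int, Optional[str]]) -> List[dict]:
    """Apply classify_exe_link() to a pid -> exe-link mapping, sorted by pid."""
    findings = []
    for pid in sorted(exe_links):
        finding = classify_exe_link(pid, exe_links[pid])
        if finding is not None:
            findings.append(finding)
    return findings


def read_proc_exe_links() -> Dict[int, Optional[str]]:
    """Collect /proc/<pid>/exe link targets for every process on the live host.
    Run as root to see processes owned by other users."""
    links: Dict[int, Optional[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            links[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            links[pid] = None
    return links


# Constructed sample standing in for a live /proc walk (not real telemetry).
SAMPLE_EXE_LINKS: Dict[int, Optional[str]] = {
    1: "/usr/lib/systemd/systemd",
    2: None,                               # kernel thread, link unreadable
    842: "/usr/sbin/sshd",
    1337: "/tmp/.x/update (deleted)",      # dropped binary removed after launch
    1400: "/memfd:payload (deleted)",      # loaded from an anonymous memory file
}

if __name__ == "__main__":
    for f in find_deleted_executables(read_proc_exe_links()):
        print(f"pid={f['pid']} exe={f['exe']} : {f['reason']}")
```

Treat the output as a triage list rather than a verdict: a package upgrade also leaves long-running daemons (sshd, database servers) pointing at a `(deleted)` binary until they are restarted, so the check is most useful when correlated with the executable's path (world-writable directories such as `/tmp` or `/dev/shm`, or a `/memfd:` target, are far more suspicious than `/usr/sbin`) and with when the process started relative to the last package update.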

Last week, the GoBruteforcer botnet was observed deploying AI-driven tactics to target Linux servers, and access to 50 companies' cloud storage portals was auctioned using infostealer-harvested credentials.
