Cybersecurity researchers have uncovered a previously undocumented Linux malware framework dubbed VoidLink, designed to provide attackers with long-term, stealthy access to cloud and container environments. The malware, first detected in December 2025, is described as one of the most advanced Linux-based threats observed in recent years.
According to a new analysis published by Check Point Research, VoidLink is a highly modular, cloud-native framework built to operate reliably across modern infrastructure. It consists of multiple loaders, implants, rootkit-like components and more than 30 default plugins, allowing operators to extend or modify functionality as their objectives evolve.
“The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate over extended periods in cloud and container environments,” Check Point said, noting that VoidLink’s design resembles Cobalt Strike’s Beacon Object File model through a custom plugin API.
Built for cloud and container environments
VoidLink is written primarily in the Zig programming language and is capable of detecting major cloud platforms, including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba Cloud and Tencent Cloud. It can also determine whether it is running inside Docker containers or Kubernetes pods and adapt its behaviour accordingly.
The malware is capable of harvesting credentials linked to cloud services and source-code platforms such as Git, suggesting it may be targeting developers and cloud administrators. Researchers say this access could be leveraged to steal sensitive data or facilitate supply-chain attacks.
Among its notable features are rootkit-style techniques using LD_PRELOAD, loadable kernel modules and eBPF to hide malicious processes, as well as support for multiple command-and-control channels including HTTP, WebSocket, ICMP and DNS tunnelling. Compromised systems can also be linked together in peer-to-peer or mesh-style networks.
Advanced evasion and post-exploitation capabilities
VoidLink supports at least 37 plugins spanning reconnaissance, persistence, credential harvesting, lateral movement and anti-forensics. It can erase logs, modify shell history, perform timestomping, escape containers, and spread laterally using an SSH-based worm.
The framework includes extensive anti-analysis measures, such as detecting debugging tools, deleting itself if tampering is suspected, and using self-modifying code to evade memory scanners. It also assesses installed security controls on a host to dynamically adjust its evasion strategy.
Check Point assesses VoidLink to be actively maintained and likely linked to China-aligned threat actors, reflecting a broader shift among attackers toward Linux systems that underpin cloud infrastructure.
“VoidLink demonstrates a high level of technical sophistication,” the researchers said, warning that its adaptive design makes it a serious threat to cloud and container security.