New Advanced Linux VoidLink Malware Targets Cloud and Container Environments
Briefly

"According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular plugins that enable its operators to augment or change its capabilities over time, as well as pivot when objectives change. It was first discovered in December 2025. 'The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods,' the cybersecurity company said in an analysis published today."
"'VoidLink's architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) approach. This API is used in more than 30+ plug-in modules available by default.' The findings reflect a shift in threat actors' focus from Windows to Linux systems that have emerged as the bedrock of cloud services and critical operations. Actively maintained and evolving, VoidLink is assessed to be the handiwork of China-affiliated threat actors."
VoidLink is a cloud-native, modular malware framework that targets Linux-based cloud and container environments for long-term, stealthy access. The toolkit includes custom loaders, implants, rootkits, and over 30 plug-in modules driven by a Plugin API inspired by Cobalt Strike's Beacon Object Files. The implant is written in Zig; it can detect whether it is running on AWS, Google Cloud, Azure, Alibaba, or Tencent infrastructure and adapts its behaviour when running inside Docker containers or Kubernetes pods. VoidLink can collect cloud credentials and Git-related secrets, which lets its operators target developers and enables data theft or supply chain attacks. The framework is actively maintained and attributed to China-affiliated threat actors; it was discovered in December 2025.
Read at The Hacker News