VoidLink modular Linux malware targets cloud and container environments

Security researchers have disclosed VoidLink, a previously undocumented modular Linux malware framework that targets cloud and container environments. According to a technical analysis by Check Point Research, it was first identified in December 2025 and supports 37 plugins.

KEY FACTS

  • Incident: Modular Linux cloud malware framework
  • Discovery: First identified in December 2025
  • Plugins: Framework supports 37 plugins
  • Targets: Cloud platforms including AWS, Google Cloud, Azure, Alibaba and Tencent

VoidLink is a cloud-native framework composed of custom loaders, implants, rootkits and modular plugins. Its design centers on a plugin API similar to Beacon Object Files and a core orchestrator that manages command and control and task execution.

The implant is written in Zig and detects major cloud platforms such as Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba and Tencent. It adapts when it runs inside Docker containers or Kubernetes pods and can harvest credentials from cloud services and version control systems.

Capabilities include rootkit techniques that use LD_PRELOAD, loadable kernel modules and eBPF to hide processes. The framework supports multiple C2 channels, including HTTP, WebSocket, ICMP and DNS tunneling, and can form peer-to-peer meshes between compromised hosts.
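The LD_PRELOAD technique named above works by filtering what user-space programs see, so a host check that compares two views of the process table can expose it. The script below is an added example written for this article; it is not code from Check Point Research or from VoidLink. It reads the loader preload file that LD_PRELOAD-style rootkits commonly rely on, then compares the readdir() listing of /proc (which a preload hook can filter) against a direct probe of /proc/<pid>/status for every possible PID (which such hooks usually leave alone). It assumes a Linux host with /proc mounted and the conventional glibc path /etc/ld.so.preload.

```python
"""Host checks for LD_PRELOAD-style process hiding.

Added example, not code from Check Point Research or from VoidLink.
Assumptions: Linux with /proc mounted, glibc preload file at
/etc/ld.so.preload.
"""
import os
import re

LD_SO_PRELOAD = "/etc/ld.so.preload"  # conventional glibc path (assumption)


def parse_preload(text: str) -> list[str]:
    """Return the shared objects named in ld.so.preload content.

    glibc accepts entries separated by whitespace or colons and ignores
    '#' comments; every path returned is loaded into each dynamically
    linked process on the host, so any non-empty result deserves review.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(item for item in re.split(r"[\s:]+", line) if item)
    return entries


def read_preload(path: str = LD_SO_PRELOAD) -> list[str]:
    """Read the live preload file; an absent file is the normal, clean state."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_preload(fh.read())
    except FileNotFoundError:
        return []


def pid_max(proc_root: str = "/proc") -> int:
    """Upper bound of the PID space, so the probe covers every possible PID."""
    try:
        with open(f"{proc_root}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768  # historical default, used if the sysctl is unreadable


def is_thread_group_leader(proc_root: str, pid: int) -> bool:
    """True if /proc/<pid> is a process rather than a thread.

    /proc/<tid>/status exists for every thread although threads never
    appear in the /proc listing; without this filter every multi-threaded
    program would look like a swarm of hidden processes.
    """
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def listed_pids(proc_root: str = "/proc") -> set[int]:
    """PIDs visible through readdir(), the view a preload hook can filter."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(proc_root: str = "/proc") -> set[int]:
    """PIDs found by opening /proc/<pid>/status directly for every PID."""
    return {pid for pid in range(1, pid_max(proc_root) + 1)
            if is_thread_group_leader(proc_root, pid)}


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Processes reachable by direct probe but absent from the listing."""
    return probed - listed


def confirm_hidden(candidates: set[int], proc_root: str = "/proc") -> set[int]:
    """Re-check each candidate so a process that merely exited between the
    two scans is not reported as hidden."""
    still_listed = listed_pids(proc_root)
    return {pid for pid in candidates
            if pid not in still_listed and is_thread_group_leader(proc_root, pid)}


if __name__ == "__main__":
    print("ld.so.preload entries:", read_preload() or "none")
    suspects = confirm_hidden(hidden_pids(listed_pids(), probed_pids()))
    print("processes hidden from /proc listing:", sorted(suspects) or "none")
```

The full-range probe takes a few seconds on hosts where pid_max is the 64-bit default of 4194304. The comparison only catches hiding done in user space via readdir() filtering; a loadable kernel module or eBPF rootkit that filters inside the kernel hides from both views, which is why kernel-level defenses are needed alongside this kind of check.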

A web-based builder panel can create customized implants and manage files, tasks and plugins. Built-in plugins cover anti-forensics, reconnaissance, privilege escalation, lateral movement via an SSH worm and persistence mechanisms. Anti-analysis features include runtime code protection and self-deletion on tampering. The framework also enumerates installed security products to compute a risk score and adapt its evasion accordingly.

WHY IT MATTERS

The framework’s cloud-focused functions and credential harvesting make developer environments and source code systems prime targets, and could enable prolonged access that supports data theft or supply chain compromise. Detection requires cloud-aware monitoring and kernel-level defenses.
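Of the C2 channels listed earlier, DNS tunneling is the one most likely to survive an egress firewall, and resolver logs are usually the only place it leaves a trace. The heuristic below is an added example, not derived from the Check Point analysis or from VoidLink's actual traffic: it groups queries by base domain and flags domains that receive many unique, long or high-entropy subdomains, the pattern that data encoded into query names produces. The log format (client, query name, query type) and the domain names are constructed for the example, and the base domain is taken as the last two labels, which a real deployment would replace with a public suffix list.

```python
"""Resolver-log heuristic for DNS tunneling.

Added example; log format, domains and thresholds are constructed and
not taken from the Check Point Research analysis.
"""
import math
from collections import defaultdict

# Constructed sample: two ordinary hosts and one emitting encoded query names.
SAMPLE_LOG = """\
10.0.1.7 www.example.test A
10.0.1.7 mail.example.test MX
10.0.1.9 4f1a9e2c7b3d0e5f6a8b9c1d2e3f4a5b.c2-relay.test TXT
10.0.1.9 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.c2-relay.test TXT
10.0.1.9 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.c2-relay.test TXT
10.0.1.9 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c2-relay.test TXT
10.0.1.9 e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6.c2-relay.test TXT
10.0.1.7 cdn.example.test A
10.0.1.7 example.test SOA
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit near the top of the range."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Split a query name into (subdomain, base).

    The base is the last two labels: an assumption for the example, since
    real deployments should consult the public suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_text: str, min_unique: int = 5,
                  min_len: float = 24.0, min_entropy: float = 3.5) -> dict:
    """Per-base-domain statistics with a 'flagged' verdict.

    A domain is flagged when it receives at least min_unique distinct
    subdomains whose mean length or mean entropy exceeds the threshold.
    Lines that do not have exactly three fields are skipped rather than
    allowed to abort the scan.
    """
    per_base: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, qname, _qtype = parts
        sub, base = split_qname(qname)
        if sub:  # bare apex queries carry no encoded subdomain
            per_base[base].add(sub)

    report = {}
    for base, subs in per_base.items():
        flat = [s.replace(".", "") for s in subs]
        mean_len = sum(len(f) for f in flat) / len(flat)
        mean_ent = sum(shannon_entropy(f) for f in flat) / len(flat)
        report[base] = {
            "unique_subdomains": len(subs),
            "mean_len": mean_len,
            "mean_entropy": mean_ent,
            "flagged": len(subs) >= min_unique
                       and (mean_len >= min_len or mean_ent >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for base, stats in sorted(score_domains(SAMPLE_LOG).items()):
        verdict = "FLAG" if stats["flagged"] else "ok"
        print(f"{verdict:4} {base:20} n={stats['unique_subdomains']:3} "
              f"len={stats['mean_len']:5.1f} H={stats['mean_entropy']:4.2f}")
```

The unique-subdomain count is the most useful of the three signals, because content delivery and telemetry domains also produce long or random-looking labels but reuse them, whereas a tunnel must keep changing the query name to move data. Tune the thresholds against a baseline of your own resolver logs before alerting on them.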