- Check Point Research discovers an advanced Linux malware framework with 30+ plugins
- VoidLink targets cloud environments, harvesting credentials and tailoring its behavior to AWS, Azure, GCP and more
- No active abuse yet; suspected Chinese state-related development for espionage and continued access
Check Point Research (CPR) has uncovered a previously unknown and unusually advanced Linux malware framework called VoidLink.
In an in-depth report, CPR says VoidLink is a cause for concern as it is a full command-and-control (C2) platform with loaders, implants, rootkits and more than 30 modular plugins.
All of these features are designed to give attackers stealthy, persistent, long-term control over compromised systems, and they were developed as late as late 2025.
Hackers ready for something?
VoidLink is a cloud-first solution, CPR explained. After deployment, the malware fingerprints its environment to determine whether it is running on AWS, Azure, GCP, Alibaba, or Tencent Cloud, and whether it is inside Docker containers or Kubernetes pods.
It then adapts its behavior, harvesting cloud metadata, API credentials, Git credentials, tokens and secrets. All things considered, it seems that DevOps engineers and cloud administrators are the most likely targets.
VoidLink is also extremely stealthy. It profiles the host system, detects security tools and calculates a risk score, which then determines how aggressively or quietly it can operate. On some systems it will scan ports and network communications. On others it won’t – all depending on how well guarded the target system is.
So far, there is no evidence that the framework is being abused in the wild, says CPR. This can mean two things – the developers are either building out the solution with plans to offer it for sale (or rent) in the future, or they are developing it for a single, high-paying customer.
In any case, the developers are Chinese and probably state-linked. If that is indeed the case, the framework is likely being developed with cyber espionage, data theft and persistent access in mind.
“The large number of features and its modular architecture show that the authors intended to create a sophisticated, modern and feature-rich framework,” Check Point researchers concluded.



