Analysts have detected a highly advanced malware package built to target Linux cloud and container environments. Developed by Chinese operatives, it is intended for long-term, persistent intrusions against the biggest operators on the market.
The software, dubbed VoidLink by its developers, isn’t just a simple piece of malware: it comes with 37 plugin modules, including rootkits for persistent access, automatic code deletion to cover its tracks, and links to multiple command-and-control servers via peer-to-peer and other methods, making it very hard to eliminate once installed.
It’s currently designed to target AWS, GCP, Azure, Alibaba, and Tencent systems, but Check Point said more cloud providers are also at risk from having login IDs and authentication tokens stolen. It’s also configured to recognise Kubernetes or Docker container environments and adapt its processes on the fly.
In brief: the malware’s API operates on direct syscalls, bypassing libc hooks; it features post-exploitation modules for automated container escape; and it produces a risk score for each environment after enumerating Linux EDRs, kernel hardening technologies, and other security components. That score informs how its modules behave, in an approach Check Point dubs “adaptive stealth”. Similarly, it analyses system behaviour to automate optimal “adaptive intervals” for communication with the C2 to minimise the risk of being spotted.
The code has significant similarities to the Cobalt Strike malware, particularly its Beacon client agent, which has been infecting Windows systems, the researchers told us, but VoidLink is entirely Linux-based, written primarily in the Zig programming language.
The user interface to control attacks is written in Chinese, but with significant amounts of the code in English.
“It's probably AI-augmented English strings, probably because they use LLMs to generate code like everyone does these days, nobody codes without them,” Eli Smadja, Research Group Manager at Check Point, told us.
“I guess that's probably where the English strings come from.”
VoidLink malware: Being built at pace
The initial sample was picked up from VirusTotal in December, but new features have been added since then, indicating a very rapid development cycle. The sample was listed as version 3.0, and the report’s lead author, who prefers to remain nameless, said this indicates there’s a large group working on the project who have “big, big dreams, big goals, and they are iterating very fast.”
While the code is advanced, it’s designed to be used by operators who don’t necessarily have the technical skills, he explained. There’s a limit on the number of operations the malware can carry out per hour to help avoid detection, and the software automatically disguises itself by mimicking legitimate traffic and network activity, without the user needing to configure every action manually.
“The malware automatically tailors itself towards the environment, so the human operator has less room for error,” he told us.
“VoidLink takes care of being stealthy. So it has all these features which sort of try to prevent human error. There's also an indication that you can have many operators, they sit there, and the software can be sure that they don't mess up the operation. So lots of guardrails, essentially.”
The sophistication of the code indicates this is a PRC state-sponsored project, but its ease of use suggests that it might be deployed by commercial operators in the future, Check Point said. The security business has signatures that would allow VoidLink to be blocked, but given the constantly evolving state of the malware, cloud users will need to be increasingly vigilant about new variants and monitor their network traffic accordingly.