Update: New VoidLink Malware Framework Targets Linux Cloud Servers 2026
A newly discovered advanced cloud-native Linux malware framework named VoidLink focuses on cloud environments, providing attackers with custom loaders, implants, rootkits, and plugins designed for modern infrastructures.
VoidLink is written in Zig, Go, and C, and its code shows signs of a project under active development, with extensive documentation, that is likely intended for commercial use.
Malware analysts at cybersecurity company Check Point say that VoidLink can determine if it runs inside Kubernetes or Docker environments and adjust its behavior accordingly.
However, no active infections have been confirmed, which supports the assumption that the malware was created "either as a product offering or as a framework developed for a customer."
The researchers note that VoidLink appears to be developed and maintained by Chinese-speaking developers, based on the interface locale and optimizations.
VoidLink is a modular post-exploitation framework for Linux systems that enables hackers to control compromised machines while staying hidden, extend functionality with plugins, and adapt behavior to specific cloud and container environments.
Once the implant is activated, it checks whether it is running in Docker or Kubernetes, and queries cloud instance metadata for providers such as AWS, GCP, Azure, Alibaba, and Tencent, with plans to add Huawei, DigitalOcean, and Vultr.
The framework collects system details such as the kernel version, hypervisor, processes, and network state, and scans for EDRs, kernel hardening, and monitoring tools.
All of this information, together with a risk score calculated from the installed security solutions and hardening measures, is delivered to the operator, allowing them to adjust module behavior, such as slower port scanning and longer beaconing intervals.
The implant communicates with the operator using multiple protocols (HTTP, WebSocket, DNS tunneling, ICMP), wrapped in a custom encrypted messaging layer called 'VoidStream', which camouflages traffic to resemble normal web or API activity.
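As an added defensive illustration (not code from Check Point or BleepingComputer), the following Python flags workloads that read cloud instance-metadata endpoints, and in particular a single process that probes several providers' endpoints, which is what an environment-fingerprinting implant of the kind described above would do on a host that belongs to only one provider. The log format, host and process names are constructed; the endpoint addresses are the documented metadata addresses for AWS/GCP/Azure, Alibaba and Tencent (assumed current), and the process allowlist is hypothetical.

```python
"""Flag workloads probing cloud instance-metadata endpoints (constructed sample log).
An implant that fingerprints its environment the way VoidLink is reported to will
touch several providers' metadata endpoints; a real host only has one, and only a
few agents normally read it."""
from collections import defaultdict
# Documented instance-metadata addresses (assumed current for each provider).
METADATA_ENDPOINTS = {"169.254.169.254": "aws/gcp/azure",
                      "100.100.100.200": "alibaba",
                      "169.254.0.23": "tencent"}
# Hypothetical allowlist of agents expected to read metadata on this fleet.
EXPECTED_PROCESSES = {"cloud-init", "amazon-ssm-agent", "google_guest_agent"}

def parse_line(line):
    """Parse 'ts host proc dst_ip:dst_port' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[3]:
        return None
    ip, port = parts[3].rsplit(":", 1)
    return {"ts": parts[0], "host": parts[1], "proc": parts[2], "ip": ip, "port": port}

def find_metadata_probes(lines):
    """Alert on unexpected processes hitting a metadata endpoint, and on any
    process (allowed or not) that touched more than one provider's endpoint."""
    alerts, seen = [], defaultdict(set)  # seen: (host, proc) -> providers
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in METADATA_ENDPOINTS:
            continue
        provider = METADATA_ENDPOINTS[rec["ip"]]
        seen[(rec["host"], rec["proc"])].add(provider)
        if rec["proc"] not in EXPECTED_PROCESSES:
            alerts.append(f"{rec['host']}: unexpected process {rec['proc']} "
                          f"read {provider} metadata at {rec['ts']}")
    for (host, proc), provs in seen.items():
        if len(provs) > 1:
            alerts.append(f"{host}: {proc} probed {len(provs)} providers' "
                          f"metadata endpoints ({', '.join(sorted(provs))})")
    return alerts

SAMPLE_LOG = [  # constructed records: ts host proc dst_ip:dst_port
    "10:00:01 web-7 cloud-init 169.254.169.254:80",
    "10:00:02 web-7 nginx 10.0.0.5:443",
    "10:03:10 web-7 kworker-x 169.254.169.254:80",
    "10:03:11 web-7 kworker-x 100.100.100.200:80",
    "10:03:12 web-7 kworker-x 169.254.0.23:80",
]
if __name__ == "__main__":
    for alert in find_metadata_probes(SAMPLE_LOG):
        print(alert)
```

On the sample log the expected agent is silent, while the unknown process produces three per-endpoint alerts plus one multi-provider alert; feeding the function real connection records (from auditd, eBPF or flow logs) in the same four-field shape is all that is needed to run it on a fleet.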
Source: BleepingComputer