
Voidlink Malware Raises High Alert for Cloud Systems with Custom-Built Attacks

  • Jan 22



Summary


Key Points:


  • VoidLink is a highly adaptable threat targeting cloud environments

  • Discovered by Check Point Research in January 2026 and reported by Hackread.com

  • This Chinese-developed framework is designed to infiltrate critical business infrastructure


Background


VoidLink is a malware framework that has put cloud environments on high alert. It was first brought to light by Check Point Research on January 14, 2026 and reported by Hackread.com.


Serverside Rootkit Compilation (SRC)


  • The Sysdig Threat Research Team (TRT) identified a groundbreaking technical feature: Serverside Rootkit Compilation (SRC)

  • Typically, attackers face a portability problem: a rootkit built for one Linux kernel version crashes on another

  • VoidLink solves this by not including a rootkit in the initial download

  • Instead, its Command-and-Control (C2) server compiles a custom rootkit on demand for each specific victim

  • The malware profiles the exact kernel version of the infected machine and sends those details to the C2

  • The server then builds a "stealth cloak" (an eBPF or LKM rootkit) made specifically for that system


The Zig Programming Choice


  • Researchers found that VoidLink is the first Chinese-language malware written in Zig

  • Zig is a modern programming language that offers a distinct advantage; security tools aren't yet tuned to recognize its specific patterns

  • This allows VoidLink's 1.2MB implant to evade standard security filters that look for C++ or Go patterns


Fileless Execution


  • VoidLink uses a three-stage delivery mechanism designed to stay entirely in memory (fileless execution)

  • Stage 0: A tiny 9KB dropper that masquerades as a background task

  • Execution: It uses specific system calls, memfd_create to create an anonymous in-memory file and execveat to execute it, so no payload touches disk

  • Communication: It uses a covert ICMP "ping" channel to receive commands


Protecting Your Workspace


  • VoidLink is adept at hiding, so basic security scans won't detect it

  • It uses specialized plugins to escape containers and take over Kubernetes environments

  • However, security teams can catch VoidLink before it does real damage by using tools to watch for unusual memory activity or the loading of unauthorized kernel modules
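The two host-side checks suggested above, written as an added example (not code from the page or from any of the researchers cited): it flags processes whose executable is an anonymous memfd, the footprint the memfd_create + execveat technique leaves in /proc, and kernel modules that are out-of-tree, unsigned or missing from a host baseline. The /proc/modules sample and the module name "vl_cloak" are constructed for the demo, not real indicators.

```python
"""Host checks for two VoidLink-style behaviours: processes executing from an anonymous
memfd (memfd_create + execveat) and out-of-tree, unsigned or non-baseline kernel modules."""
import os
import re

# A memfd-backed executable shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(.*?)(?: \(deleted\))?$")

def memfd_name(exe_target):
    """Memfd name when the exe link is an anonymous memory file, else None."""
    m = MEMFD_RE.match(exe_target)
    return m.group(1) if m else None

def parse_proc_modules(text):
    """Parse /proc/modules into (name, size, taint); taint letters such as
    O (out-of-tree) and E (unsigned) appear in parentheses at line end."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6:  # name size refcount deps state address [taint]
            taint = parts[6].strip("()") if len(parts) > 6 else ""
            mods.append((parts[0], int(parts[1]), taint))
    return mods

def suspicious_modules(text, baseline):
    """Loaded modules missing from the baseline or carrying O/E taint."""
    return sorted(name for name, _, taint in parse_proc_modules(text)
                  if name not in baseline or "O" in taint or "E" in taint)

def memfd_processes(proc_root="/proc"):
    """Live check: {pid: memfd name} for every process running from a memfd."""
    hits = {}
    pids = filter(str.isdigit, os.listdir(proc_root)) if os.path.isdir(proc_root) else []
    for pid in pids:
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited process or no permission
        if (name := memfd_name(target)) is not None:
            hits[int(pid)] = name
    return hits

# Constructed /proc/modules sample; "vl_cloak" is a hypothetical rootkit module name.
SAMPLE_PROC_MODULES = """\
ext4 999424 1 - Live 0xffffffffc0000000
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0xffffffffc0100000
vl_cloak 24576 0 - Live 0xffffffffc0200000 (OE)
"""
BASELINE_MODULES = {"ext4", "nf_conntrack", "vl_cloak"}
```

Run `memfd_processes()` as root on a live host and compare `suspicious_modules(open("/proc/modules").read(), BASELINE_MODULES)` against a baseline captured from a known-clean image; a per-victim compiled rootkit will be both unknown to the baseline and tainted O/E.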


Expert's Commentary


Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, noted that while the threat is serious, the malware appears to be a work in progress. "The saving grace is that the framework was discovered as an 'in progress' build with debug symbols still embedded. This means that it is still not a finished product, and that threat actors are preparing for imminent operational deployment but have not yet begun large-scale targeting."


Sources


  • https://hackread.com/voidlink-malware-cloud-system-custom-built-attack/

  • https://www.socdefenders.ai/item/ae19bfe1-21bd-4890-86a8-f4a14299a75e

  • https://x.com/HackRead/status/2014319204388811122

  • https://www.infosecurity-magazine.com/news/voidlink-linux-malware-built-using/


© 2025 by Explain IT Again