Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework

    Date: 01/22/2026

    Severity: High

    Summary

    VoidLink is a sophisticated malware framework composed of custom loaders, implants, rootkits, and modular plugins that enable persistent access to Linux systems. It is built to function reliably in cloud and containerized environments, with a strong focus on long-term operations. The framework features a highly modular architecture driven by a custom Plugin API inspired by Cobalt Strike's BOF model, supporting over 30 default modules. VoidLink integrates robust OPSEC techniques such as runtime code encryption, anti-tampering self-deletion, environment-aware behavior, and both user- and kernel-level rootkits. Developed by Chinese-affiliated authors of uncertain origin, VoidLink is actively maintained and appears designed for commercial use.

    Indicators of Compromise (IOC) List

    Hash (SHA-256):

    70aa5b3516d331e9d1876f3b8994fc8c18e2b1b9f15096e6c790de8cdadb3fc9

    13025f83ee515b299632d267f94b37c71115b22447a0425ac7baed4bf60b95cd

    05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69

    15cb93d38b0a4bd931434a501d8308739326ce482da5158eb657b0af0fa7ba49

    6850788b9c76042e0e29a318f65fceb574083ed3ec39a34bc64a1292f4586b41

    6dcfe9f66d3aef1efd7007c588a59f69e5cd61b7a8eca1fb89a84b8ccef13a2b

    28c4a4df27f7ce8ced69476cc7923cf56625928a7b4530bc7b484eec67fe3943

    e990a39e479e0750d2320735444b6c86cc26822d86a40d37d6e163d0fe058896

    4c4201cc1278da615bacf48deef461bf26c343f8cbb2d8596788b41829a39f3f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("70aa5b3516d331e9d1876f3b8994fc8c18e2b1b9f15096e6c790de8cdadb3fc9","15cb93d38b0a4bd931434a501d8308739326ce482da5158eb657b0af0fa7ba49","13025f83ee515b299632d267f94b37c71115b22447a0425ac7baed4bf60b95cd","28c4a4df27f7ce8ced69476cc7923cf56625928a7b4530bc7b484eec67fe3943","6850788b9c76042e0e29a318f65fceb574083ed3ec39a34bc64a1292f4586b41","05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69","4c4201cc1278da615bacf48deef461bf26c343f8cbb2d8596788b41829a39f3f","6dcfe9f66d3aef1efd7007c588a59f69e5cd61b7a8eca1fb89a84b8ccef13a2b","e990a39e479e0750d2320735444b6c86cc26822d86a40d37d6e163d0fe058896")
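    The query above is a hash-membership check over endpoint telemetry. The following Python script is an added example, not part of this advisory or of Check Point's research: it reproduces the same `sha256hash IN (...)` logic so the IoC list can be applied offline to exported events or to a local file sweep. The event layout (`host`, `path`, `sha256hash` fields) and the sample events are constructed assumptions; the hash values themselves are the ones published in the IoC list above.

```python
"""Match SHA-256 file-hash telemetry against the VoidLink IoC list.

Added example (not the advisory's or Check Point's code). It mirrors the
advisory's `sha256hash IN (...)` detection query so the same check can be
run offline over exported events or over files on disk.
"""
import hashlib
import json
from pathlib import Path
from typing import Iterable

# SHA-256 hashes published in the advisory's IoC list.
VOIDLINK_SHA256_LIST = [
    "70aa5b3516d331e9d1876f3b8994fc8c18e2b1b9f15096e6c790de8cdadb3fc9",
    "13025f83ee515b299632d267f94b37c71115b22447a0425ac7baed4bf60b95cd",
    "05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69",
    "15cb93d38b0a4bd931434a501d8308739326ce482da5158eb657b0af0fa7ba49",
    "6850788b9c76042e0e29a318f65fceb574083ed3ec39a34bc64a1292f4586b41",
    "6dcfe9f66d3aef1efd7007c588a59f69e5cd61b7a8eca1fb89a84b8ccef13a2b",
    "28c4a4df27f7ce8ced69476cc7923cf56625928a7b4530bc7b484eec67fe3943",
    "e990a39e479e0750d2320735444b6c86cc26822d86a40d37d6e163d0fe058896",
    "4c4201cc1278da615bacf48deef461bf26c343f8cbb2d8596788b41829a39f3f",
]
VOIDLINK_SHA256 = frozenset(VOIDLINK_SHA256_LIST)


def normalize_hash(value: str) -> str:
    """Lower-case and strip a hash so case or whitespace differences in
    telemetry exports do not cause a silent miss."""
    return value.strip().lower()


def match_events(events: Iterable[dict], field: str = "sha256hash") -> list:
    """Return the events whose hash field is in the IoC set.

    `field` defaults to the column name used in the advisory's query; the
    dict-per-event layout is an assumption of this example."""
    hits = []
    for event in events:
        value = event.get(field)
        if isinstance(value, str) and normalize_hash(value) in VOIDLINK_SHA256:
            hits.append(event)
    return hits


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so large binaries
    are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: Path) -> list:
    """Hash every regular file under `root` and report (path, hash) pairs
    that appear in the IoC set. Symlinks are skipped to avoid loops."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if digest in VOIDLINK_SHA256:
            findings.append((path, digest))
    return findings


# Constructed sample telemetry (not real data): one benign binary, one IoC
# hit written in upper case with stray whitespace, one exact IoC hit, and
# one event with no hash field at all.
SAMPLE_EVENTS = [
    {"host": "web-01", "path": "/usr/bin/curl", "sha256hash": "a" * 64},
    {"host": "web-01", "path": "/tmp/.cache/x",
     "sha256hash": " " + VOIDLINK_SHA256_LIST[0].upper() + "\n"},
    {"host": "db-02", "path": "/var/tmp/.s/ld", "sha256hash": VOIDLINK_SHA256_LIST[3]},
    {"host": "db-02", "path": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

    `match_events` is the direct analogue of the Gurucul query; `sweep_directory` covers hosts whose telemetry does not already carry file hashes, at the cost of hashing every file under the chosen root. Hash matching only catches the exact samples listed, so it is a confirmation check rather than a substitute for the behavioral detections the advisory's summary points to (kernel-module loads, self-deleting binaries, environment probing).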

    Reference:

    https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/


    Tags

    Malware, China, Rootkit, Cobalt Strike
