VoidLink Linux Malware Framework
BLUF
A sophisticated, modular Linux framework codenamed VoidLink designed for long-term stealth in cloud and container environments, mimicking Cobalt Strike's architecture.
Cost Impact Analysis: VoidLink Linux Malware Framework
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by stealthy VoidLink compromise in cloud or containerized Linux environments, financial exposure is driven less by immediate outage and more by prolonged detection gaps, forensic uncertainty, and cloud account risk.
Executive Cost Summary
· Low-end total cost: $750K – $1.5M (single environment affected, early detection, limited cloud credential exposure)
· Typical expected range: $2.5M – $6M (persistent dwell time, multi-workload cloud investigation, partial credential rotation)
· Upper-bound realistic scenarios: $8M – $15M (cross-account cloud impact, regulatory review, extended forensic uncertainty)
Key Cost Drivers
· Duration of undetected attacker dwell time in cloud workloads
· Scope of cloud credential and token rotation required
· Breadth of forensic validation across containers, hosts, and control planes
· Regulatory reporting obligations tied to data access uncertainty
· Business disruption from precautionary workload rebuilds and access revocation
Targeted Sectors
· Cloud Infrastructure
· Container Environments
Countries
· Global
Date of First Reported Activity
· December 2025
Date of Last Reported Activity Update
· January 13, 2026
APT Names
· Suspected to be China-affiliated threat actors; this attribution has not been publicly reported.
Associated Criminal Organization Names
· This does not appear to be applicable at this time.
IOCs
Host-Based Indicators
· Anti-forensics and Stealth: The malware uses rootkit capabilities and actively cleans system logs, command histories, and dropped files to evade detection. It also overwrites deleted files with random data to prevent forensic recovery.
· Runtime Integrity Checks: VoidLink performs checks to identify potential system hooks or patches used by security tools. If tampering is detected, the malware can self-delete.
· Dynamic Code Obfuscation: It utilizes self-modifying code that decrypts protected regions at runtime and re-encrypts them when not in use, evading memory scanners.
· Process and Service Enumeration: Specific modules (e.g., proc_list_v3.o, service_enum_stealth_v3.o) are used to stealthily list running processes and identify services on the compromised machine.
· Timestomping: The malware employs a module (timestomp_v3.o) to alter file and directory timestamps to disrupt forensic timelines.
· Direct Syscalls: It operates using direct system calls to bypass standard library (libc) hooks, a common monitoring method used by security tools.
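Added example (not VoidLink code and not tooling from the reports cited below): two inode-timestamp heuristics a responder can apply to the timestomping behaviour listed above. The checks rest on kernel behaviour rather than on the malware: utimes()/utimensat() let a process rewrite atime and mtime, but the kernel always sets ctime to the current time when it does so, and whole-second values leave the nanosecond part of mtime at zero. Record names, thresholds and the sample inodes are constructed.

```python
"""Heuristics for timestomped files, run over constructed inode records."""
import os
from dataclasses import dataclass

NS_PER_SECOND = 10**9
NS_PER_DAY = 86_400 * NS_PER_SECOND


@dataclass(frozen=True)
class InodeTimes:
    path: str
    mtime_ns: int   # last content modification, nanoseconds since the epoch
    ctime_ns: int   # last inode change; cannot be set from userland


def from_stat(path: str) -> InodeTimes:
    """Read the two timestamps of a real file (the sample below does not need disk access)."""
    st = os.stat(path, follow_symlinks=False)
    return InodeTimes(path, st.st_mtime_ns, st.st_ctime_ns)


def timestomp_signals(rec: InodeTimes, ctime_gap_days: int = 30) -> list[str]:
    """Return the names of the heuristics that fire for one inode."""
    signals = []
    # 1. mtime pushed far into the past: ctime still records the real change time.
    if rec.ctime_ns - rec.mtime_ns > ctime_gap_days * NS_PER_DAY:
        signals.append("ctime_far_newer_than_mtime")
    # 2. mtime pushed into the future: a genuine write leaves ctime >= mtime.
    if rec.mtime_ns > rec.ctime_ns:
        signals.append("mtime_newer_than_ctime")
    # 3. whole-second mtime on a filesystem that stores nanoseconds (ext4, xfs, btrfs).
    if rec.mtime_ns % NS_PER_SECOND == 0:
        signals.append("mtime_zero_nanoseconds")
    return signals


def scan(records, ctime_gap_days: int = 30) -> dict[str, list[str]]:
    """Map path -> firing heuristics, omitting inodes with no signal."""
    out = {}
    for rec in records:
        hits = timestomp_signals(rec, ctime_gap_days)
        if hits:
            out[rec.path] = hits
    return out


# Constructed sample: an untouched binary, a backdated plugin, a future-dated one.
SAMPLE_RECORDS = [
    InodeTimes("/usr/bin/ls", 1_736_700_000_123_456_789, 1_736_700_000_123_456_789),
    InodeTimes("/dev/shm/.x/log_wiper_v3.o", 1_600_000_000_000_000_000, 1_736_700_000_555_000_111),
    InodeTimes("/tmp/.a/mod.o", 1_800_000_000_000_000_000, 1_736_700_000_000_000_000),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, ",".join(hits))
```

The zero-nanosecond check is noisy on its own: filesystems with one-second resolution, files unpacked from tar or zip archives, and package managers that preserve archive timestamps all produce whole-second mtimes. Treat it as a scoring signal beside the ctime gap rather than as an alert by itself.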
Network-Based Indicators
· Evasive C2 Communications: Communication with the Command and Control (C2) server is highly obfuscated. Traffic can be hidden within standard web content (JS/CSS/HTML), PNG-like blobs, or by mimicking legitimate API traffic.
· Multiple Transport Protocols: VoidLink uses a custom protocol called VoidStream that supports various transport methods, including HTTP/1.1, HTTP/2, WebSocket, DNS, and ICMP, making protocol filtering difficult.
· Cloud API Interactions: A primary indicator is network traffic to cloud provider metadata APIs (AWS, GCP, Azure, Alibaba, Tencent) as the malware surveys the environment to detect which cloud it is running in.
· Potential Mesh C2: Analyzed samples contain methods for a peer-to-peer (mesh) networking approach where infected machines communicate with each other, potentially without direct outbound internet access.
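Added example (not code from VoidLink or from the cited reports): detection logic for the cloud-metadata surveying indicator above, which the Suricata IMDS rule further down also targets. It reads constructed endpoint events (one JSON object per line with the assumed fields type, host, process, dst_ip and query) and raises a finding when a process outside an assumed agent allowlist contacts an instance metadata service, when it does so at an unusual rate, or when one process touches the metadata endpoints or API domains of several providers, which is what "which cloud am I in" surveying looks like from the host. The allowlist and sample events are assumptions; the metadata addresses are the providers' documented ones.

```python
"""Flag cloud-metadata surveying in constructed endpoint telemetry."""
import json
from collections import Counter, defaultdict

# Instance metadata addresses. 169.254.169.254 is shared by AWS, GCP and Azure;
# 100.100.100.200 is Alibaba Cloud's and 169.254.0.23 is Tencent Cloud's.
METADATA_ENDPOINTS = {
    "169.254.169.254": "aws|gcp|azure",
    "100.100.100.200": "alibaba",
    "169.254.0.23": "tencent",
}
# Domain suffixes of the providers' control-plane APIs.
CLOUD_API_SUFFIXES = {
    "amazonaws.com": "aws",
    "googleapis.com": "gcp",
    "azure.com": "azure",
    "aliyuncs.com": "alibaba",
    "tencentcloudapi.com": "tencent",
}
# Assumed allowlist of agents that legitimately query IMDS; tune it per fleet.
EXPECTED_METADATA_CLIENTS = {
    "cloud-init", "amazon-ssm-agent", "google_guest_agent", "waagent", "kubelet",
}


def analyze(lines, rate_threshold=20):
    """Return a list of findings, one dict per (rule, host, process)."""
    imds_hits = Counter()             # (host, process) -> number of IMDS connections
    imds_providers = defaultdict(set)  # (host, process) -> providers whose IMDS address was hit
    dns_providers = defaultdict(set)   # (host, process) -> providers whose API domains were resolved
    for line in lines:
        ev = json.loads(line)
        key = (ev["host"], ev["process"])
        if ev["type"] == "connect" and ev["dst_ip"] in METADATA_ENDPOINTS:
            imds_hits[key] += 1
            imds_providers[key].add(METADATA_ENDPOINTS[ev["dst_ip"]])
        elif ev["type"] == "dns":
            name = ev["query"].lower().rstrip(".")
            for suffix, provider in CLOUD_API_SUFFIXES.items():
                if name == suffix or name.endswith("." + suffix):
                    dns_providers[key].add(provider)

    findings = []
    for (host, proc), n in imds_hits.items():
        if proc not in EXPECTED_METADATA_CLIENTS:
            findings.append({"rule": "unexpected_metadata_client", "host": host, "process": proc, "count": n})
        if n > rate_threshold:
            findings.append({"rule": "metadata_high_rate", "host": host, "process": proc, "count": n})
    for (host, proc), provs in imds_providers.items():
        if len(provs) >= 2:
            findings.append({"rule": "metadata_multi_provider", "host": host, "process": proc,
                             "providers": sorted(provs)})
    for (host, proc), provs in dns_providers.items():
        if len(provs) >= 2:
            findings.append({"rule": "cloud_api_dns_survey", "host": host, "process": proc,
                             "providers": sorted(provs)})
    return findings


def _ev(**fields):
    return json.dumps(fields)


# Constructed sample: a normal cloud-init boot, one process surveying three providers,
# a benign DNS lookup, and a burst of curl requests to IMDS.
SAMPLE_EVENTS = [
    _ev(type="connect", host="web-01", process="cloud-init", dst_ip="169.254.169.254"),
    _ev(type="connect", host="web-01", process="cloud-init", dst_ip="169.254.169.254"),
    _ev(type="connect", host="web-01", process="/dev/shm/.cache", dst_ip="169.254.169.254"),
    _ev(type="connect", host="web-01", process="/dev/shm/.cache", dst_ip="100.100.100.200"),
    _ev(type="connect", host="web-01", process="/dev/shm/.cache", dst_ip="169.254.0.23"),
    _ev(type="dns", host="web-01", process="/dev/shm/.cache", query="sts.amazonaws.com"),
    _ev(type="dns", host="web-01", process="/dev/shm/.cache", query="oauth2.googleapis.com"),
    _ev(type="dns", host="web-01", process="/dev/shm/.cache", query="management.azure.com"),
    _ev(type="dns", host="web-02", process="nginx", query="cdn.example.net"),
] + [_ev(type="connect", host="web-02", process="curl", dst_ip="169.254.169.254") for _ in range(25)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The multi-provider rules are the least noisy of the four: a legitimate workload has no reason to probe Alibaba's and Tencent's metadata addresses on an AWS host. The allowlist rule needs per-fleet tuning, since instance-role credential fetches by SDKs inside ordinary applications also hit 169.254.169.254.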
Specific File Names (Associated with Plugins)
While the main implant names are dynamic, specific plugin names have been identified in analysis reports.
· log_wiper_v3.o
· timestomp_v3.o
· service_enum_stealth_v3.o
· proc_list_v3.o
Tools Used
· VoidLink Implants
· Rootkits
· Modular Plugins (30+ built-in)
TTPs
Defense Evasion
· T1014 Rootkit
o Employs multiple rootkit levels, including LD_PRELOAD, Linux Kernel Modules (LKM), and eBPF programs to hide malicious processes and files.
· T1027 Obfuscated Files or Information
o Uses self-modifying code to decrypt protected regions at runtime and re-encrypt them when not in use.
· T1070.004 Indicator Removal on Host: File Deletion
o Includes a self-deletion mechanism that overwrites files with random data if tampering is detected.
· T1497 Virtualization/Sandbox Evasion
o Actively surveys the environment to detect if it is running in a debugger, Docker container, or specific cloud provider (AWS, GCP, Azure) to adapt its stealth strategy.
Command and Control
· T1071.001 Application Layer Protocol: Web Protocols
o Supports C2 communication over HTTP/1.1, HTTP/2, and WebSockets.
· T1095 Non-Application Layer Protocol
o Capable of communicating via ICMP for stealthy signaling.
· T1132 Data Encoding
o Mimics legitimate traffic types, such as PNG-like blobs or standard JS/CSS/HTML content, to hide exfiltrated data.
· T1573 Encrypted Channel
o Uses a custom internal protocol dubbed "VoidStream" to handle encryption and message parsing.
· T1041 Exfiltration Over C2 Channel
o Leverages its modular C2 channels for data exfiltration once a system is compromised.
Discovery
· T1082 System Information Discovery
o Enumerates hypervisors and system telemetry (CPU, memory, network) to create behavioral profiles of the host.
· T1526 Cloud Service Discovery
o Queries instance metadata via vendor APIs (e.g., AWS IMDS) to gather intelligence on the cloud environment.
· T1613 Container and Cloud Discovery
o Specifically detects if it is running within a Kubernetes pod or Docker container.
Credential Access
· T1528 Steal Application Access Token
o Targeted modules exist for extracting secrets and credentials from cloud environments and Git repositories.
Privilege Escalation
· T1611 Escape to Host
o Contains dedicated modules for automated container escapes to gain higher-level access to the host system.
Malware Names
· VoidLink
Malware Sample
SHA256
21fb7f8941b929a5b18530f435c236c79b4974d41109cecb9e7098f5bbe04dd6
URL link to sample
· hxxps://www.virustotal.com/gui/file/21fb7f8941b929a5b18530f435c236c79b4974d41109cecb9e7098f5bbe04dd6/detection
CVEs & CVSS
· Not directly associated with CVE at this time
Nessus ID
· Not applicable
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Monitor for non-standard tools or unusual frequencies of access to the Instance Metadata Service (IMDS).
alert http $HOME_NET any -> 169.254.169.254 any (msg:"ET EXPLOIT Possible VoidLink Cloud Metadata Enumeration"; http.method; content:"GET"; http.uri; content:"/latest/meta-data/"; sid:1000001; rev:1;)
Detect the retrieval of .so or binary plugins from external IPs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VoidLink Plugin Retrieval (ELF/SO)"; flow:established,to_server; content:".so"; http_uri; sid:1000002; rev:1;)
Zig-based Binary Patterns
Look for common Zig-specific artifacts in network traffic if unencrypted (e.g., specific stack trace formats or library strings).
SentinelOne
Hunt for binaries containing Zig-specific strings in their metadata or command line.
ProcessCmd matches ".*zig.*" OR FileDescription contains "Zig"
Cloud Surveying Activity: Detect the framework's attempts to identify its hosting environment.
ObjectType = "DNS" AND (DnsRequest contains "amazonaws.com" OR DnsRequest contains "googleapis.com" OR DnsRequest contains "azure.com") AND ProcessName matches ".*(void|link|implant).*"
Suspicious Plugin Loading
Monitor for the loading of modular objects in unusual directories (e.g., /tmp or /dev/shm).
EventType = "Module Load" AND ModulePath matches ".*(/tmp/|/dev/shm/).*\.so"
Splunk
Search for processes querying internal container metadata followed by external C2 activity.
index=main sourcetype="sentinelone"
| eval is_cloud_query=if(like(cmdline, "%169.254.169.254%"), 1, 0)
| where is_cloud_query=1
| stats count by endpoint_name, cmdline, dest_ip
VoidLink is known for rapid iteration of its framework. Monitor for multiple unique file hashes being written to the same directory within a short window.
index=main sourcetype="sentinelone" event_type="File Creation"
| bucket _time span=1h
| stats dc(file_hash) as unique_hashes by _time, endpoint_name, file_path
| where unique_hashes > 5
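Added example (not the project's or CyberDax's code): the two host-side hunts on this page, the Splunk distinct-hash-per-window search above and the SentinelOne "Module Load" hunt for objects under /tmp or /dev/shm, implemented in Python over constructed endpoint events so the logic can be tested offline. burst_hashes() groups by directory rather than by full path so that plugins written under rotating names are counted together; suspicious_module_loads() also matches the .o extension because the reported plugin names end in .o, an extension of the page's .so pattern that is an assumption. Field names mirror the queries on this page but are assumptions about the telemetry, not a vendor schema.

```python
"""Host-side hunts for plugin churn and tmpfs module loads over constructed events."""
import os
import re
from collections import defaultdict

# Loads of shared objects or .o plugins out of world-writable tmpfs paths.
SUSPICIOUS_LOAD_DIR = re.compile(r"^(/tmp/|/dev/shm/).*\.(so|o)(\.\d+)*$")


def burst_hashes(events, span_s=3600, threshold=5):
    """Directories where more than `threshold` distinct hashes were created in one window."""
    buckets = defaultdict(set)   # (window_start, endpoint, directory) -> {file hashes}
    for ev in events:
        if ev["event_type"] != "File Creation":
            continue
        window = ev["time"] - ev["time"] % span_s   # same effect as `bucket _time span=1h`
        key = (window, ev["endpoint_name"], os.path.dirname(ev["file_path"]))
        buckets[key].add(ev["file_hash"])
    return [
        {"window_start": w, "endpoint_name": h, "dir_path": d, "unique_hashes": len(s)}
        for (w, h, d), s in sorted(buckets.items())
        if len(s) > threshold
    ]


def suspicious_module_loads(events):
    """Module Load events whose path sits under /tmp or /dev/shm."""
    return [
        ev for ev in events
        if ev["event_type"] == "Module Load" and SUSPICIOUS_LOAD_DIR.match(ev["module_path"])
    ]


BASE = 1_736_700_000  # constructed epoch seconds; every event below falls in one hour bucket
SAMPLE_EVENTS = (
    # seven distinct plugin hashes dropped into one tmpfs directory within minutes
    [{"event_type": "File Creation", "time": BASE + 60 * i, "endpoint_name": "worker-03",
      "file_path": f"/dev/shm/.x/mod{i}.o", "file_hash": f"{i:064x}"} for i in range(7)]
    # log rotation: many creations, but the same content hash every time
    + [{"event_type": "File Creation", "time": BASE + 10 * i, "endpoint_name": "web-01",
        "file_path": "/var/log/app/app.log", "file_hash": "ab" * 32} for i in range(10)]
    + [
        {"event_type": "Module Load", "time": BASE + 500, "endpoint_name": "worker-03",
         "module_path": "/dev/shm/.x/proc_list_v3.o"},
        {"event_type": "Module Load", "time": BASE + 501, "endpoint_name": "web-01",
         "module_path": "/usr/lib/x86_64-linux-gnu/libssl.so.3"},
        {"event_type": "Module Load", "time": BASE + 502, "endpoint_name": "build-02",
         "module_path": "/tmp/build/libfoo.so.1.2"},
    ]
)

if __name__ == "__main__":
    for row in burst_hashes(SAMPLE_EVENTS):
        print("burst", row)
    for ev in suspicious_module_loads(SAMPLE_EVENTS):
        print("load", ev["endpoint_name"], ev["module_path"])
```

The /tmp build-host load in the sample is the expected false positive of the tmpfs rule: CI runners and developer boxes compile into /tmp, so pair the rule with an endpoint-role tag or an allowlist of build hosts before alerting on it.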
Cross-source correlation: surface source IPs that appear in both high-severity Suricata alerts and SentinelOne suspicious alerts.
(index=suricata event_type=alert severity=1) OR (index=sentinelone alert_type="Suspicious")
| stats dc(index) as index_count by src_ip
| where index_count > 1
Delivery Method
· Exploitation of cloud misconfigurations and container vulnerabilities.
Email Samples
· Not applicable
References
The Hacker News
· hxxps://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html
VirusTotal
· hxxps://www.virustotal.com/gui/file/21fb7f8941b929a5b18530f435c236c79b4974d41109cecb9e7098f5bbe04dd6/detection
Check Point Research
hxxps://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/