The Cloud-Native Malware Framework
Jan. 13, 2026, 4:31 p.m.
Description
VoidLink is an advanced malware framework designed for Linux systems, focusing on cloud and container environments. It includes custom loaders, implants, rootkits, and modular plugins for long-term access. The framework employs a flexible architecture with a Plugin API inspired by Cobalt Strike. VoidLink uses multiple security mechanisms, including runtime code encryption and adaptive behavior based on the detected environment. Built by Chinese-affiliated developers, it demonstrates high technical expertise across multiple programming languages. The framework includes cloud-focused capabilities, credential harvesting, and various command-and-control channels. While its intended use remains unclear, VoidLink appears to be positioned for potential commercial use.
Date
- Created: Jan. 13, 2026, 1:59 p.m.
- Published: Jan. 13, 2026, 1:59 p.m.
- Modified: Jan. 13, 2026, 4:31 p.m.
Indicators
- 15cb93d38b0a4bd931434a501d8308739326ce482da5158eb657b0af0fa7ba49
- e990a39e479e0750d2320735444b6c86cc26822d86a40d37d6e163d0fe058896
- 6dcfe9f66d3aef1efd7007c588a59f69e5cd61b7a8eca1fb89a84b8ccef13a2b