- Check Point Research Discovers Advanced Linux Malware Framework with 30+ Plugins
- VoidLink targets cloud environments, collects credentials, and scales with AWS, Azure, GCP, and more.
- There is no active abuse yet; alleged development linked to the Chinese state for espionage and persistent access
Check Point Research (CPR) has discovered an unusually advanced and previously unknown Linux malware framework called VoidLink.
In a detailed report, CPR says that VoidLink is of concern as it is a complete command and control (C2) platform with loaders, implants, rootkits and more than 30 modular add-ons.
All of these features are designed to give attackers stealthy, persistent, long-term control over compromised systems, and were being developed as of late 2025.
Are hackers preparing for something?
VoidLink is a cloud-first solution, CPR explained. After deployment, the malware fingerprints your environment to determine whether it is running on AWS, Azure, GCP, Alibaba, or Tencent Cloud, and whether it is inside Docker containers or Kubernetes pods.
It then adapts its behavior, collecting cloud metadata, API credentials, Git credentials, tokens, and secrets. Considering all this, it would seem that DevOps engineers and cloud administrators are the most likely targets.
VoidLink is also extremely stealthy. It profiles the host system, detects security tools, and calculates a risk score that determines how aggressively or quietly it is allowed to operate. On some systems it will scan ports and network communications; on others it won't, depending on how well protected the target system is.
So far, there is no evidence that the framework is being abused in the wild, says CPR. This could mean two things: the developers are still building the framework, with plans to offer it for sale (or rent) in the future, or they are building it for a single, high-paying customer.
In any case, the developers are Chinese and probably affiliated with the state. If that is indeed the case, then the framework is likely being developed with cyber espionage, data theft, and persistent access in mind.
“The large number of features and its modular architecture show that the authors intended to create a sophisticated, modern and feature-rich framework,” Check Point researchers concluded.




