VoidLink Malware Framework Targets Cloud and Container Environments
Summary
A new advanced Linux malware framework, codenamed VoidLink, has been discovered targeting cloud and container environments. Developed by China-affiliated threat actors, VoidLink is a highly modular framework designed for long-term, stealthy access to Linux-based systems. It includes custom loaders, implants, rootkits, and over 30 plugins, allowing operators to extend its capabilities over time. The malware is engineered to detect major cloud environments and adapts its behavior when running inside Docker containers or Kubernetes pods. It also gathers credentials for cloud environments and for source code version control systems such as Git. With anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence capabilities, VoidLink is a full-fledged post-exploitation framework. It is written primarily in the Zig programming language, and its developers plan to extend its cloud detection to additional providers such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating in-progress builds. Traffic is camouflaged by a custom encrypted messaging layer called 'VoidStream', and the default configuration ships 35 plugins. Rootkit modules hide processes, files, network sockets, or the rootkit itself, and anti-analysis mechanisms detect debuggers, encrypt code at runtime, and perform integrity checks. Anti-forensic modules erase logs, shell history, and login records and securely overwrite every file dropped on the host, minimizing what is left for forensic investigators.
Timeline
- 13.01.2026 13:57 · 3 articles
Discovery of VoidLink Malware Framework
In December 2025, cybersecurity researchers discovered a previously undocumented malware framework codenamed VoidLink. The framework is designed for long-term, stealthy access to Linux-based cloud environments and includes custom loaders, implants, rootkits, and over 30 modular plugins. VoidLink is engineered to detect major cloud environments and adapt its behavior when running within Docker containers or Kubernetes pods. The malware gathers credentials associated with cloud environments and source code version control systems like Git. VoidLink's capabilities include anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence, making it a full-fledged post-exploitation framework. The framework is assessed to be the work of China-affiliated threat actors and includes a Chinese web-based dashboard for remote control and management of the implant. VoidLink is written primarily in the Zig programming language and includes plans to extend its detection capabilities to additional cloud environments such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating ongoing development and refinement. The framework uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic and includes 35 plugins in the default configuration. VoidLink employs rootkit modules to hide processes, files, network sockets, or the rootkit itself, and includes advanced anti-analysis mechanisms to detect debuggers, perform runtime code encryption, and integrity checks. VoidLink's anti-forensic modules erase logs, shell history, login records, and securely overwrite all files dropped on the host, minimizing exposure to forensic investigations.
Sources:
- New Advanced Linux VoidLink Malware Targets Cloud and container Environments — thehackernews.com — 13.01.2026 13:57
- New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments — www.infosecurity-magazine.com — 13.01.2026 16:31
- New VoidLink malware framework targets Linux cloud servers — www.bleepingcomputer.com — 14.01.2026 00:12
Information Snippets
- VoidLink is a cloud-native Linux malware framework designed for long-term, stealthy access to Linux-based cloud environments.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The framework includes custom loaders, implants, rootkits, and over 30 modular plugins.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink is engineered to detect major cloud environments such as AWS, Google Cloud, Microsoft Azure, Alibaba, and Tencent.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The malware can adapt its behavior when running within Docker containers or Kubernetes pods.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink gathers credentials associated with cloud environments and source code version control systems like Git.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The framework includes anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence capabilities.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink is assessed to be the work of China-affiliated threat actors.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The malware features a custom Plugin API inspired by Cobalt Strike's Beacon Object Files (BOF) approach.
  First reported: 13.01.2026 13:57 (2 sources: thehackernews.com, infosecurity-magazine.com)
- VoidLink includes a Chinese web-based dashboard for remote control and management of the implant.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The framework supports varied command-and-control (C2) channels, including HTTP/HTTPS, WebSocket, ICMP, and DNS tunneling.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink can form a peer-to-peer (P2P) or mesh-style network between compromised hosts.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The malware includes anti-analysis features to circumvent detection, such as flagging debuggers and monitoring tools, and self-modifying code.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink enumerates installed security products and hardening measures to calculate a risk score and an evasion strategy.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- The developers demonstrate a high level of technical expertise, with proficiency in multiple programming languages including Go, Zig, and C, and in modern frameworks like React.
  First reported: 13.01.2026 13:57 (3 sources: thehackernews.com, infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink is written primarily in the Zig programming language.
  First reported: 13.01.2026 16:31 (2 sources: infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink's documentation suggests it is intended for commercial purposes.
  First reported: 13.01.2026 16:31 (2 sources: infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink includes plans to extend its detection capabilities to Huawei, DigitalOcean, and Vultr cloud environments.
  First reported: 13.01.2026 16:31 (2 sources: infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink can perform automated container escapes and secret extraction.
  First reported: 13.01.2026 16:31 (2 sources: infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink's development environment includes debug symbols and other development artifacts, indicating in-progress builds.
  First reported: 13.01.2026 16:31 (2 sources: infosecurity-magazine.com, bleepingcomputer.com)
- VoidLink is written in Zig, Go, and C.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink's plugins are ELF object files loaded directly into memory that call framework APIs via syscalls.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink uses 35 plugins in the default configuration, covering reconnaissance, cloud and container enumeration, credential harvesting, lateral movement, persistence mechanisms, and anti-forensics.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink uses rootkit modules that hide processes, files, network sockets, or the rootkit itself.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink can detect debuggers in the environment, uses runtime code encryption, and performs integrity checks to detect hooks and tampering.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink's anti-forensic modules erase logs, shell history, and login records, and securely overwrite all files dropped on the host.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
- VoidLink aims to automate evasion by thoroughly profiling the targeted environment before choosing the best strategy.
  First reported: 14.01.2026 00:12 (1 source: bleepingcomputer.com)
Similar Happenings
China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.
CISA Adds Actively Exploited Sierra Wireless Router Flaw to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw (CVE-2018-4063) in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, an unrestricted file upload vulnerability, allows remote code execution via malicious HTTP requests. The vulnerability, disclosed in 2019, affects the ACEManager 'upload.cgi' function in firmware version 4.9.3. It enables attackers to upload executable files with elevated privileges, as ACEManager runs as root. Forescout's honeypot analysis revealed that industrial routers are frequently targeted in OT environments, with threat actors exploiting multiple vulnerabilities to deliver botnet and cryptocurrency miner malware. A previously undocumented threat cluster, Chaya_005, weaponized CVE-2018-4063 in early 2024 but has since been deemed less significant.
Active Exploitation of Critical Motex Lanscope Endpoint Manager Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-61932, allows attackers to execute arbitrary code on affected systems. It impacts on-premises versions of Lanscope Endpoint Manager, specifically the Client program and Detection Agent. The flaw has been actively exploited in the wild by the cyber espionage group Tick, which has been using it to deliver a backdoor called Gokcpdoor. Federal agencies are advised to apply patches by November 12, 2025. The vulnerability impacts versions 9.4.7.2 and earlier. It has been addressed in versions 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. The exact exploitation methods and threat actors were previously unknown, but an alert from the Japan Vulnerability Notes (JVN) portal and Japan's CERT Coordination Center indicated that an unnamed customer and domestic organizations received malicious packets targeting this vulnerability. The vulnerability has a CVSS v4 score of 9.8 and affects Lanscope Endpoint Manager, a unified endpoint management and security platform popular in Japan. Lanscope is deployed by one in every four listed companies and one in every three financial institutions in Japan. The flaw includes missing security checks, lack of barriers to prevent arbitrary code execution, and missing privilege checks. Motex has released a fix for the vulnerability, and it does not affect the cloud version of Lanscope. Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication. The Bronze Butler group exploited the vulnerability far in advance of its public disclosure. The group used the Havoc command-and-control (C2) tool and a loader called OAED to inject payloads. The group used open-source and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io. The group used LimeWire, a peer-to-peer (P2P) file-sharing platform, possibly for exfiltration. Japanese organizations face cyber threats shaped by regional geopolitics and industry profiles, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.
PassiveNeuron APT Campaign Targeting Government, Financial, and Industrial Sectors
A new cyber espionage campaign, dubbed PassiveNeuron, targets government, financial, and industrial organizations in Asia, Africa, and Latin America. The campaign uses Neursite and NeuralExecutor malware to infiltrate and exfiltrate data from compromised servers. The threat actors leverage compromised internal servers as an intermediate command-and-control (C2) infrastructure to evade detection. The campaign was first flagged in November 2024 and has continued through August 2025. Initial access is gained through Microsoft SQL, followed by the deployment of various implants, including Neursite, NeuralExecutor, and Cobalt Strike. The malware supports various communication protocols and includes plugins for additional capabilities.
LinkPro Rootkit Exploits eBPF to Evade Detection on Linux Systems
A new Linux rootkit named LinkPro has been discovered, leveraging eBPF to hide its presence and activate via specific TCP packets. The rootkit was found during an investigation into a compromised AWS-hosted infrastructure. Attackers exploited a vulnerable Jenkins server to deploy the rootkit, which uses a combination of eBPF modules and a shared library to conceal its activities and communicate with a command-and-control (C2) server. The rootkit can operate in both passive and active modes, supporting multiple communication protocols. It achieves persistence through a systemd service and modifies system configurations to hide its presence. The attackers used a malicious Docker image and additional malware to facilitate the infection.