VoidLink modular Linux malware framework for cloud and container operations
Malware Activity
Summary
Researchers uncovered VoidLink, a new Linux malware framework that expands C2, persistence, and post-exploitation options against cloud and container environments. The modular platform includes over 30 plugins, a web-based operator panel, and a custom Plugin API for reconnaissance, lateral movement, privilege escalation, and anti-forensic evasion. Investigators have seen no real-world infections, but the framework is actively evolving and appears to be built by Chinese-speaking developers. Its design suggests a flexible launchpad for deeper access to compromised Linux systems and cloud estates.
Related Happenings
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
The **PCPJack** malware framework is stealing credentials from **exposed Linux cloud systems**, creating a broad risk of account takeover and lateral movement. It targets services...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/Service
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Latest development: 23.05.2026 14:55
Anthropic said Project Glasswing has uncovered more than 10,000 high- or critical-severity vulnerabilities across widely used software since the program launched last month, including 6,202 high/critical flaws affecting more than 1,000 open-source projects, 1,726 validated true positives, 1,094 high/critical flaws, a critical WolfSSL flaw tracked as CVE-2026-5194 with CVSS score 9.1, 97 upstream patches, and 88 advisories.
Cloud environments third-party flaw exploitation wave
Exploitation Wave
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Timeline
- 21.01.2026 14:51 · 1 article · 4mo ago
Check Point says VoidLink was largely built by AI
Technical Analysis Update: Check Point Research concluded that the VoidLink Linux malware targeting Linux-based cloud servers was largely built by AI, likely under the direction of one person, after reviewing exposed planning documents, AI-generated documentation, and the malware's rapid evolution from concept to a working framework in about four weeks rather than the planned 30 weeks.
Sources:
- VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal — www.infosecurity-magazine.com — 21.01.2026 14:51
- 13.01.2026 16:31 · 4 articles · 4mo ago
VoidLink modular Linux malware framework for cloud and container operations
Initial Disclosure: In **December 2025**, analysts found a small cluster of previously unseen Linux samples that pointed to an in-progress modular framework. Early indicators such as **debug symbols** and other development artifacts suggested rapid iteration toward broader real-world use.
Sources:
- New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments — www.infosecurity-magazine.com — 13.01.2026 16:31
- New Advanced Linux VoidLink Malware Targets Cloud and container Environments — thehackernews.com — 13.01.2026 13:57
- New VoidLink malware framework targets Linux cloud servers — www.bleepingcomputer.com — 14.01.2026 00:12