VoidLink modular Linux malware framework for cloud and container operations
Malware Activity
Summary
Hide ▲
Show ▼
Researchers uncovered VoidLink, a new Linux malware framework that expands C2, persistence, and post-exploitation options against cloud and container environments. The modular platform includes over 30 plugins, a web-based operator panel, and a custom Plugin API for reconnaissance, lateral movement, privilege escalation, and anti-forensic evasion. Investigators have seen no real-world infections, but the framework is actively evolving and appears to be built by Chinese-speaking developers. Its design suggests a flexible launchpad for deeper access to compromised Linux systems and cloud estates.
Related Happenings
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
H score28
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware ActivityAbout this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
H score28
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Zealot autonomous AI cloud intrusion proof of concept
Technical AnalysisAbout this happening: **Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/Service
H score58
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/ServiceAbout this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Latest development: 03.06.2026 14:00
President Donald Trump signed a June 2 executive order that sets up a voluntary framework for developers of covered frontier models to give the US government access for cybersecurity review for up to 30 days before release, while expressly rejecting any mandatory licensing or preclearance requirement. The order directs NSA, CISA, and NIST to build a classified benchmark for determining which models cross the covered threshold and creates an AI cybersecurity clearinghouse led by the Treasury Department. The framework closely echoes Anthropic's Project Glasswing, which gives vetted partners early access to Claude Mythos Preview to scan critical software for vulnerabilities.
Cloud environments third-party flaw exploitation wave
Exploitation Wave
H score37
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Cloud environments third-party flaw exploitation wave
Exploitation WaveAbout this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Timeline
-
21.01.2026 14:51 1 articles · 5mo ago
Check Point says VoidLink was largely built by AI
Technical Analysis UpdateCheck Point Research concluded that the VoidLink Linux malware targeting Linux-based cloud servers was largely built by AI, likely under the direction of one person, after reviewing exposed planning documents, AI-generated documentation, and the malware's rapid evolution from concept to a working framework in about four weeks rather than the planned 30 weeks.
Show sources
- VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal — www.infosecurity-magazine.com — 21.01.2026 14:51
-
13.01.2026 16:31 4 articles · 5mo ago
VoidLink modular Linux malware framework for cloud and container operations
Initial DisclosureIn **December 2025**, analysts found a small cluster of previously unseen Linux samples that pointed to an in-progress modular framework. Early indicators such as **debug symbols** and other development artifacts suggested rapid iteration toward broader real-world use.
Show sources
- New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments — www.infosecurity-magazine.com — 13.01.2026 16:31
- New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments — www.infosecurity-magazine.com — 13.01.2026 16:31
- New Advanced Linux VoidLink Malware Targets Cloud and container Environments — thehackernews.com — 13.01.2026 13:57
- New VoidLink malware framework targets Linux cloud servers — www.bleepingcomputer.com — 14.01.2026 00:12