VoidLink analysis reveals Kubernetes/Docker checks and modular anti-analysis behavior
Technical Analysis
Summary
Hide ▲
Show ▼
VoidLink is a Linux C2 framework built for cloud and container environments, with multi-cloud targeting across AWS, Google Cloud Platform, Microsoft Azure, Alibaba Cloud and Tencent Cloud. The latest analysis shows the implant also supports credential theft, data exfiltration and stealthy persistence, while using AES-256-GCM over HTTPS to blend C2 traffic into normal web activity. Researchers further observed LLM-assisted coding artifacts in the binary, but described the sample as an operational implant with live infrastructure rather than a proof of concept.
Related Happenings
AWS Continuum launches AI-powered vulnerability management lifecycle platform
Security Tool/Service
H score14
First: 19.06.2026 14:00
Last: 19.06.2026 14:00
Sources 1
About this happening:
**AWS Continuum** launched in **gated preview** as a new **AI-powered vulnerability management platform** for AWS environments, expanding security teams’ ability to manage code fl...
AWS Continuum launches AI-powered vulnerability management lifecycle platform
Security Tool/ServiceAbout this happening: **AWS Continuum** launched in **gated preview** as a new **AI-powered vulnerability management platform** for AWS environments, expanding security teams’ ability to manage code fl...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
H score28
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Zealot autonomous AI cloud intrusion proof of concept
Technical AnalysisAbout this happening: **Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Checkmarx/kics Docker Hub repository hit by network compromise
Incident
H score36
First: 22.04.2026 20:55
Last: 22.04.2026 20:55
Sources 1
About this happening:
**Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...
Checkmarx/kics Docker Hub repository hit by network compromise
IncidentAbout this happening: **Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...
Timeline
-
14.01.2026 00:12 3 articles · 5mo ago
Check Point details VoidLink cloud-native Linux framework
Technical Analysis UpdateCheck Point identified VoidLink as a newly discovered cloud-native Linux malware framework built for cloud and container environments. The framework uses custom loaders, implants, rootkits, and 35 plugins; fingerprints Docker and Kubernetes; queries instance metadata for AWS, GCP, Azure, Alibaba, and Tencent; and can tune behavior after assessing installed security controls and host hardening. Analysts also said no active infections have been confirmed and assessed the codebase as likely a product offering or customer-built framework.
Show sources
- New VoidLink malware framework targets Linux cloud servers — www.bleepingcomputer.com — 14.01.2026 00:12
- New VoidLink malware framework targets Linux cloud servers — www.bleepingcomputer.com — 14.01.2026 00:12
- VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code — www.infosecurity-magazine.com — 09.02.2026 17:25