VoidLink AI-generated malware development analysis
Technical Analysis
Summary
VoidLink is a Linux-based C2 framework with multi-cloud targeting and modular implants built for credential theft, data exfiltration and stealthy persistence. New analysis from Ontinue adds that the agent includes LLM-assisted development artefacts such as “Phase X:” labels, verbose debug logs and embedded documentation, while still operating as an implant with live infrastructure. The malware fingerprints AWS, Google Cloud Platform, Microsoft Azure, Alibaba Cloud and Tencent Cloud, and uses AES-256-GCM over HTTPS for C2 traffic.
Related Happenings
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Gemini Enterprise Agent Platform launch adds agent identity, policy enforcement, and anomaly detection controls
Security Tool/Service
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
Google Cloud expanded **Gemini Enterprise Agent Platform** with new security controls for **AI agents**, giving organizations more visibility and policy enforcement for autonomous...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
AWS Bedrock AgentCore Code Interpreter DNS exfiltration and covert C2 in Sandbox Mode
Technical Analysis
First: 16.03.2026 15:00
Last: 16.03.2026 15:00
Sources 1
About this happening:
Researchers demonstrated **DNS-based exfiltration** and covert **C2** against **AWS Bedrock AgentCore Code Interpreter**, showing cloud AI code execution environments can still le...
Timeline
21.01.2026 14:51 3 articles · 4mo ago
VoidLink AI-built analysis by Check Point Research
Technical Analysis Update
Check Point Research concluded that VoidLink, a Linux malware targeting Linux-based cloud servers, was largely built by AI under one person’s direction, with over 30 modular plugins and exposed planning documents indicating a planned 30-week effort that appeared to have progressed from concept to a working malware framework in about four weeks.
Sources:
- VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal — www.infosecurity-magazine.com — 21.01.2026 14:51
- VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code — www.infosecurity-magazine.com — 09.02.2026 17:25