VoidLink Linux C2 malware activity
Malware Activity
Summary
VoidLink is an operational Linux C2 framework used by UAT-9921 as a post-compromise tool against technology and financial services targets. Cisco Talos says the framework supports scanning, SOCKS proxy-based reconnaissance, and lateral movement, and that related victims date back to September 2025. The activity expands the earlier picture of cloud and enterprise intrusion tooling by tying VoidLink to a live threat actor and observed campaign use.
Related Happenings
GRIDTIDE backdoor using Google Sheets API
Malware Activity
First: 25.02.2026 19:00
Last: 25.02.2026 19:00
Sources: 1
About this happening:
The **GRIDTIDE** backdoor is using the **Google Sheets API** for covert **command-and-control**, giving infected systems a hidden channel for execution, file transfer, and reconna...
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources: 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical Analysis
First: 17.02.2026 20:08
Last: 17.02.2026 20:08
Sources: 1
About this happening:
Researchers disclosed **AI as a C2 proxy**, a technique that can turn **Microsoft Copilot** and **xAI Grok** browsing features into stealthy **command-and-control relays**, increa...
World Leaks RustyRocket malware activity
Malware Activity
First: 12.02.2026 15:30
Last: 12.02.2026 15:30
Sources: 1
About this happening:
The **World Leaks** extortion group has added **RustyRocket**, a new **Rust** malware that helps it maintain **persistence** and **exfiltrate data** from victim networks. The tool...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
Campaign
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources: 1
About this happening:
A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...
Timeline
09.02.2026 17:25 · 3 articles
VoidLink Linux C2 framework analysis
Initial Disclosure
VoidLink is analyzed as a Linux-based command-and-control framework with multi-cloud targeting across AWS, Google Cloud Platform, Microsoft Azure, Alibaba Cloud and Tencent Cloud. It uses a modular plugin-based implant to harvest credentials, fingerprint cloud and container environments, escalate privileges in Kubernetes, and maintain stealthy persistence while sending AES-256-GCM encrypted HTTPS C2 traffic. The implant also shows development artefacts such as structured "Phase X:" labels, verbose debug logs, duplicated phase numbering, and formal status messages, and is described as an operational implant with live infrastructure rather than a proof-of-concept.
- VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code — www.infosecurity-magazine.com — 09.02.2026 17:25
- UAT-9921 Deploys VoidLink Malware to Target Technology and Financial Sectors — thehackernews.com — 13.02.2026 17:23