February 24, 2026

New VoidLink Cloud-Native Malware Targets Linux Systems With Advanced Stealth and Self-Deletion

Security researchers have identified a sophisticated new cloud-native malware framework, dubbed VoidLink, that is actively targeting Linux systems used in modern cloud environments. The malware, discovered by Check Point researchers in December 2025, introduces a new level of adaptability and stealth aimed squarely at cloud infrastructure and the engineers who manage it.

A Shift Toward Cloud-Aware Malware

VoidLink is written in the Zig programming language, an increasingly popular choice among threat actors due to its performance, low-level control, and limited detection signatures. Researchers say its design signals a notable shift in how attackers are approaching cloud-based targets.

Unlike traditional Linux malware, VoidLink is environment-aware. It can identify major cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba Cloud, and Tencent Cloud, and tailor its behavior to blend into each ecosystem. The framework can also detect whether it is running inside Docker containers or Kubernetes clusters, modifying its tactics accordingly.

Still Under Active Development

Check Point analysts uncovered multiple VoidLink samples containing debug symbols and development artifacts, suggesting the framework is still being actively developed rather than deployed as a finished, mass-scale operation. Linguistic and technical indicators point to a Chinese-speaking development environment, though attribution remains unconfirmed.

Despite its apparent early-stage status, researchers warn that VoidLink already demonstrates capabilities that could enable espionage, supply chain attacks, and long-term cloud persistence.

Modular Architecture With 37+ Plugins

VoidLink uses a highly modular design, featuring more than 37 plugins grouped into categories such as reconnaissance, credential harvesting, lateral movement, and persistence. These plugins are delivered as object files that load dynamically at runtime and execute entirely in memory, an approach similar to Cobalt Strike’s Beacon Object Files (BOFs).

This design minimizes disk artifacts and allows attackers to selectively deploy functionality based on the target environment.

One of VoidLink’s most concerning capabilities is its ability to harvest credentials from cloud services and developer platforms, including version control systems like Git, potentially granting attackers access to proprietary codebases, infrastructure secrets, and deployment pipelines.

Adaptive Stealth and Kernel-Level Rootkits

Stealth is central to VoidLink’s operation. Upon execution, the malware scans the host system for security products, kernel hardening features, and Linux endpoint detection and response (EDR) tools. Based on these findings, it calculates a risk score and dynamically adjusts its behavior.

In heavily monitored environments, VoidLink slows its activity and carefully schedules actions to avoid triggering alerts.

The malware also deploys different rootkit techniques depending on the Linux kernel version:

  • Kernels below 4.0: Uses LD_PRELOAD userland rootkits
  • Kernels 4.0 and above: Installs loadable kernel modules (LKMs)
  • Kernels 5.5 and higher: Leverages eBPF-based rootkits

These rootkits can hide processes, files, network connections, and even the rootkit components themselves, effectively blinding administrators and security tools.
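For defenders, the kernel-version split above indicates which hiding technique to hunt for first on a given host. The following Python triage helper is an added example, not code from the article or from Check Point: the function names are illustrative, it assumes the highest matching tier applies, and its checks are generic LD_PRELOAD and hidden-LKM checks rather than VoidLink-specific indicators.

```python
# Added example: tier mapping follows the article's kernel-version list.
import os
import re

def expected_technique(release):
    """Map a `uname -r` string to the rootkit class the article ties to it."""
    ver = tuple(map(int, re.match(r"(\d+)\.(\d+)", release).groups()))
    if ver >= (5, 5):
        return "ebpf"
    return "lkm" if ver >= (4, 0) else "ld_preload"

def preload_findings(ld_so_preload_text, environs):
    """Libraries forced in via /etc/ld.so.preload or a process's LD_PRELOAD."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        for lib in re.split(r"[\s:]+", line.split("#", 1)[0]):  # drop comments
            if lib:
                findings.append(("ld.so.preload", lib))
    for pid, blob in sorted(environs.items()):  # blob: raw /proc/<pid>/environ
        for var in blob.split(b"\0"):
            if var.startswith(b"LD_PRELOAD="):
                findings.append((f"pid {pid}", var[11:].decode(errors="replace")))
    return findings

def hidden_modules(proc_modules_text, sys_module_attrs):
    """Loadable modules visible in /sys/module but absent from /proc/modules.
    Only loadable modules expose 'initstate', so built-in entries are skipped."""
    listed = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    return sorted(name for name, attrs in sys_module_attrs.items()
                  if "initstate" in attrs and name not in listed)

def collect_live():
    """Read the same four inputs from the running host (root sees all PIDs)."""
    def read(path, mode="r"):
        try:
            with open(path, mode) as fh:
                return fh.read()
        except OSError:  # file absent, process exited, or permission denied
            return b"" if "b" in mode else ""
    pids = [p for p in os.listdir("/proc") if p.isdigit()]
    environs = {int(p): read(f"/proc/{p}/environ", "rb") for p in pids}
    attrs = {n: set(os.listdir(f"/sys/module/{n}")) for n in os.listdir("/sys/module")}
    return read("/etc/ld.so.preload"), environs, read("/proc/modules"), attrs

if __name__ == "__main__":
    preload, environs, modules, attrs = collect_live()
    print("hunt first for:", expected_technique(os.uname().release))
    print("preload findings:", preload_findings(preload, environs))
    print("hidden LKM candidates:", hidden_modules(modules, attrs))
```

A rootkit that is already active can falsify these views, so results from the live host are best compared with an out-of-band disk or memory snapshot. On hosts in the eBPF tier, `bpftool prog show` run as root lists the loaded programs for review.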

Self-Modifying Code and Instant Self-Deletion

VoidLink employs self-modifying code that decrypts protected regions only when needed and re-encrypts them afterward, complicating memory scanning and signature-based detection. It continuously performs runtime integrity checks to identify hooks, patches, or debugging attempts introduced by security software.

If any tampering is detected, VoidLink immediately activates its self-deletion mechanism, erasing itself and its associated artifacts from the system. This not only evades detection but also severely limits forensic investigation and incident response efforts.

A Growing Threat to Cloud Infrastructure

Researchers warn that VoidLink represents a new generation of cloud-native malware built specifically for modern Linux-based infrastructure. While currently limited in scale, its advanced design and modular architecture suggest significant potential for future campaigns.

Security teams are urged to closely monitor cloud workloads, harden kernel configurations, restrict developer credential exposure, and improve visibility into containerized environments as attackers increasingly target the backbone of cloud operations.
