- Check Point Research Discovers Advanced Linux Malware Framework With 30+ Plugins
- VoidLink targets cloud environments, fetches credentials, and scales to AWS, Azure, GCP, and more.
- No active abuse yet; alleged development linked to the Chinese state for the purpose of espionage and persistent access
Check Point Research (CPR) has discovered a previously unknown and unusually advanced Linux malware framework called VoidLink.
In a detailed report, CPR claims that VoidLink is of concern because it is a comprehensive command and control (C2) platform with loaders, implants, rootkits and more than 30 modular plugins.
All of these features are designed to give attackers stealthy, persistent, and long-term control over compromised systems, and were developed as recently as late 2025.
Are the hackers preparing for something?
VoidLink is a cloud-first solution, CPR explained. After deployment, the malware fingerprints its environment to determine whether it is running on AWS, Azure, GCP, Alibaba, or Tencent Cloud, and whether it is in Docker containers or Kubernetes pods.
It then adapts its behavior, collecting cloud metadata, API credentials, Git credentials, tokens and secrets. All things considered, it would seem that DevOps engineers and cloud administrators are the most likely targets.
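As an added example (not from the CPR report or from TechRadar), the following sketch shows one defensive check for the metadata-harvesting behavior described above: flagging processes outside an allowlist that connect to a cloud instance metadata service. The log line format, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address

# Instance metadata service addresses (AWS, Azure and GCP share the first;
# Alibaba Cloud uses the second). Extend for other providers in use.
METADATA_IPS = {ip_address("169.254.169.254"), ip_address("100.100.100.200")}

# Assumption: executables expected to query metadata on this fleet.
ALLOWED_EXES = {"/usr/bin/cloud-init", "/usr/bin/amazon-ssm-agent"}

# Directories any user can write to; binaries running from here are suspect.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Assumed (hypothetical) connection-log format: ts host= pid= exe= dst=ip:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"exe=(?P<exe>\S+) dst=(?P<ip>[0-9.]+):(?P<port>\d+)$"
)

def find_metadata_access(lines):
    """Return findings for metadata-service connections by unexpected processes."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        try:
            dst = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address
        if dst not in METADATA_IPS or m["exe"] in ALLOWED_EXES:
            continue
        severity = "high" if m["exe"].startswith(WRITABLE_DIRS) else "medium"
        findings.append({"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                         "exe": m["exe"], "severity": severity})
    return findings

# Constructed sample log lines (not taken from the CPR report).
SAMPLE = [
    "2026-01-14T09:12:03Z host=build-01 pid=812 exe=/usr/bin/cloud-init dst=169.254.169.254:80",
    "2026-01-14T09:15:41Z host=build-01 pid=4312 exe=/dev/shm/.cache/worker dst=169.254.169.254:80",
    "2026-01-14T09:16:02Z host=build-01 pid=4390 exe=/usr/bin/curl dst=100.100.100.200:80",
    "2026-01-14T09:16:30Z host=build-01 pid=4401 exe=/usr/bin/curl dst=10.0.4.7:443",
]

if __name__ == "__main__":
    for finding in find_metadata_access(SAMPLE):
        print(finding)
```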
VoidLink is also extremely stealthy. It profiles the host system, detects security tools and calculates a risk score which then determines how aggressively or quietly it is allowed to operate. On some systems it will scan ports and network communications. On others, this won’t be the case – it all depends on how well the target system is protected.
So far, there is no evidence that the framework is being misused, says CPR. This could mean one of two things: either the developers intend to offer it for sale (or rental) in the future, or they are building it for a single, high-paying client.
Regardless, the developers are Chinese, and probably state-affiliated. If this is truly the case, then the framework is likely developed with cyberespionage, data theft, and persistent access in mind.
“The large number of features and its modular architecture show that the authors intended to create a sophisticated, modern, and feature-rich framework,” the Check Point researchers concluded.




