Researchers have uncovered a previously unknown malware framework for Linux. It uses an extensively modular design with unusually advanced attack capabilities.
Check Point Research discovered the framework. The developers call it VoidLink. Observers describe it as significantly more advanced than most existing Linux malware. The discovery points to a broader shift in which professional threat actors increasingly view Linux as a primary target rather than a niche platform.
VoidLink was found in late 2025 in multiple Linux binaries uploaded to VirusTotal. Notably, there are no indications that the framework has already been used in attacks in the wild. The samples contain development artifacts such as debug symbols, which indicates a framework still in active development. Despite the lack of actual infections, the framework looks mature and well thought out, suggesting that its operators are preparing VoidLink for future operational use.
Focus on cloud infrastructures
The framework is written in Zig and designed with modern cloud infrastructures in mind. Once VoidLink is active, it automatically determines whether it is running in a public cloud environment such as AWS, Azure, or Google Cloud, and whether it is running in a Docker container or a Kubernetes pod. By querying the metadata APIs of the respective providers, VoidLink can tailor its behavior precisely to the environment in which it runs. This makes VoidLink particularly suited to environments with dynamic workloads, where traditional detection methods are less effective.
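The environment fingerprinting described above leaves a trace defenders can look for: processes that should have no reason to talk to the instance metadata service suddenly doing so. As an added detection example (not code from Check Point's research or from VoidLink itself), the check below runs over constructed per-connection records and flags any process that reaches the 169.254.169.254 metadata endpoint without being on an allowlist; the endpoint address is the link-local one AWS, Azure and GCP all use, while the log format, process names and allowlist are assumptions to adapt to your own telemetry.

```python
import ipaddress
import json
from collections import Counter

# Link-local address shared by the AWS, Azure and GCP instance metadata services.
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")

# Processes that legitimately query the metadata service on a typical host.
# Assumption: tune this to the agents actually deployed in your fleet.
ALLOWED_PROCESSES = {"cloud-init", "amazon-ssm-agent", "waagent", "google_guest_agent"}

# Constructed sample records (one JSON object per line) in the shape of a simple
# per-connection export from an eBPF or audit sensor. These are not real telemetry.
SAMPLE_LOG = """\
{"ts": "2026-01-10T08:00:01Z", "comm": "cloud-init", "pid": 812, "uid": 0, "daddr": "169.254.169.254", "dport": 80}
{"ts": "2026-01-10T08:00:05Z", "comm": "curl", "pid": 4410, "uid": 1000, "daddr": "93.184.216.34", "dport": 443}
{"ts": "2026-01-10T08:01:17Z", "comm": "kworker-svc", "pid": 5123, "uid": 0, "daddr": "169.254.169.254", "dport": 80}
{"ts": "2026-01-10T08:01:18Z", "comm": "kworker-svc", "pid": 5123, "uid": 0, "daddr": "169.254.169.254", "dport": 80}
{"ts": "2026-01-10T08:02:00Z", "comm": "python3", "pid": 6001, "uid": 1000, "daddr": "169.254.169.254", "dport": 80}
"""


def parse_records(text):
    """Parse newline-delimited JSON connection records; destination becomes an ip_address."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["daddr"] = ipaddress.ip_address(rec["daddr"])
        records.append(rec)
    return records


def find_suspicious_metadata_access(records, allowed=ALLOWED_PROCESSES):
    """One alert per (comm, pid) that reached the metadata endpoint without being allowlisted."""
    hits = Counter()
    first_seen = {}
    for rec in records:
        if rec["daddr"] != METADATA_ENDPOINT or rec["comm"] in allowed:
            continue
        key = (rec["comm"], rec["pid"])
        hits[key] += 1
        first_seen.setdefault(key, rec["ts"])
    return [{"comm": c, "pid": p, "count": n, "first_seen": first_seen[(c, p)]}
            for (c, p), n in sorted(hits.items())]


if __name__ == "__main__":
    for a in find_suspicious_metadata_access(parse_records(SAMPLE_LOG)):
        print(f"[alert] {a['comm']} (pid {a['pid']}) reached the metadata service {a['count']}x, first at {a['first_seen']}")
```

A repeated burst from one pid, as with the second alert here, is the pattern to prioritise, since a legitimate agent usually queries once at boot while a fingerprinting routine walks several metadata paths in quick succession.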
VoidLink’s architecture consists of a compact core that can be expanded with plugins during runtime. This modular design allows adding or removing functionality based on the purpose of an attack. The modules found cover a wide range of post-exploitation activities, including extensive system exploration, credential collection, lateral movement within networks, and long-term persistence. In doing so, VoidLink focuses not only on servers, but also on workstations of developers and administrators who have access to cloud environments and source code.
VoidLink is virtually invisible
A central design principle is stealth. VoidLink actively detects security measures such as Linux EDR solutions and kernel hardening and adapts its behavior accordingly. In environments with strict monitoring, the framework automatically reduces its visibility, for example, by slowing down communication or spreading activities over a longer period of time.
VoidLink uses a variety of techniques to hide processes, files, and network connections, ranging from user-mode methods to kernel modules and eBPF programs.
Network communication is also designed to be as inconspicuous as possible. Command-and-control traffic can be disguised as legitimate web or API traffic and runs via multiple protocols. In this respect, VoidLink aligns with tactics that have long been common in advanced Windows frameworks but have rarely been observed on Linux until now.
Although VoidLink is currently mainly a research subject, it serves as a clear warning signal. It shows that Linux, cloud platforms, and container environments are becoming increasingly attractive for professionally developed attack tools and that organizations need to adapt their security approach accordingly.