Experts warn this new Chinese Linux malware could be preparing something seriously worrying
VoidLink is well under development and raising eyebrows among experts
- Check Point Research discovers an advanced Linux malware framework with 30+ plugins
- VoidLink targets cloud environments, harvesting credentials and adapting to AWS, Azure, GCP, and more
- No active abuse yet; suspected Chinese state-linked development for espionage and persistent access
Check Point Research (CPR) has uncovered a previously unknown and unusually advanced Linux malware framework called VoidLink.
In an in-depth report, CPR says VoidLink is cause for concern since it is a full command-and-control (C2) platform with loaders, implants, rootkits, and more than 30 modular plugins.
All these features are designed to give attackers stealthy, persistent, and long-term control over compromised systems, and were being developed as recently as late 2025.
Hackers gearing up for something?
VoidLink is a cloud-first solution, CPR explained. After deployment, the malware fingerprints its environment to determine if it’s running on AWS, Azure, GCP, Alibaba, or Tencent Cloud, and whether it is inside Docker containers or Kubernetes pods.
It then adapts its behavior and harvests cloud metadata, API credentials, Git credentials, tokens, and secrets. All things considered, DevOps engineers and cloud admins appear to be the most likely targets.
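As an added defender-side illustration (not Check Point's code or anything from the VoidLink framework), the following Python audit checks a Linux account for the kinds of long-lived credential stores the report says the malware harvests, and flags any whose permissions expose them to other accounts on the host. The file paths are an illustrative assumption, and the sample home directory it builds for a dry run is constructed.

```python
import stat
import tempfile
from pathlib import Path

# Credential stores on a DevOps host that an implant of the kind described
# (cloud, Git and Kubernetes secret harvesting) would target. Paths are
# relative to a home directory; the list is an illustrative assumption.
CREDENTIAL_FILES = {
    ".aws/credentials": "AWS long-lived access keys",
    ".config/gcloud/application_default_credentials.json": "GCP default credentials",
    ".azure/msal_token_cache.json": "Azure CLI token cache",
    ".git-credentials": "Git plaintext credentials",
    ".kube/config": "Kubernetes client credentials",
    ".docker/config.json": "Container registry auth",
}

def audit_credential_exposure(home: Path) -> list[dict]:
    """One finding per store that exists under `home`: what it holds, its
    mode, and whether group/other can read it (a weak setting that exposes
    the secret to an implant running under another account). Only file
    metadata is inspected; contents are never read."""
    findings = []
    for rel, label in CREDENTIAL_FILES.items():
        path = home / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "file": rel,
            "holds": label,
            "mode": f"{mode:04o}",
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings

def build_sample_home() -> Path:
    """Constructed sample home directory (fake values) for a dry run."""
    home = Path(tempfile.mkdtemp())
    (home / ".aws").mkdir()
    (home / ".aws/credentials").write_text("[default]\naws_access_key_id = CONSTRUCTED\n")
    (home / ".aws/credentials").chmod(0o644)   # weak: readable by everyone
    (home / ".git-credentials").write_text("https://user:CONSTRUCTED@example.invalid\n")
    (home / ".git-credentials").chmod(0o600)   # correct: owner only
    return home

if __name__ == "__main__":
    for finding in audit_credential_exposure(Path.home()):  # audit the current account
        print(finding)
```

Stores flagged as readable by others should be tightened to owner-only, and long-lived keys replaced with short-lived tokens where the provider supports them.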
VoidLink is also extremely stealthy. It profiles the host system, detects security tools, and calculates a risk score which then determines how aggressively, or quietly, it is allowed to operate. On some systems, it will scan ports and network communications. On others, it won’t - all depending on how well-guarded the target system is.
So far, there is no evidence that the framework is being abused in the wild, CPR says. This could mean two things - the developers are either currently building out the solution, with plans to offer it for sale (or rent) in the future, or they’re developing it for a single, well-paying client.
In any case, the developers are Chinese, and likely state-affiliated at that. If that really is the case, the framework is likely being developed with cyber-espionage, data theft, and persistent access in mind.
"The sheer number of features and its modular architecture show that the authors intended to create a sophisticated, modern and feature-rich framework," Check Point researchers concluded.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.