New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments

A new Linux malware framework linked to Chinese-affiliated actors has been discovered by security researchers at Check Point Research.

This highly modular framework, named VoidLink by its developers, includes over 30 plugins, cloud and container persistence capabilities and robust operational security (OPSEC) features.

While no evidence of real-world infections linked to VoidLink has been observed, and it is not clear whether the framework is intended to be sold as a legitimate penetration testing tool or as a cybercriminal toolkit, its documentation suggests it is intended for commercial purposes.

It appears to be built and maintained by Chinese-speaking developers and is actively evolving, Check Point researchers noted in a report published on January 13.

The VoidLink developers demonstrate a high level of technical expertise, with strong proficiency across multiple programming languages. With VoidLink, they offer a sophisticated, feature-rich tool for moving through cloud environments and container ecosystems with adaptive stealth.

VoidLink’s Architecture Overview

The Check Point Research team discovered VoidLink in December 2025, after it identified a small cluster of previously unseen Linux malware samples that seemed to originate from a Chinese-speaking development environment.

“Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use,” they wrote.

VoidLink is an advanced malware command-and-control (C2) framework written in Zig and made up of custom loaders, implants, rootkits and over 30 modular plugins designed to maintain long-term access to modern Linux-based cloud and container environments.

The framework’s architecture is built around a web-based centralized panel that grants the operator complete control over the running agents, implants and plugins.

Key to VoidLink is its custom Plugin API, which allows the operator to perform a wide range of tasks within the victim’s cloud environments, including reconnaissance, intrusion, anti-forensic evasion, lateral movement, privilege escalation and persistence.

This custom Plugin API appears to be inspired by the Beacon Object Files (BOF) approach of Cobalt Strike, a popular red teaming tool used by both legitimate offensive security professionals and cybercriminals.

The Check Point researchers found 37 plugins available on VoidLink’s Dashboard.

VoidLink’s Detection Capabilities Span AWS, Google Cloud and Azure

Once a machine is infected, VoidLink surveys the compromised system and can detect which cloud provider the infected machine is running under.

According to Check Point Research, VoidLink can currently detect a wide range of cloud infrastructure types, including Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba and Tencent.

The researchers also observed plans in VoidLink’s documentation to extend these detection capabilities to Huawei, DigitalOcean and Vultr.

As well as cloud detection, it collects vast amounts of information about the infected machine, enumerating its hypervisor and detecting whether it is running in a Docker container or a Kubernetes pod.
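To make concrete what the cloud-provider and container survey described above actually touches on a Linux host, here is an added example (not Check Point’s analysis code and not VoidLink’s own implementation). It models the host as a dict of file contents and environment variables so it runs offline against constructed snapshots, and it exposes the list of artifacts such a survey reads, which is the same list a defender would put under file-access auditing. The DMI vendor strings are indicative assumptions, not values taken from the report.

```python
"""Linux cloud/container fingerprinting, reconstructed as an illustrative example.

Assumptions (not from the Check Point report):
  * provider identity is inferred from DMI strings under /sys/class/dmi/id/
  * container runtime is inferred from /.dockerenv, /proc/1/cgroup and the
    Kubernetes service-account token / KUBERNETES_SERVICE_HOST variable
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# DMI files a survey of this kind reads; good candidates for an audit watch list.
DMI_PATHS = (
    "/sys/class/dmi/id/sys_vendor",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/bios_vendor",
)
K8S_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SURVEY_ARTIFACTS = DMI_PATHS + ("/.dockerenv", "/proc/1/cgroup", K8S_TOKEN)

# Substrings (lower-cased) that identify a provider in the DMI text. Assumed,
# indicative values; "microsoft corporation" also appears on non-Azure Hyper-V.
VENDOR_SIGNATURES = {
    "aws": ("amazon",),
    "gcp": ("google",),
    "azure": ("microsoft corporation",),
    "alibaba": ("alibaba",),
    "tencent": ("tencent",),
}


@dataclass
class HostSnapshot:
    """Offline stand-in for a live host: path -> contents, plus environment."""
    files: Dict[str, str]
    env: Dict[str, str] = field(default_factory=dict)


@dataclass
class Fingerprint:
    cloud: Optional[str]       # key of VENDOR_SIGNATURES, or None
    container: Optional[str]   # "kubernetes", "docker" or None


def detect_cloud(snap: HostSnapshot) -> Optional[str]:
    """Match the concatenated DMI identity strings against known vendors."""
    text = " ".join(snap.files.get(p, "") for p in DMI_PATHS).lower()
    for name, needles in VENDOR_SIGNATURES.items():
        if any(n in text for n in needles):
            return name
    return None


def detect_container(snap: HostSnapshot) -> Optional[str]:
    """Kubernetes is checked first: a pod also carries Docker/containerd markers."""
    if "KUBERNETES_SERVICE_HOST" in snap.env or K8S_TOKEN in snap.files:
        return "kubernetes"
    if "/.dockerenv" in snap.files:
        return "docker"
    cgroup = snap.files.get("/proc/1/cgroup", "")
    if "docker" in cgroup or "containerd" in cgroup:
        return "docker"
    return None


def fingerprint(snap: HostSnapshot) -> Fingerprint:
    return Fingerprint(cloud=detect_cloud(snap), container=detect_container(snap))


def snapshot_live_host() -> HostSnapshot:
    """Read the same artifacts from the running machine (missing files are skipped)."""
    import os
    files = {}
    for path in SURVEY_ARTIFACTS:
        try:
            with open(path, "r", errors="replace") as fh:
                files[path] = fh.read()
        except OSError:
            continue
    return HostSnapshot(files=files, env=dict(os.environ))


# Constructed sample snapshots (not captured from real systems).
SAMPLE_EC2_POD = HostSnapshot(
    files={
        "/sys/class/dmi/id/sys_vendor": "Amazon EC2\n",
        "/sys/class/dmi/id/product_name": "t3.medium\n",
        "/.dockerenv": "",
        "/proc/1/cgroup": "0::/kubepods/burstable/pod-constructed/containerd-constructed\n",
        K8S_TOKEN: "constructed-token-placeholder",
    },
    env={"KUBERNETES_SERVICE_HOST": "10.0.0.1"},
)
SAMPLE_AZURE_DOCKER = HostSnapshot(
    files={"/sys/class/dmi/id/sys_vendor": "Microsoft Corporation\n", "/.dockerenv": ""},
)
SAMPLE_BARE_METAL = HostSnapshot(files={"/sys/class/dmi/id/sys_vendor": "Dell Inc.\n"})

if __name__ == "__main__":
    for label, snap in (("ec2-pod", SAMPLE_EC2_POD), ("azure-docker", SAMPLE_AZURE_DOCKER),
                        ("bare-metal", SAMPLE_BARE_METAL)):
        print(label, fingerprint(snap))
    print("artifacts worth auditing for reads:", *SURVEY_ARTIFACTS, sep="\n  ")
```

The practical value for a defender is the `SURVEY_ARTIFACTS` list: reads of DMI identity files, `/proc/1/cgroup` and the Kubernetes service-account token by a process that has no business doing so are a cheap telemetry signal for this class of survey, independent of any particular sample.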

Additionally, VoidLink activates several post-exploitation modules, ranging from automated container escapes and secret extraction to dedicated lateral movement commands.

“Together, these plugins sit atop an already sophisticated core implementation, enriching VoidLink’s capabilities beyond cloud environments to developer and administrator workstations that interface directly with those cloud environments, turning any compromised machine into a flexible launchpad for deeper access or supply-chain compromise,” the Check Point researchers wrote.

While most malware development has focused on Windows environments, the creation of such an advanced framework dedicated to Linux-based cloud environments “shows that these platforms are a valid target for threat actors,” warned the researchers.

“Defenders should proactively secure their Linux, cloud and container environments and be prepared to defend against advanced threats such as VoidLink,” they added.