VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal

VoidLink, the recently discovered Linux malware which targets Linux-based cloud servers, was likely almost entirely generated by AI, researchers have said.

First detailed by cybersecurity analysts at Check Point last week, the new malware is made up of over 30 modular plugins and is designed to maintain long-term access to Linux systems.

It was initially believed that the sophistication and modular nature of VoidLink and the way it was developed at rapid pace pointed to the malware being the work of a well-resourced, experienced cybercriminal operation.

However, following further analysis, Check Point Research has concluded that VoidLink was largely built by AI, likely under the direction of one person. AI and AI agents were not just used to write code, but to plan, structure and execute the entire project.

“VoidLink demonstrates that the long-awaited era of sophisticated AI-generated malware has likely begun,” said the Check Point blog post.

“In the hands of individual experienced threat actors or malware developers, AI can build sophisticated, stealthy and stable malware frameworks that resemble those created by sophisticated and experienced threat groups.”

What was significant in alerting researchers to AI involvement in building VoidLink was a development plan which accompanied the project and was accidentally left exposed by the developer.

This included planning documents about sprints, design ideas and timelines which represented 30 weeks of development.

However, researchers have noted that observation of the evolution of VoidLink suggests that it was pushed out over a much shorter period, just four weeks, with clear signs that the development plan was generated and orchestrated by an AI model.

“Because AI-produced documentation is typically thorough, many of these artifacts were timestamped and unusually revealing. They show how, in less than a week, a single individual likely drove VoidLink from concept to a working, evolving reality,” Check Point said.

It was also observed that the developer’s initial prompts to the AI agent did not ask it to build VoidLink directly, but rather to produce what would become the malware around an initial skeleton design. The researchers have suggested that this could have been the developer testing the guardrails of the AI tools.

The developer also utilized regular checkpoints to check in on the AI-generated code to ensure that the model was developing it as instructed and that the code worked.

The result was a malware which the researchers who first detailed VoidLink described as “sophisticated, modern and feature rich.”

Now that it has been discovered that the malware was created with heavy involvement of AI, researchers suggest it marks a watershed moment for malware development and for defending against cyber threats.

“The security community has long anticipated that AI would be a force multiplier for malicious actors. Until now, however, the clearest evidence of AI-driven activity has largely surfaced in lower-sophistication operations, often tied to less experienced threat actors, and has not meaningfully raised the risk beyond regular attacks,” said Check Point.

“VoidLink shifts that baseline: its level of sophistication shows that when AI is in the hands of capable developers, it can materially amplify both the speed and the scale at which serious offensive capability can be produced,” the blog post concluded.
