Checkpoint warns of modular Linux malware framework that targets cloud hosts


Researchers from Checkpoint have discovered a never-before-seen framework, referred to in its source code as VoidLink, that infects Linux machines with a wide assortment of modules. VoidLink features more than 30 modules that can be mixed and matched to provide stealth and tools for reconnaissance, privilege escalation, and lateral movement.

Components can be added or removed as objectives change. The framework can detect whether a host runs inside popular cloud services—AWS, GCP, Azure, Alibaba, and Tencent—by querying each vendor’s instance-metadata API, and there are indications the developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases.
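The cloud-host detection described above depends on the per-vendor instance-metadata service, which is also where a defender can look for it. The following is an added example, not Check Point's or the article's code: a small detection routine over constructed connection-log lines that flags processes touching metadata endpoints, and rates a process that probes several vendors' endpoints in turn as high severity. It assumes the vendors' default metadata addresses, a constructed log format, and an allow-list of agent names that you would tune to your own images.

```python
"""Flag processes that probe cloud instance-metadata endpoints."""
import re
from collections import defaultdict
# Well-known default metadata endpoints per vendor (assumption: vendor
# defaults; custom or proxied endpoints would have to be added here).
METADATA_ENDPOINTS = {
    "169.254.169.254": "aws/gcp/azure",  # shared link-local address
    "100.100.100.200": "alibaba",
    "169.254.0.23": "tencent",
}
# Agents expected to query the metadata service (assumption: tune to your images).
EXPECTED_CLIENTS = {"cloud-init", "amazon-ssm-agent", "google_guest_agent", "waagent"}
# Constructed log format for this example: one outbound connection per line.
LINE_RE = re.compile(r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" dst=(?P<dst>[\d.]+)')

def find_metadata_probes(lines):
    """Return {(pid, comm): (severity, sorted providers)} for suspect processes.

    An unexpected process touching one metadata endpoint rates 'medium'; one
    that touches several vendors' endpoints rates 'high', since a real agent
    talks only to its own vendor while host fingerprinting tries them in turn.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        provider = METADATA_ENDPOINTS.get(m["dst"]) if m else None
        if provider:
            seen[(int(m["pid"]), m["comm"])].add(provider)
    alerts = {}
    for key, providers in seen.items():
        if len(providers) > 1:
            alerts[key] = ("high", sorted(providers))
        elif key[1] not in EXPECTED_CLIENTS:
            alerts[key] = ("medium", sorted(providers))
    return alerts

# Constructed sample: a legitimate agent, a stray curl, and a process
# that walks several vendors' endpoints in sequence.
SAMPLE_LOG = [
    'ts=1 pid=712 comm="cloud-init" dst=169.254.169.254 dport=80',
    'ts=2 pid=4410 comm="curl" dst=169.254.169.254 dport=80',
    'ts=3 pid=5120 comm="kworker" dst=169.254.169.254 dport=80',
    'ts=4 pid=5120 comm="kworker" dst=100.100.100.200 dport=80',
    'ts=5 pid=5120 comm="kworker" dst=169.254.0.23 dport=80',
    'ts=6 pid=5120 comm="kworker" dst=10.0.0.5 dport=443',
]

if __name__ == "__main__":
    for (pid, comm), (sev, prov) in sorted(find_metadata_probes(SAMPLE_LOG).items()):
        print(f"{sev:6} pid={pid} comm={comm} providers={prov}")
```

Note that the multi-vendor rule catches the probing pattern even when the process name is chosen to look benign, which the single-endpoint allow-list alone would not.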

Similar modular frameworks have long targeted Windows servers but are less common on Linux; VoidLink's feature set is unusually broad and is "far more advanced than typical Linux malware," the researchers said.
