VoidLink is a Linux malware framework that runs in the cloud and is written in Zig. It has a modular command-and-control structure with more than 30 plugins and several layers of stealth. The rootkit hides itself by using the module name vl_stealth or, in some cases, amd_mem_encrypt.

This makes it look like a real AMD memory driver, which helps it avoid getting caught on cloud servers. Check Point Research found that one developer used AI-assisted workflows in the TRAE integrated development environment to build the whole framework, going from idea to working implant in less than a week. Every source file carried comments in Simplified Chinese, and infrastructure references pointed to two Alibaba Cloud IP addresses, 8.149.128[.]10 and 116.62.172[.]147, which clearly linked the operation to a Chinese-speaking threat actor.

Researchers found that the dump showed a multigenerational rootkit framework that had been built and tested on real systems, from CentOS 7 to Ubuntu 22.04. To protect themselves from rootkits like VoidLink, security teams should take several steps. Secure Boot and kernel module signing stop unauthorized LKMs from loading.

Kernel lockdown mode, which has been available since Linux 5.4, limits sensitive kernel operations even for root users. Auditd lets you watch the init_module and finit_module syscalls to catch unexpected module activity early on. If you regularly compare entries in the ps and ss output against the /proc directory itself, you may be able to find hidden activity even when individual monitoring tools don't show anything suspicious.
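The cross-view comparison described above, as an added example that is not part of the original article or of any vendor tool: it parses the PIDs that `ps` reports, parses the numeric entries of /proc, and reports PIDs that appear in only one view. The sample `ps` output and /proc listing at the bottom are constructed, with PID 4242 deliberately missing from the `ps` side.

```python
"""Cross-view PID check: compare the process list that `ps` reports with
the PIDs visible as numeric entries in /proc. A rootkit that filters the
process list usually leaves the two views inconsistent, so a PID present
in one view but not the other deserves a closer look."""
import os
import subprocess


def pids_from_ps(ps_output: str) -> set[int]:
    """Parse PIDs from `ps -e -o pid=` style output (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_proc_listing(entries) -> set[int]:
    """Keep only numeric directory names; those are the PIDs in /proc
    (entries such as 'self', 'net' or 'cpuinfo' are skipped)."""
    return {int(name) for name in entries if name.isdigit()}


def cross_view_diff(ps_pids: set[int], proc_pids: set[int]) -> dict:
    """Return PIDs visible in only one of the two views.

    'hidden_from_ps' is the suspicious set: present in /proc but absent
    from ps. 'gone_from_proc' is usually a benign race (a process exited
    between the two snapshots) but is reported for completeness."""
    return {
        "hidden_from_ps": sorted(proc_pids - ps_pids),
        "gone_from_proc": sorted(ps_pids - proc_pids),
    }


def live_check() -> dict:
    """Run the check against the current host (Linux only). The `ps`
    process itself and short-lived processes cause a little noise, so
    treat a PID as interesting only if it shows up on repeated runs."""
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    return cross_view_diff(pids_from_ps(ps_out),
                           pids_from_proc_listing(os.listdir("/proc")))


# Constructed sample data: ps omits PID 4242 while /proc still lists it.
SAMPLE_PS = "    1\n  812\n 1337\n"
SAMPLE_PROC = ["1", "812", "1337", "4242", "cpuinfo", "self", "net"]

if __name__ == "__main__":
    print(cross_view_diff(pids_from_ps(SAMPLE_PS),
                          pids_from_proc_listing(SAMPLE_PROC)))
```

Running `live_check()` on a real host needs `ps` in PATH; a PID that is reported as hidden on several consecutive runs is the signal worth investigating.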
