A sophisticated, cloud-first malware framework created by actors connected to China, built to establish persistent access to cloud and container environments, may soon pose a new threat to Linux systems. According to a blog post on Tuesday, Check Point Research found the framework, known as VoidLink, which consists of cloud-focused features and modules such as custom loaders, implants, rootkits, and modular plug-ins.

Check Point researchers described it as an "impressive piece of software," stating that the framework is far more sophisticated than any malware currently targeting Linux. In December, the researchers found the framework after coming across a small group of previously unknown Linux malware samples that appeared to originate from a development environment connected to China.

According to Check Point, the samples contained artifacts such as debug symbols, which showed they were not widely deployed malware but rather in-progress builds. The framework has an "unusually broad" feature set, including the ability to adjust its runtime evasion according to the security products it detects, an in-memory plug-in system for expanding functionality, and rootkit-like capabilities. The framework also identifies the cloud provider on which an infected machine is running.

According to Check Point, VoidLink can currently identify Amazon Web Services, Google Cloud Platform, Windows Azure, Alibaba, and Tencent, with planned support for identifying Huawei, DigitalOcean, and Vultr. It can also determine whether it is running inside Docker or Kubernetes and adjust its behavior accordingly.

The researchers discovered that VoidLink also collects login credentials for cloud environments and common source code version control systems like Git.
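The credential stores the article says VoidLink harvests are ordinary files in a user's home directory, so the first defensive question on a Linux host is whether those files are readable by anyone other than their owner. The following is an added example, not code from the article or from Check Point's research: a small hygiene check that walks a home directory for well-known cloud and Git credential files and flags any that are group- or world-readable. The list of file locations and the throwaway sample home directory are assumptions constructed for this example.

```python
"""
Added example (not part of the article or Check Point's research): a
defender-side hygiene check for the cloud and Git credential files that
the article says VoidLink collects. It reports each credential file that
exists under a home directory and whether local users other than the
owner can read it. File list and sample home are constructed here.
"""
import stat
import tempfile
from pathlib import Path

# Well-known credential locations relative to a user's home directory.
# This list is an assumption for the example, not taken from the article.
CREDENTIAL_FILES = [
    ".aws/credentials",
    ".config/gcloud/application_default_credentials.json",
    ".azure/accessTokens.json",
    ".git-credentials",
    ".kube/config",
    ".docker/config.json",
]


def audit_home(home: Path) -> list[dict]:
    """Return one finding per credential file present under `home`.

    Each finding records the path, the octal permission mode, and whether
    the file is readable by group or others, which is the condition that
    lets a process running as a different local account read it.
    """
    findings = []
    for rel in CREDENTIAL_FILES:
        path = home / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append({"path": str(path), "mode": oct(mode), "exposed": exposed})
    return findings


def build_sample_home() -> Path:
    """Construct a throwaway home directory with two credential files:
    one world-readable (bad) and one owner-only (good). The contents are
    placeholders, not real secrets."""
    home = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    aws = home / ".aws" / "credentials"
    aws.parent.mkdir(parents=True)
    aws.write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    aws.chmod(0o644)  # readable by every local user: this is the finding
    git = home / ".git-credentials"
    git.write_text("https://user:PLACEHOLDER@example.invalid\n")
    git.chmod(0o600)  # owner-only: correct
    return home


if __name__ == "__main__":
    for f in audit_home(build_sample_home()):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{flag:8} {f['mode']}  {f['path']}")
```

Run against a real account by calling `audit_home(Path.home())`; any `EXPOSED` line is a file that a foothold running as another local user could read without any privilege escalation, and the fix is `chmod 600` plus rotating the credential if exposure cannot be ruled out.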