Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework that combines Loadable Kernel Modules (LKMs) with eBPF for persistence and stealth. The rootkit, attributed to a Chinese-speaking threat actor, evolved through four generations and targets the kernels shipped with distributions from CentOS 7 through Ubuntu 22.04. VoidLink employs techniques such as delayed initialization, runtime key rotation, and a hybrid LKM-eBPF architecture so that each layer covers for the other. Notable features include an ICMP-based covert channel, process protection, and memfd-aware boot loading. Evidence suggests AI-assisted development, which lowers the barrier to building kernel-level rootkits. The report closes with detection strategies and defensive recommendations for this emerging threat.
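The summary names two techniques that a defender can start triaging from user space on a suspect host: an LKM that hides from the module list, and an executable loaded from an anonymous memfd rather than a file on disk. The script below is an added example written for this page; it is not Elastic's detection logic or anything from the VoidLink report, and the module, process and memfd names in its sample data are constructed placeholders, not VoidLink indicators. It assumes the standard Linux layout of /proc/modules, /sys/module/<name>/initstate and /proc/<pid>/exe, and it compares the two module views and inspects the exe links; a rootkit that also hooks directory listing or the eBPF side can hide from these checks, so treat a clean result as a starting point, not a clearance.

```python
"""Generic Linux triage for two techniques named in the VoidLink summary: an LKM
removed from the module list, and processes running from an anonymous memfd.
This is an added example, not code from Elastic Security Labs or from VoidLink."""
import os
import re
from pathlib import Path

# Constructed sample inputs (not real VoidLink artifacts): a /proc/modules listing
# that omits one module, and a /sys/module view that still contains it.
SAMPLE_PROC_MODULES = """\
xfs 1560576 2 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f4000
"""

# (name, has_initstate). Built-in modules also get a /sys/module entry but no
# 'initstate' file, so 'vt' here stands for a built-in and must not be reported.
SAMPLE_SYS_MODULE = [
    ("xfs", True),
    ("libcrc32c", True),
    ("vt", False),
    ("example_hidden", True),  # placeholder name for the constructed hidden module
]

# pid -> readlink target of /proc/<pid>/exe. A binary loaded via memfd_create()
# resolves to "/memfd:<name> (deleted)"; ordinary binaries resolve to a real path.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/sshd",
    4242: "/memfd:payload (deleted)",  # constructed, placeholder memfd name
}

MEMFD_RE = re.compile(r"^/memfd:(.*?)(?: \(deleted\))?$")


def hidden_modules(proc_modules_text, sys_modules):
    """Names present in /sys/module (with an initstate file, i.e. loaded as an
    LKM) but missing from /proc/modules. Unlinking from the module list hides a
    module from lsmod, but usually leaves its /sys/module directory behind."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(
        name for name, has_initstate in sys_modules
        if has_initstate and name not in listed
    )


def memfd_backed(exe_links):
    """(pid, memfd name) for every process whose executable lives in a memfd."""
    hits = []
    for pid, target in sorted(exe_links.items()):
        m = MEMFD_RE.match(target)
        if m:
            hits.append((pid, m.group(1)))
    return hits


def collect_live():
    """Gather the same three inputs from the running host (root needed to read
    every /proc/<pid>/exe; kernel threads have no exe link and are skipped)."""
    proc_modules = Path("/proc/modules").read_text()
    sys_modules = [(d.name, (d / "initstate").exists()) for d in Path("/sys/module").iterdir()]
    exe_links = {}
    for d in Path("/proc").iterdir():
        if d.name.isdigit():
            try:
                exe_links[int(d.name)] = os.readlink(d / "exe")
            except OSError:
                continue
    return proc_modules, sys_modules, exe_links


def triage(proc_modules_text, sys_modules, exe_links):
    """Run both checks and return the findings as a dict."""
    return {
        "hidden_modules": hidden_modules(proc_modules_text, sys_modules),
        "memfd_backed": memfd_backed(exe_links),
    }


if __name__ == "__main__":
    print("sample data:", triage(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_EXE_LINKS))
    if Path("/proc/modules").exists():
        print("this host:", triage(*collect_live()))
```

On the constructed sample the script reports the placeholder module and the memfd-backed pid 4242; on a real host, any hit from either check is worth pulling the module's /sys/module entry and the process's /proc/<pid>/maps before the kernel can be trusted to answer further questions.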

Pulse ID: 69c51fb010f23603d7d217ea
Pulse Link: https://otx.alienvault.com/pulse/69c51fb010f23603d7d217ea
Pulse Author: AlienVault
Created: 2026-03-26 11:59:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #ElasticSecurityLabs #InfoSec #Linux #Malware #OTX #OpenThreatExchange #RAT #Rootkit #bot #AlienVault

LevelBlue - Open Threat Exchange
