#voidlink

Two days ago, Check Point Research published an article regarding what they’re calling the first evidence of a completely AI-driven malware framework, VoidLink. They first encountered this new framework in December, affecting Linux, and at the time considered the cluster of samples to be unfinished in terms of a fully functional tool. But it was evolving. Fast. Too fast for human oversight considering the level of sophistication and complexity.

The framework includes cloud implantation and harvesting credentials via Git repositories. It contains features like in-memory plugins, adaptive stealth capabilities tailored enough to preserve operational security over performance and multiple command-and-control channels. Earlier this month, CPR wrote about these details, concluding that it was likely inspired by Cobalt Strike’s Beacon Object Files approach. (For more information on that, see my report on Cobalt Strike here.) VoidLink is primarily written in Zig, but also has capability in Go, C and React. At the time of this earlier article, the malware was considered to be still in proof-of-concept mode, with no real intention of use being clear other than some kind of commercial venture.

Fast forward just a week, and we have our answer. VoidLink is a self-evolving, powerful malware suite, capable of building an entire attack campaign with little oversight. It is, however, not perfect. CPR has been monitoring the architecture traced back to a single human actor and found operational security (OPSEC) failures that allowed them to document how this malware is coded and how it evolves in real time. It is there that CPR concluded that this model was AI-generated, considering that what looked like a development period that should have taken many months was happening in a matter of hours or days.

Much of my research results in finding patterns. The ebb and flow of infosec is discernible if you spend enough time in it. And today, I’m having a moment of deeply conflicted vindication. I saw this coming, and have even reported on it several times, going back to September and October of 2025; PromptLock, prompt injection in general, and this report on generative AI that brings up novel malware forms. But it is not something I wanted to be right about. AI-generated code has evolved to be autonomous and continuous. CPR’s report highlights some of the structures that give away the AI nature of VoidLink, namely the thoroughness, speed, and adaptability in a modular framework.

The danger here isn’t actually the new and innovative ways AI can be manipulated by threat actors. That was always a foregone conclusion, since everything that exists is subject to exploitation (I mean, Cobalt Strike is a great example of that). It’s the sheer volume of it that is going to overwhelm attempts to mitigate it when fully functional frameworks can be built from the ground up in less than a week. And keeping up with it will be challenging for human SOC teams that require things like food and sleep. Reports like CPR’s will go a long way to understanding the infrastructure of AI malware, but that alone is not enough. We are currently living with what I consider an anti-vaxxer mentality towards cybersecurity. Too many companies either don’t understand why they need protection or don’t want to pay for it, or be compliant with it if they do. I predicted this trend months ago. Now it remains to be seen what we, as an industry, are going to do about it.

☆ — Voidlink 🌌🔗

Definition:

Voidlink is when you create a linktype due to feeling nonhuman, but don’t know what kind of nonhuman you are. It’s a linktype created to fill the a blank space where an identity should be.

~ This term was originally NOT coined by me but by GloomOSC on the Alterhuman Fandom Wiki (LINK) (if there's a more "official" source please inform me)

~ Flag & symbol design by me; Free to use by anyone (Credit is not needed but is appreciated)

Tags for archive:

@radiomogai @kin-flags

VoidLink, a Linux rootkit, combines Loadable Kernel Modules and eBPF programs to stealthily hide processes and network connections, with AI-assisted development observed in its iterative coding and deployment.

Source: Elastic Security Labs

I will be creating French content on Tumblr, in addition to my English content.

On Tumblr, the content is mostly English, but some members of our communities don't speak much English or use Google Translate, which is not as comfortable as directly understanding the text in front of you.

So I would offer content in French, and I invite non-English speakers to do the same!

We shouldn't forget the English communities, of course! But it would be more comfortable for many of us to be able to interact without being afraid of using the wrong words 😅...

Bye! And drink water it's important!

𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼𓍊𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼𓍊𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼𓍊𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼

Je vais créer du contenu français sur Tumblr, en plus de mon contenu anglais.

Sur Tumblr, le contenu est principalement en anglais, mais certains membres de nos communautés ne parlent pas beaucoup anglais ou utilisent Google Traduction, ce qui n'est pas aussi confortable que de comprendre directement le texte en face de soi...

Je proposerais donc du contenu en français, et j'invite les non-anglophones à faire de même!

Il ne faut pas oublier les communautés anglophones, bien sûr ! Mais il serait plus confortable pour beaucoup d'entre nous de pouvoir interagir sans avoir peur d'utiliser les mauvais mots 😅...