VoidLink, described as a “cloud-first” malware framework, was identified by researchers at Check Point Research in December 2025; the most recent coverage dates to January 14, 2026. The toolkit targets Linux servers and containerized environments such as Kubernetes clusters and Docker, signalling a shift toward cloud-native infrastructure.
It is written largely in Zig and features a web-based dashboard, plus a modular Plugin API that enables on-the-fly functionality expansion, with more than 30 default plugins ranging from credential harvesting to anti-forensics tools that wipe logs.
VoidLink is designed to stay hidden, employing adaptive stealth to profile its environment and evade detection: it scans for Endpoint Detection and Response agents and, if needed, deploys deep-cover rootkits using techniques such as LD_PRELOAD manipulation and advanced eBPF programs. According to the report, the framework appears to be built and maintained by China-affiliated threat actors (the exact affiliation remains unclear) and is actively evolving.
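The LD_PRELOAD technique mentioned above has two user-space injection channels a defender can audit directly: the system-wide /etc/ld.so.preload file and per-process LD_PRELOAD environment variables visible in /proc/&lt;pid&gt;/environ. The script below is an added example written for this page, not code from Check Point's report or from VoidLink; the sample file contents, process IDs and library paths in it are constructed and are not real indicators, and the list of trusted library directories is an assumption to adjust for your own fleet.

```python
"""Defender-side audit for LD_PRELOAD library injection on a Linux host.

Added example, not from the Check Point report or the VoidLink code base.
Sample inputs below are constructed; the paths in them are not real IoCs.
"""
import os
import re
from pathlib import Path

# Directories where legitimately preloaded libraries normally live (assumption:
# a typical distro layout). Anything preloaded from elsewhere deserves a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample inputs standing in for /etc/ld.so.preload and /proc/<pid>/environ.
SAMPLE_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/x86_64-linux-gnu/libfoo.so.1\n"
    "/dev/shm/.x/libhide.so\n"
)
SAMPLE_ENVIRONS = {
    1: b"PATH=/usr/bin\0",
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libvl.so\0HOME=/root\0",
}


def parse_ld_preload(text: str) -> list[str]:
    """Return the library paths listed in an /etc/ld.so.preload body.
    The dynamic loader accepts whitespace- or colon-separated entries and '#' comments."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_suspicious_path(lib: str) -> bool:
    """Flag preloads that are relative, hidden (dot-prefixed component) or outside trusted dirs."""
    if not lib.startswith("/"):
        return True
    if any(part.startswith(".") for part in lib.split("/") if part):
        return True
    return not lib.startswith(TRUSTED_LIB_DIRS)


def preload_findings(preload_text: str, environs: dict[int, bytes]) -> list[tuple[str, str, bool]]:
    """Combine both injection channels into (source, library, suspicious) tuples."""
    findings = []
    for lib in parse_ld_preload(preload_text):
        findings.append(("/etc/ld.so.preload", lib, is_suspicious_path(lib)))
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD", "")
        for lib in re.split(r"[\s:]+", value):
            if lib:
                findings.append((f"/proc/{pid}/environ", lib, is_suspicious_path(lib)))
    return findings


def collect_live() -> tuple[str, dict[int, bytes]]:
    """Gather the same inputs from the running host. Reading another user's environ
    requires root; unreadable or already-exited processes are skipped."""
    preload_path = Path("/etc/ld.so.preload")
    preload_text = preload_path.read_text(errors="replace") if preload_path.exists() else ""
    environs = {}
    for entry in os.scandir("/proc"):
        if entry.name.isdigit():
            try:
                environs[int(entry.name)] = Path(entry.path, "environ").read_bytes()
            except OSError:
                continue
    return preload_text, environs


if __name__ == "__main__":
    text, envs = collect_live()
    for source, lib, suspicious in preload_findings(text, envs):
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '} {source}: {lib}")
```

Run it as root so every process's environ is readable, and treat any hit as a lead to confirm against the library file itself (owner, package ownership, load time). The check covers only user-space preloading; the eBPF rootkits the article also mentions operate in the kernel and need a separate review of loaded programs and maps, for example with `bpftool prog list` and `bpftool map list`.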
It includes modules to harvest credentials from Git repositories and cloud environments such as AWS, GCP, and Azure, suggesting DevOps and software supply chains as primary targets.