Elastic Security Labs’ technical analysis, published on 26 March 2026, examines VoidLink, a Linux rootkit framework first documented by Check Point Research in January 2026 and described here as a hybrid LKM-eBPF system with cloud-native features.
According to Check Point Research, VoidLink is a modular C2 platform with over 30 plugins; Elastic’s data dump corroborates this by detailing four generations of development, from CentOS 7 kernel 3.10 targets to Ubuntu 22.04, and the production “Ultimate Stealth v5” variant.
The analysis highlights a two-component architecture: the LKM, masquerading as vl_stealth, handles deep kernel manipulation and an ICMP-based covert channel, while an eBPF companion hides network activity from the ss tool by swallowing the Netlink messages ss relies on. The production v5 release introduces delayed initialization, anti-debugging timers, kill-protection for selected processes, and ten ICMP commands, including GIVE_ROOT (0x11), which grants root privileges to a target PID, along with runtime key rotation for the ICMP channel.
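Because the eBPF component, as described above, hides sockets only from the Netlink sock_diag path that ss uses, a cross-view check that compares /proc/net/tcp (a separate kernel interface) against ss output will surface connections present in one view and absent from the other. The script below is an added example written for this summary; it is not code from Elastic, Check Point, or the VoidLink project. The /proc/net/tcp and ss -4tan samples are constructed inline (on a little-endian host) so the script runs offline; on a live system, substitute the real contents of /proc/net/tcp and the captured output of ss -4tan.

```python
"""Cross-view detection: sockets listed in /proc/net/tcp but missing from `ss -4tan`.

/proc/net/tcp is read through procfs; ss obtains the same information over
Netlink (sock_diag). A component that swallows Netlink replies leaves the
procfs view intact, so any socket present in procfs but absent from ss is
worth investigating.
"""
import socket
import struct
from typing import Set, Tuple

Conn = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)

# Constructed sample of /proc/net/tcp as it appears on a little-endian host.
# Entry 2 (10.0.0.5:8080 <-> 192.168.0.90:41399) is the one ss will not show.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18754 1 0000000000000000 100 0 0 10 0
   1: 0500000A:0016 0900000A:C822 01 00000000:00000000 02:000A4B2F 00000000     0        0 22110 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:1F90 5A00A8C0:A1B7 01 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of `ss -4tan` output taken at the same moment.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234
"""


def _decode_proc_endpoint(hex_ep: str, little_endian: bool = True) -> Tuple[str, int]:
    """Decode a /proc/net/tcp endpoint such as '0500000A:0016' into ('10.0.0.5', 22).

    The address is printed as a 32-bit integer in host byte order, so it has to
    be repacked with the byte order of the host the file was read on.
    """
    addr_hex, port_hex = hex_ep.split(":")
    fmt = "<I" if little_endian else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def _split_ss_endpoint(ep: str) -> Tuple[str, int]:
    """Split an ss endpoint: '10.0.0.5:22' -> ('10.0.0.5', 22); '0.0.0.0:*' -> ('0.0.0.0', 0)."""
    host, _, port = ep.rpartition(":")
    return host, 0 if port == "*" else int(port)


def parse_proc_net_tcp(text: str, little_endian: bool = True) -> Set[Conn]:
    """Return the set of IPv4 TCP sockets described by /proc/net/tcp."""
    conns: Set[Conn] = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = _decode_proc_endpoint(fields[1], little_endian)
        rip, rport = _decode_proc_endpoint(fields[2], little_endian)
        conns.add((lip, lport, rip, rport))
    return conns


def parse_ss_tan(text: str) -> Set[Conn]:
    """Return the set of sockets described by `ss -4tan` output."""
    conns: Set[Conn] = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        lip, lport = _split_ss_endpoint(fields[3])
        rip, rport = _split_ss_endpoint(fields[4])
        conns.add((lip, lport, rip, rport))
    return conns


def hidden_from_ss(proc_text: str, ss_text: str) -> Set[Conn]:
    """Sockets visible through procfs but absent from the Netlink-based ss view."""
    return parse_proc_net_tcp(proc_text) - parse_ss_tan(ss_text)


if __name__ == "__main__":
    for conn in sorted(hidden_from_ss(PROC_NET_TCP_SAMPLE, SS_SAMPLE)):
        print("present in /proc/net/tcp but missing from ss:", conn)
```

Two caveats apply on a live host. Sockets that open or close between the two reads produce transient differences, so a result should be confirmed by repeating the comparison. And since the LKM half of the framework operates in the kernel, it could in principle tamper with procfs as well; this check detects divergence between two views, not the absence of tampering in both.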
Elastic also notes indications of AI-assisted development, citing phase-numbered refactoring patterns and tutorial-style commentary that align with LLM-driven workflows, alongside operational indicators such as Alibaba Cloud IPs and compiled kernel modules.