Introduction
During a recent investigation, we came across a data dump containing source code, compiled binaries, and deployment scripts for the kernel rootkit components of VoidLink, a cloud-native Linux malware framework first documented by Check Point Research in January 2026. Check Point's analysis revealed VoidLink to be a sophisticated, modular command-and-control framework written in Zig, f...
An analysis of VoidLink's source code reveals an advanced rootkit capable of comprehensive stealth across various kernel versions. The hybrid LKM-eBPF architecture and the use of an AI assistant during development indicate that such tools are becoming increasingly accessible to a broader range of threat actors.
The eBPF Netlink buffer manipulation technique is creative and rarely documented, posing a challenge for defenders seeking to detect this type of rootkit activity. The delayed initializat...

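Netlink buffer tampering of the kind described above changes what `ss`, `ip` and similar sock_diag/Netlink consumers see, but not necessarily what other kernel interfaces report. That makes the classic cross-view check a practical first detection step: enumerate sockets through two independent interfaces and flag anything that appears in one but not the other. The code below is an added illustration, not VoidLink code and not Check Point's tooling. It assumes, as a working hypothesis, that the rootkit filters the Netlink reply buffer while `/proc/net/tcp` is left intact; the `/proc/net/tcp` snippet and the Netlink-side listing are constructed sample data (with one socket, inode 44444, deliberately omitted from the Netlink view).

```python
"""Cross-view detection of sockets hidden from Netlink (sock_diag) enumeration.

Added example, not part of the original analysis. Hypothesis: a rootkit that
rewrites Netlink reply buffers hides a socket from `ss`/sock_diag consumers but
not from /proc/net/tcp, so the set difference between the two views exposes it.
All inputs below are constructed for the example.
"""
import socket
import struct

# Constructed /proc/net/tcp content: a listening sshd socket (inode 12345) and
# an established connection on port 8080 (inode 44444).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 20 4 30 10 -1
"""

# Constructed Netlink-side view (what a sock_diag dump would return, keyed by
# inode). Inode 44444 is missing, modelling a filtered reply buffer.
SAMPLE_NETLINK_VIEW = {
    12345: (("127.0.0.1", 22), ("0.0.0.0", 0), 0x0A),
}

TCP_STATES = {0x01: "ESTABLISHED", 0x0A: "LISTEN"}


def _hex_addr(s):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    /proc/net/tcp prints the IPv4 address as a hex word in host byte order
    (little-endian on x86/arm64) and the port as big-endian hex.
    """
    host, port = s.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(host, 16)))
    return ip, int(port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into {inode: (local, remote, state)}."""
    entries = {}
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        entries[int(inode)] = (_hex_addr(local), _hex_addr(remote), int(state, 16))
    return entries


def find_hidden(proc_view, netlink_view):
    """Inodes present in the /proc view but absent from the Netlink view."""
    return sorted(set(proc_view) - set(netlink_view))


def report(proc_view, netlink_view):
    """Human-readable findings for each socket the Netlink view does not show."""
    findings = []
    for inode in find_hidden(proc_view, netlink_view):
        (lip, lport), (rip, rport), state = proc_view[inode]
        findings.append(
            f"inode {inode}: {lip}:{lport} -> {rip}:{rport} "
            f"{TCP_STATES.get(state, hex(state))} visible in /proc but not via Netlink"
        )
    return findings


if __name__ == "__main__":
    proc_view = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for line in report(proc_view, SAMPLE_NETLINK_VIEW):
        print(line)
```

On a live host the Netlink side would come from a sock_diag dump (for example `ss -tan -e`, which prints the inode column) taken immediately before or after reading `/proc/net/tcp`; sockets that close between the two reads produce one-off discrepancies, so treat a finding as suspicious only when it persists across repeated rounds. The caveat that matters for a hybrid LKM-eBPF rootkit is that the kernel-module half can hide the same socket from `/proc` as well, in which case both views agree and this check is blind; a third, independent source (such as walking `/proc/<pid>/fd` for `socket:[inode]` links, or a kernel-side inspection of the loaded eBPF programs and their attach points) is needed to catch that case.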