Hackers News

Threats

VoidLink Rootkit Hides Deep in Linux With eBPF and Kernel Modules

Marcus Rodriguez
March 26, 2026

Key Takeaways

  • VoidLink is a sophisticated new Linux rootkit leveraging both Loadable Kernel Modules (LKMs) and extended Berkeley Packet Filter (eBPF) programs for deep stealth.
  • The malware is a modular, cloud-native framework written in Zig, developed rapidly by a single, AI-assisted developer.
  • VoidLink effectively hides processes, network connections, and files, communicating via a covert ICMP channel.
  • It targets various Linux distributions, including CentOS 7 and Ubuntu 22.04, and is linked to a Chinese-speaking threat actor.
  • No CVE is associated with VoidLink: it is post-compromise tooling that abuses legitimate kernel facilities (module loading and eBPF) from an already-privileged foothold rather than exploiting a single vulnerability.

VoidLink: A New Linux Rootkit Employs Dual-Layer Stealth with eBPF and Kernel Modules

A new Linux rootkit, dubbed VoidLink, combines a Loadable Kernel Module (LKM) with extended Berkeley Packet Filter (eBPF) programs so that each layer conceals what the other cannot reach, giving the implant a deep foothold inside the kernel. Check Point Research documented the framework in January 2026.

VoidLink is characterized as a cloud-native Linux malware framework, engineered in the Zig programming language. Its design incorporates a modular command-and-control (C2) infrastructure, boasting over 30 distinct plugins and multiple layers of obfuscation, positioning it among the most capable Linux rootkits observed in recent years.

One particularly alarming aspect highlighted by Check Point Research is the rapid development timeline of VoidLink. Researchers discovered that a single developer, utilizing AI-assisted workflows within the TRAE integrated development environment, brought the entire framework from conception to a fully operational implant in less than a week.

On the cloud servers it targets, the rootkit loads under the module name vl_stealth. Some variants instead use the name amd_mem_encrypt, impersonating a legitimate AMD memory-encryption driver so that the module blends in with legitimately loaded modules in lsmod output.

Deep Dive into VoidLink’s Architecture

Analysts at Elastic Security Labs uncovered the malware’s intricate architecture after obtaining a data dump containing VoidLink’s source code, compiled binaries, and deployment scripts. This trove of information allowed researchers to dissect the rootkit’s operational mechanisms.

The data dump revealed a multi-generational rootkit framework, indicating a continuous development cycle and extensive testing across various real-world Linux systems, from CentOS 7 to Ubuntu 22.04. Every source file within the dump was annotated in Simplified Chinese, and infrastructure references pointed to Alibaba Cloud IP addresses—8.149.128[.]10 and 116.62.172[.]147—strongly suggesting a connection to a Chinese-speaking threat actor.

The operational impact of VoidLink is substantial. It conceals running processes, active network connections, and files from system administrators. It also maintains a covert command channel over ICMP: the implant opens no listening socket, so nothing appears in socket listings, and operator commands ride inside ordinary-looking ping packets. The most recent iteration, dubbed Ultimate Stealth v5, adds delayed hook installation, anti-debugging timers, process kill protection, and XOR-obfuscated module names, all of which complicate forensic investigation.

VoidLink is not merely a standalone tool. Its loader script, load_lkm.sh, scans for and hides fileless implants running from anonymous memory file descriptors (memfd) as soon as the module is active. This confirms that VoidLink is designed to protect a companion implant, likely a reverse shell, that is already running on the compromised system.

A Two-Layer Hiding System

The most technically innovative aspect of VoidLink is its hybrid architecture, which strategically divides stealth operations between two distinct components. While most Linux rootkits typically rely on a single concealment method—be it an LKM, an eBPF program, or an injected shared library—VoidLink simultaneously deploys both, with each component specializing in the tasks it performs most effectively.

The LKM component uses the kernel's function tracing framework (ftrace) to hook system calls. It intercepts getdents64, the syscall behind every directory listing, and drops chosen entries; that hides files on disk and, because ps and top enumerate /proc the same way, processes as well. It also filters reads of /proc/modules and /proc/kallsyms to erase its own name and symbols. Its covert command channel is a Netfilter hook that picks XOR-obfuscated operator instructions out of ordinary ICMP echo requests and never emits a reply, so no port and no answering traffic betray it.

The eBPF component covers a blind spot the LKM cannot: hiding connections from the ss command. netstat reads /proc/net/tcp, which the LKM's file hooks can filter, but ss asks the kernel over a Netlink (sock_diag) socket, a path the LKM does not control. VoidLink's eBPF program hooks __sys_recvmsg and rewrites the Netlink reply in the caller's user-space buffer. Deleting a hidden record outright would break the message chain, so instead it "swallows" the record by extending the nlmsg_len field of the preceding message; the ss parser then advances straight past the hidden entry, treating its bytes as the tail of the previous message rather than as a socket.

This sophisticated eBPF technique required significant development effort. Researchers observed at least 10 versions of the eBPF program, from hide_ss_v1.bpf.c through hide_ss_v9.bpf.c, demonstrating extensive iteration and real-world testing on live systems before this stable and effective method was achieved.
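
To make the Netlink trick concrete, here is an added example in C written for this page; it is not VoidLink's code and not taken from the Elastic dump. It lays out a constructed sock_diag-style reply as a chain of nlmsghdr records, walks it the way ss does, performs the nlmsg_len "swallow" on one record, and shows the walker stepping over the record behind it. The header struct mirrors struct nlmsghdr; the message type value, the 4-byte "connection id" payload and the sample ids are assumptions chosen for the demonstration, and find_embedded_headers is a heuristic counter-check of my own, not a published detection.

```c
/* Added example (not VoidLink's code): the Netlink "swallow" in isolation.
 * A sock_diag reply is a chain of nlmsghdr records; ss walks it with
 * NLMSG_OK/NLMSG_NEXT, trusting each nlmsg_len to locate the next record.
 * Growing one record's nlmsg_len makes the walker skip the record after it,
 * while that record's bytes remain in the buffer. Messages, type value and
 * the uint32 "connection id" payload are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NL_ALIGNTO 4u
#define NL_ALIGN(len) (((len) + NL_ALIGNTO - 1u) & ~(NL_ALIGNTO - 1u))
#define SOCK_DIAG_BY_FAMILY_TYPE 20   /* assumption: nlmsg_type of the sample records */

struct nl_hdr {               /* same layout as struct nlmsghdr */
    uint32_t nlmsg_len;       /* header + payload length, before alignment */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NL_HDRLEN ((uint32_t)NL_ALIGN(sizeof(struct nl_hdr)))

/* Lay out n records back to back, each carrying one uint32 id. Returns bytes used. */
static size_t build_chain(uint8_t *buf, size_t cap, const uint32_t *ids, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = NL_HDRLEN + (uint32_t)sizeof(uint32_t);
        if (off + NL_ALIGN(len) > cap) return 0;
        struct nl_hdr h = { len, SOCK_DIAG_BY_FAMILY_TYPE, 2 /* NLM_F_MULTI */, 1, 0 };
        memcpy(buf + off, &h, sizeof h);
        memcpy(buf + off + NL_HDRLEN, &ids[i], sizeof ids[i]);
        off += NL_ALIGN(len);
    }
    return off;
}

/* Walk the chain the way ss does: record each header offset and advance by
 * NL_ALIGN(nlmsg_len). Returns the number of records seen (at most cap stored). */
static size_t walk_offsets(const uint8_t *buf, size_t total, size_t *offs, size_t cap)
{
    size_t n = 0, off = 0;
    while (off + NL_HDRLEN <= total) {
        struct nl_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.nlmsg_len < NL_HDRLEN || off + h.nlmsg_len > total) break;
        if (n < cap) offs[n] = off;
        n++;
        off += NL_ALIGN(h.nlmsg_len);
    }
    return n;
}

/* Same walk, collecting the payload ids: the connections ss would print. */
static size_t walk_ids(const uint8_t *buf, size_t total, uint32_t *out, size_t cap)
{
    size_t offs[64];
    size_t n = walk_offsets(buf, total, offs, 64);
    if (n > 64) n = 64;
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++)
        memcpy(&out[i], buf + offs[i] + NL_HDRLEN, sizeof(uint32_t));
    return n;
}

/* The swallow: the record at prev_off absorbs the record after it by growing
 * its own nlmsg_len. Nothing is erased; the hidden header becomes "payload". */
static int swallow_next(uint8_t *buf, size_t total, size_t prev_off)
{
    struct nl_hdr prev, victim;
    if (prev_off + NL_HDRLEN > total) return 0;
    memcpy(&prev, buf + prev_off, sizeof prev);
    size_t victim_off = prev_off + NL_ALIGN(prev.nlmsg_len);
    if (victim_off + NL_HDRLEN > total) return 0;
    memcpy(&victim, buf + victim_off, sizeof victim);
    if (victim_off + NL_ALIGN(victim.nlmsg_len) > total) return 0;
    prev.nlmsg_len = (uint32_t)(NL_ALIGN(prev.nlmsg_len) + victim.nlmsg_len);
    memcpy(buf + prev_off, &prev, sizeof prev);
    return 1;
}

/* Heuristic counter-check (my own, not a published detection): a swallowed
 * record leaves a header-shaped object at a 4-byte-aligned offset the walker
 * never visited. Real inet_diag payloads can contain look-alike words, so treat
 * hits as leads to confirm against /proc/net/tcp, not as proof. */
static size_t find_embedded_headers(const uint8_t *buf, size_t total, uint16_t type)
{
    size_t offs[64], hits = 0;
    size_t seen = walk_offsets(buf, total, offs, 64);
    if (seen > 64) seen = 64;
    for (size_t off = 0; off + NL_HDRLEN <= total; off += NL_ALIGNTO) {
        int visited = 0;
        for (size_t i = 0; i < seen; i++) if (offs[i] == off) visited = 1;
        if (visited) continue;
        struct nl_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.nlmsg_type == type && h.nlmsg_len >= NL_HDRLEN && off + h.nlmsg_len <= total)
            hits++;
    }
    return hits;
}

int main(void)
{
    uint8_t buf[256];
    const uint32_t ids[] = { 1, 2, 3, 4 };   /* constructed sample "connections" */
    size_t total = build_chain(buf, sizeof buf, ids, 4);
    uint32_t seen[8];
    printf("before swallow: %zu records\n", walk_ids(buf, total, seen, 8));
    swallow_next(buf, total, NL_ALIGN(NL_HDRLEN + 4));  /* record #2 absorbs record #3 */
    size_t n = walk_ids(buf, total, seen, 8);
    printf("after swallow: %zu records, embedded headers: %zu\n",
           n, find_embedded_headers(buf, total, SOCK_DIAG_BY_FAMILY_TYPE));
    return 0;
}
```

Build with `cc -std=c99 -Wall netlink_swallow.c` and run it: four records go in, three come out of the walker, and the scan finds exactly one orphaned header. Real ss replies carry struct inet_diag_msg plus attributes rather than a 4-byte id, so the heuristic needs the real record layout before it is useful against live traffic; the point it makes stands regardless, namely that the hidden socket is still in the buffer and only the parser's bookkeeping was subverted.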

What You Should Do

  • Enable Secure Boot and Kernel Module Signing: Boot with Secure Boot and enforce module signatures (CONFIG_MODULE_SIG_FORCE, or module.sig_enforce=1 on the kernel command line) so that an unsigned LKM such as vl_stealth is refused at load time.
  • Activate Kernel Lockdown Mode: On kernels 5.4 and newer, boot with lockdown=integrity (or lockdown=confidentiality) so that even root cannot load unsigned modules or otherwise alter the running kernel; the active mode is shown in /sys/kernel/security/lockdown.
  • Audit Module Activity: Add auditd rules for the init_module, finit_module and delete_module syscalls (for example, -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules) and for the bpf syscall, so that unexpected module loads, unloads and eBPF program loads are recorded early.
  • Restrict eBPF Usage: Set kernel.unprivileged_bpf_disabled=1 (or 2, which cannot be undone until reboot) and block the bpf() syscall in seccomp profiles for workloads that do not need it. Note the limit of this control: VoidLink runs as root, so these settings stop unprivileged abuse but not an implant that already has root; pair them with lockdown and with auditing of bpf().
  • Cross-Reference System Utilities: ps, top and ls /proc all share the getdents64 path VoidLink hooks, so also stat individual /proc/<pid> entries directly and compare the result with what ps reports. Likewise compare ss (Netlink) with /proc/net/tcp and /proc/net/tcp6 (procfs): the LKM filters one path and the eBPF program the other, so disagreement between the two views is itself the indicator.
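
The cross-referencing step in the last bullet, as an added C example written for this page (not a tool from the article or from any vendor). It enumerates /proc twice, once through readdir (the getdents64 path a rootkit hooks) and once by stat-ing each /proc/<pid> by name, and reports PIDs that only the second method found, filtering out thread IDs, which are reachable by name without being listed and would otherwise be false positives. It also counts ESTABLISHED and LISTEN rows in /proc/net/tcp-format text so the numbers can be set against ss. The probe ceiling of 65536 PIDs and the embedded /proc/net/tcp sample are constructed assumptions.

```c
/* Added example for this page (not from the article or any vendor tool):
 * cross-reference checks against a host suspected of hiding processes and
 * sockets. readdir() on /proc goes through getdents64, the syscall a rootkit
 * like VoidLink hooks; stat() on /proc/<pid> resolves the entry by name.
 * The /proc/net/tcp sample below is constructed so the parser runs offline. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PID_PROBE_MAX 65536L  /* assumption: raise to /proc/sys/kernel/pid_max for a full sweep */

static int cmp_long(const void *a, const void *b)
{
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* View 1: numeric /proc entries as returned by readdir() (the hookable path). */
static size_t pids_via_readdir(long *out, size_t cap)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    size_t n = 0;
    if (!d) return 0;
    while ((e = readdir(d)) != NULL && n < cap)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = atol(e->d_name);
    closedir(d);
    qsort(out, n, sizeof out[0], cmp_long);
    return n;
}

/* Threads exist as /proc/<tid> by name without being listed, so keep only
 * thread-group leaders (Tgid == pid). An unreadable status file is kept as a
 * candidate rather than discarded. */
static int is_thread_group_leader(long pid)
{
    char path[64], line[128];
    long tgid = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid == -1 || tgid == pid;
}

/* View 2: probe each candidate PID with stat(); no directory listing involved. */
static size_t pids_via_stat(long max_pid, long *out, size_t cap)
{
    char path[64];
    struct stat st;
    size_t n = 0;
    for (long pid = 1; pid <= max_pid && n < cap; pid++) {
        snprintf(path, sizeof path, "/proc/%ld", pid);
        if (stat(path, &st) == 0 && is_thread_group_leader(pid)) out[n++] = pid;
    }
    return n;
}

/* PIDs present in 'probed' but absent from 'reported'; both lists ascending.
 * Returns how many were copied into 'hidden'. */
static size_t pids_missing_from(const long *reported, size_t nr,
                                const long *probed, size_t np,
                                long *hidden, size_t cap)
{
    size_t i = 0, j = 0, n = 0;
    while (j < np && n < cap) {
        while (i < nr && reported[i] < probed[j]) i++;
        if (i < nr && reported[i] == probed[j]) { i++; j++; continue; }
        hidden[n++] = probed[j++];
    }
    return n;
}

/* Count ESTABLISHED (st 01) and LISTEN (st 0A) rows in /proc/net/tcp-format
 * text, to compare with `ss -Htan state established` and `ss -Htln`. */
struct tcp_counts { int established; int listen; };

static struct tcp_counts count_tcp_states(const char *text)
{
    struct tcp_counts c = { 0, 0 };
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char row[512], sl[16], local[64], remote[64], st[8];
        if (len < sizeof row) {
            memcpy(row, line, len);
            row[len] = '\0';
            if (sscanf(row, "%15s %63s %63s %7s", sl, local, remote, st) == 4
                && strcmp(sl, "sl") != 0) {      /* skip the header row */
                if (strcmp(st, "01") == 0) c.established++;
                else if (strcmp(st, "0A") == 0) c.listen++;
            }
        }
        line = eol ? eol + 1 : line + len;
    }
    return c;
}

/* Constructed sample: one listener on 127.0.0.1:53 and two established
 * connections, using the real file's column layout. */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
"   1: 0A00020F:D4A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1\n"
"   2: 0A00020F:0016 0A000201:E1C2 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 1 10 -1\n";

int main(void)
{
    static long reported[PID_PROBE_MAX], probed[PID_PROBE_MAX], hidden[256];
    size_t nr = pids_via_readdir(reported, PID_PROBE_MAX);
    size_t np = pids_via_stat(PID_PROBE_MAX, probed, PID_PROBE_MAX);
    size_t nh = pids_missing_from(reported, nr, probed, np, hidden, 256);
    printf("readdir: %zu pids, stat: %zu pids, only via stat: %zu\n", nr, np, nh);
    for (size_t i = 0; i < nh; i++) printf("  hidden candidate: %ld\n", hidden[i]);
    struct tcp_counts c = count_tcp_states(SAMPLE_PROC_NET_TCP);
    printf("sample /proc/net/tcp: %d established, %d listen\n", c.established, c.listen);
    return 0;
}
```

A process that starts between the two sweeps shows up as a candidate too, so run the check twice and keep only PIDs that persist. For the socket side, feed count_tcp_states the concatenation of /proc/net/tcp and /proc/net/tcp6 and compare with the ss counts taken at the same moment; a rootkit that filters only one of the two paths produces a stable difference, while normal churn does not.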

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Malware, Security, Threat

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

All Rights Reserved by HackersRadar ©2026