VoidLink Rootkit Hides Deep in Linux With eBPF and Kernel Modules
Key Takeaways
- VoidLink is a sophisticated new Linux rootkit leveraging both Loadable Kernel Modules (LKMs) and extended Berkeley Packet Filter (eBPF) programs for deep stealth.
- The malware is a modular, cloud-native framework written in Zig, developed rapidly by a single, AI-assisted developer.
- VoidLink effectively hides processes, network connections, and files, communicating via a covert ICMP channel.
- It targets various Linux distributions, including CentOS 7 and Ubuntu 22.04, and is linked to a Chinese-speaking threat actor.
- No specific CVE is associated with VoidLink as it exploits system design rather than a single vulnerability.
VoidLink: A New Linux Rootkit Employs Dual-Layer Stealth with eBPF and Kernel Modules
A highly advanced and novel rootkit, dubbed VoidLink, poses a significant threat to Linux environments by employing a sophisticated dual-layer approach involving both Loadable Kernel Modules (LKMs) and extended Berkeley Packet Filter (eBPF) programs. This combination allows the malware to achieve unprecedented stealth deep within the operating system’s kernel, as extensively documented by Check Point Research in January 2026.
VoidLink is characterized as a cloud-native Linux malware framework, engineered in the Zig programming language. Its design incorporates a modular command-and-control (C2) infrastructure, boasting over 30 distinct plugins and multiple layers of obfuscation, positioning it among the most capable Linux rootkits observed in recent years.
One particularly alarming aspect highlighted by Check Point Research is the rapid development timeline of VoidLink. Researchers discovered that a single developer, utilizing AI-assisted workflows within the TRAE integrated development environment, brought the entire framework from conception to a fully operational implant in less than a week.
To evade detection on cloud servers, the rootkit masquerades under the module name vl_stealth. Some variants adopt the name amd_mem_encrypt, impersonating a legitimate AMD memory driver to blend in with system processes.
Deep Dive into VoidLink’s Architecture
Analysts at Elastic Security Labs uncovered the malware’s intricate architecture after obtaining a data dump containing VoidLink’s source code, compiled binaries, and deployment scripts. This trove of information allowed researchers to dissect the rootkit’s operational mechanisms.
The data dump revealed a multi-generational rootkit framework, indicating a continuous development cycle and extensive testing across various real-world Linux systems, from CentOS 7 to Ubuntu 22.04. Every source file within the dump was annotated in Simplified Chinese, and infrastructure references pointed to Alibaba Cloud IP addresses—8.149.128[.]10 and 116.62.172[.]147—strongly suggesting a connection to a Chinese-speaking threat actor.
The operational impact of VoidLink is substantial. It can effectively conceal running processes, active network connections, and files from system administrators. Furthermore, it maintains a covert command channel via ICMP, operating without visible ports or traffic, making its presence exceedingly difficult to detect and analyze. The most recent iteration, dubbed Ultimate Stealth v5, incorporates advanced evasion techniques such as delayed hook installation, anti-debugging timers, process kill protection, and XOR-obfuscated module names, rendering forensic investigations exceptionally challenging.
VoidLink is not merely a standalone tool; its boot loader script, load_lkm.sh, actively scans for and hides fileless implants running from anonymous memory file descriptors upon activation. This behavior confirms that VoidLink is designed to protect a companion implant—likely a reverse shell—that is already active on the compromised system.
A Two-Layer Hiding System
The most technically innovative aspect of VoidLink is its hybrid architecture, which strategically divides stealth operations between two distinct components. While most Linux rootkits typically rely on a single concealment method—be it an LKM, an eBPF program, or an injected shared library—VoidLink simultaneously deploys both, with each component specializing in the tasks it performs most effectively.
The LKM component leverages the Linux kernel’s function tracing framework to hook critical system calls. It intercepts getdents64 directory listings to obscure files and processes, and it filters the output of /proc/modules and /proc/kallsyms to erase its own traces. Additionally, it establishes a covert command channel through Netfilter hooks, processing XOR-encrypted operator instructions hidden within ordinary ping packets without generating any visible replies.
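The covert channel described above is visible only by its absence: a Netfilter hook that consumes the operator's pings before the ICMP stack sees them leaves echo requests that never get a reply, while the same host keeps answering everyone else. The following detector, added here as an illustration and not code from Check Point, Elastic or the VoidLink source dump, runs that heuristic over tcpdump-style ICMP lines. The capture excerpt, the addresses (RFC 5737 documentation ranges) and the ICMP ids are all constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump-style ICMP echo lines, e.g.
# "12:00:01.000000 IP 192.0.2.10 > 10.0.0.7: ICMP echo request, id 4711, seq 1, length 64"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_icmp_lines(lines):
    """Parse echo request/reply lines; anything else (other ICMP types, TCP) is ignored."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"], "kind": d["kind"],
            "id": int(d["id"]), "seq": int(d["seq"]), "len": int(d["len"]),
        })
    return records


def unanswered_requests(records):
    """Echo requests with no reply carrying the same id/seq back from the target.

    A Linux host that accepts echo requests answers every one of them; a Netfilter
    hook that swallows operator pings before the ICMP stack sees them leaves this gap."""
    answered = {(r["dst"], r["src"], r["id"], r["seq"]) for r in records if r["kind"] == "reply"}
    return [r for r in records
            if r["kind"] == "request" and (r["src"], r["dst"], r["id"], r["seq"]) not in answered]


def silent_pairs(records, min_unanswered=3):
    """(sender, target) pairs whose echo requests repeatedly go unanswered.

    Keying by pair matters: the target may answer everyone else normally, and that
    selective silence toward one peer is the signal worth alerting on. Hosts that set
    icmp_echo_ignore_all answer nobody and show up for every sender, which is easy to tell apart."""
    counts = defaultdict(int)
    for r in unanswered_requests(records):
        counts[(r["src"], r["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_unanswered}


# Constructed capture excerpt (documentation addresses, not real infrastructure):
# 192.0.2.10 pings normally and is answered; 203.0.113.5 sends four requests of odd,
# varying sizes that are never answered; 198.51.100.3 loses a single packet (not enough to flag).
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10 > 10.0.0.7: ICMP echo request, id 4711, seq 1, length 64
12:00:01.000180 IP 10.0.0.7 > 192.0.2.10: ICMP echo reply, id 4711, seq 1, length 64
12:00:02.000000 IP 192.0.2.10 > 10.0.0.7: ICMP echo request, id 4711, seq 2, length 64
12:00:02.000170 IP 10.0.0.7 > 192.0.2.10: ICMP echo reply, id 4711, seq 2, length 64
12:00:05.000000 IP 203.0.113.5 > 10.0.0.7: ICMP echo request, id 9001, seq 1, length 92
12:00:05.500000 IP 203.0.113.5 > 10.0.0.7: ICMP echo request, id 9001, seq 2, length 108
12:00:06.000000 IP 203.0.113.5 > 10.0.0.7: ICMP echo request, id 9001, seq 3, length 76
12:00:06.500000 IP 203.0.113.5 > 10.0.0.7: ICMP echo request, id 9001, seq 4, length 92
12:00:07.000000 IP 198.51.100.3 > 10.0.0.7: ICMP echo request, id 17, seq 1, length 64
"""


def analyze_sample():
    return silent_pairs(parse_icmp_lines(SAMPLE_CAPTURE.splitlines()))


if __name__ == "__main__":
    for (src, dst), n in analyze_sample().items():
        print(f"{dst} silently dropped {n} echo requests from {src}")
```

On a real network tap the same logic runs over `tcpdump -n icmp` output; the threshold and a time window keep ordinary packet loss from paging anyone, while a host that answers its monitoring probes but never answers one particular peer is worth pulling for a memory image.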
The eBPF component addresses a critical blind spot that the LKM cannot cover: hiding active connections from the ss command. Unlike netstat, which retrieves information from /proc/net/tcp, the ss utility queries the kernel via Netlink sockets—a data path that bypasses the LKM’s control. VoidLink’s eBPF program hooks __sys_recvmsg and meticulously modifies Netlink responses directly in userspace memory. Instead of simply deleting hidden entries, which would corrupt the message chain, it “swallows” them by extending the length field of the preceding message. This manipulation causes the ss parser to skip the hidden connection, interpreting it as padding.
This sophisticated eBPF technique required significant development effort. Researchers observed at least 10 versions of the eBPF program, from hide_ss_v1.bpf.c through hide_ss_v9.bpf.c, demonstrating extensive iteration and real-world testing on live systems before this stable and effective method was achieved.
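The "swallowing" trick works because ss walks a sock_diag dump purely by nlmsg_len, so a grown length field makes it step straight over the next record. The record itself is still sitting in the buffer untouched, which is what a forensic check can key on. The parser below is an added example, written for this article rather than taken from the VoidLink source or any Elastic or Check Point tooling; it walks a Netlink dump the way a consumer would and separately scans each record's interior for a header that lines up exactly with the outer record's end. The socket records are constructed with dummy payloads (a real one carries an inet_diag_msg) and the seq/pid values are arbitrary.

```python
import struct

# struct nlmsghdr, host byte order (little-endian here):
# nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDR = struct.Struct("<IHHII")
NLMSG_DONE = 3
SOCK_DIAG_BY_FAMILY = 20   # nlmsg_type of each socket record in a sock_diag dump
NLM_F_MULTI = 0x2


def nlmsg_align(n):
    return (n + 3) & ~3


def walk_chain(buf):
    """Walk the dump the way a consumer such as ss does: step by nlmsg_len and trust it."""
    off = 0
    while off + NLMSG_HDR.size <= len(buf):
        ln, typ, flags, seq, pid = NLMSG_HDR.unpack_from(buf, off)
        if ln < NLMSG_HDR.size or off + ln > len(buf):
            raise ValueError(f"malformed nlmsghdr at offset {off}")
        yield off, ln, typ, flags, seq, pid
        if typ == NLMSG_DONE:
            break
        off += nlmsg_align(ln)


def find_swallowed(buf):
    """Offsets of records that sit inside another record's claimed extent.

    A swallowed record is byte-for-byte intact; only the preceding header's nlmsg_len
    was grown to cover it. So scan each record's body at 4-byte steps for a header that
    shares the outer record's type/flags/seq/pid and whose own length lands exactly on
    the outer record's end. Genuine payload bytes satisfy all of that only by coincidence."""
    hidden = []
    for off, ln, typ, flags, seq, pid in walk_chain(buf):
        outer_end = off + nlmsg_align(ln)
        pos = off + NLMSG_HDR.size
        while pos + NLMSG_HDR.size <= outer_end:
            iln, ityp, iflags, iseq, ipid = NLMSG_HDR.unpack_from(buf, pos)
            if ((ityp, iflags, iseq, ipid) == (typ, flags, seq, pid)
                    and iln >= NLMSG_HDR.size and pos + nlmsg_align(iln) == outer_end):
                hidden.append(pos)
                break
            pos += 4
    return hidden


def build_record(payload, typ=SOCK_DIAG_BY_FAMILY, flags=NLM_F_MULTI, seq=0x1234, pid=4242):
    """One Netlink record around a constructed payload, padded to 4 bytes like the kernel does."""
    padded = payload + b"\0" * (nlmsg_align(len(payload)) - len(payload))
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(payload), typ, flags, seq, pid) + padded


def constructed_samples():
    """A clean three-record dump, and the same bytes with the middle record swallowed."""
    a = build_record(b"A" * 20)
    b = build_record(b"B" * 24)
    c = build_record(b"C" * 20)
    done = build_record(struct.pack("<i", 0), typ=NLMSG_DONE)
    clean = a + b + c + done
    # The tampered copy grows a's nlmsg_len by b's length: b's bytes are untouched,
    # but a length-driven walker now steps from a straight to c.
    grown = struct.pack("<I", len(a) + struct.unpack_from("<I", b)[0]) + a[4:]
    tampered = grown + b + c + done
    return clean, tampered


if __name__ == "__main__":
    for name, dump in zip(("clean", "tampered"), constructed_samples()):
        visible = len(list(walk_chain(dump)))
        print(f"{name}: {visible} records visible, swallowed record at {find_swallowed(dump)}")
```

The scan is cheap and has no dependency on ss: a responder can capture a raw sock_diag reply with a small Netlink client (or carve one out of a memory image) and run the interior scan offline. The same idea generalises to any NLM_F_MULTI dump, not just TCP sockets, since the check only uses the nlmsghdr fields.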
What You Should Do
- Enable Secure Boot and Kernel Module Signing: Implement Secure Boot and enforce kernel module signing to prevent unauthorized Loadable Kernel Modules (LKMs) from loading onto your systems.
- Activate Kernel Lockdown Mode: For Linux systems running kernel 5.4 or newer, enable kernel lockdown mode to restrict sensitive kernel operations, even for root users.
- Audit Module Activity: Configure Auditd to monitor the init_module and finit_module syscalls. This will help detect unexpected or unauthorized module loading activity early.
- Restrict eBPF Usage: Mitigate eBPF abuse risks by restricting the bpf() syscall through seccomp profiles and enabling kernel.unprivileged_bpf_disabled.
- Cross-Reference System Utilities: Regularly cross-reference output from tools like ps and ss with direct inspections of /proc directory entries. This method can help uncover hidden activity that individual monitoring tools might miss due to rootkit manipulation.
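The cross-referencing advice in the last item, and the /proc/modules filtering described under the LKM component, both come down to the same idea: a getdents64 hook edits directory listings, but a direct path lookup, sysfs, or a different kernel interface may still tell the truth. The script below is an added example for this article, not a tool from the researchers or from the dump; it compares each pair of views and reads back two of the hardening settings listed above. Only the pure helpers are exercised by fixed inputs; the live functions assume a Linux host with ps and ss installed.

```python
import os
import subprocess


def hidden_from_listing(listed, probed):
    """Names found by direct lookup but missing from a listing (pure helper, no I/O)."""
    return sorted(set(probed) - set(listed))


def pids_from_listing():
    """What readdir()/getdents64 on /proc reports, i.e. what ps and ls see."""
    return {n for n in os.listdir("/proc") if n.isdigit()}


def _is_group_leader(pid):
    # /proc/<tid> of a non-leader thread resolves by lookup but is never listed, so
    # without this filter every multithreaded process would look like a hidden one.
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def pids_from_probe(max_pid=None):
    """Look up /proc/<pid>/status for every possible pid instead of listing /proc.

    A getdents64 hook filters directory entries; it has no say in a direct path lookup,
    so a process hidden from ps still answers here unless the rootkit hooks lookup too."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {str(p) for p in range(1, max_pid + 1)
            if os.path.exists(f"/proc/{p}/status") and _is_group_leader(p)}


def pids_from_ps():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def modules_from_proc():
    with open("/proc/modules") as f:
        return {line.split()[0] for line in f if line.strip()}


def modules_from_sysfs():
    """Loaded modules as sysfs sees them: entries with an initstate file are real LKMs;
    built-in code that merely exposes parameters has no initstate."""
    return {n for n in os.listdir("/sys/module") if os.path.exists(f"/sys/module/{n}/initstate")}


def tcp_socket_counts():
    """Row count from procfs (what netstat reads) next to Netlink (what ss reads).

    Sockets come and go between the two reads, so a difference of a few is noise;
    a persistent shortfall on the ss side is what the eBPF component would produce."""
    proc = 0
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                proc += sum(1 for _ in f) - 1   # minus the header line
        except FileNotFoundError:
            pass
    ss = subprocess.run(["ss", "-tanH"], capture_output=True, text=True, check=True).stdout
    return proc, sum(1 for line in ss.splitlines() if line.strip())


def parse_lockdown(text):
    """Extract the active mode from securityfs text such as '[none] integrity confidentiality'."""
    return text[text.index("[") + 1:text.index("]")]


def hardening_status():
    """Read back two of the settings recommended above, from procfs and securityfs."""
    status = {}
    try:
        with open("/proc/sys/kernel/unprivileged_bpf_disabled") as f:
            status["unprivileged_bpf_disabled"] = f.read().strip()
    except OSError:
        status["unprivileged_bpf_disabled"] = "n/a"
    try:
        with open("/sys/kernel/security/lockdown") as f:
            status["lockdown"] = parse_lockdown(f.read().strip())
    except (OSError, ValueError):
        status["lockdown"] = "n/a"
    return status


if __name__ == "__main__":
    print("in /proc listing but not in ps:     ", hidden_from_listing(pids_from_ps(), pids_from_listing()))
    print("reachable by lookup but not listed: ", hidden_from_listing(pids_from_listing(), pids_from_probe()))
    print("in sysfs but not in /proc/modules:  ", hidden_from_listing(modules_from_proc(), modules_from_sysfs()))
    print("tcp rows procfs vs ss:              ", tcp_socket_counts())
    print("hardening:                          ", hardening_status())
```

The pid probe walks up to pid_max lookups and takes a few seconds; run it from a trusted live-response image rather than the suspect host's own binaries where possible, since an LKM that filters getdents64 can be extended to lie on lookup as well. The module and socket comparisons catch the specific asymmetries this report describes: a module scrubbed from /proc/modules but still present in /sys/module, and a connection visible in /proc/net/tcp that ss no longer shows.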
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.