Overview
- The report, published January 13, names the previously undocumented framework VoidLink and provides indicators of compromise and mitigation guidance after initial discovery in December 2025.
- VoidLink exposes a custom Plugin API inspired by Beacon Object Files, supporting more than 30 modules for reconnaissance, credential theft, persistence, lateral movement, and anti-forensics.
- The toolkit profiles cloud and container contexts, detecting AWS, GCP, Azure, Alibaba, and Tencent, adapting for Docker or Kubernetes, and harvesting developer secrets such as SSH keys, Git credentials, tokens, and API keys.
- Stealth features include LD_PRELOAD, LKM, and eBPF-based rootkits, runtime code encryption, anti-debug checks, self-deletion on tampering, and a risk-scoring approach that throttles activity in hardened environments.
- Networking supports HTTP/HTTPS, WebSocket, DNS tunneling, and ICMP, all wrapped in a custom encrypted layer dubbed VoidStream, with options for peer-to-peer or mesh-style communications; the web-based builder/dashboard that was observed has a Chinese-language interface.
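The LD_PRELOAD rootkits listed under stealth features rely on two well-known hooking surfaces on Linux: the system-wide `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in a process environment. The following auditor is an added example written for this page, not code from the report or from VoidLink; it parses both surfaces from constructed sample input and flags library paths that sit in temporary or memory-backed directories, in hidden path components, or outside the usual library directories. The trusted and suspect directory lists and the sample paths are this example's assumptions, not indicators published in the report.

```python
"""Audit LD_PRELOAD hooking surfaces on a Linux host (added example, not report code)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Where legitimately preloaded shared objects normally live (assumption for this example).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# World-writable or memory-backed locations that are a poor home for a shared object.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/run/user")
HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")  # a dot-directory or dot-file anywhere in the path


@dataclass
class Finding:
    source: str                 # "ld.so.preload" or "environ:<pid>"
    path: str
    reasons: list[str] = field(default_factory=list)


def _under(path: str, dirs: tuple[str, ...]) -> bool:
    """True if path lies inside one of dirs (prefix match on whole components only)."""
    return any(path == d or path.startswith(d + "/") for d in dirs)


def classify_library_path(path: str) -> list[str]:
    """Return the reasons a preloaded library path looks suspicious; empty means benign-looking."""
    reasons: list[str] = []
    if not path.startswith("/"):
        reasons.append("relative path")
    if _under(path, SUSPECT_DIRS):
        reasons.append("loaded from a temporary or memory-backed directory")
    elif path.startswith("/") and not _under(path, TRUSTED_LIB_DIRS):
        reasons.append("outside trusted library directories")
    if HIDDEN_COMPONENT.search(path):
        reasons.append("hidden path component")
    if path.endswith(" (deleted)"):  # as /proc/<pid>/maps reports unlinked backing files
        reasons.append("backing file deleted")
    return reasons


def parse_ld_so_preload(content: str) -> list[str]:
    """Parse /etc/ld.so.preload: whitespace- or colon-separated paths, '#' starts a comment."""
    entries: list[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def parse_environ_block(block: bytes) -> dict[str, str]:
    """Decode a /proc/<pid>/environ block (NUL-separated KEY=VALUE pairs)."""
    env: dict[str, str] = {}
    for item in block.split(b"\0"):
        if item and b"=" in item:
            key, value = item.decode("utf-8", "replace").split("=", 1)
            env[key] = value
    return env


def audit(preload_content: str, environs: dict[int, bytes]) -> list[Finding]:
    """Every ld.so.preload entry is reported (the file is empty or absent on most hosts);
    LD_PRELOAD environment entries are reported only when the path itself looks suspicious."""
    findings: list[Finding] = []
    for path in parse_ld_so_preload(preload_content):
        findings.append(Finding("ld.so.preload", path,
                                ["present in system-wide preload file"] + classify_library_path(path)))
    for pid, block in environs.items():
        env = parse_environ_block(block)
        for path in filter(None, re.split(r"[\s:]+", env.get("LD_PRELOAD", ""))):
            reasons = classify_library_path(path)
            if reasons:
                findings.append(Finding(f"environ:{pid}", path, reasons))
    return findings


def audit_live_host() -> list[Finding]:
    """Run the same audit against the real host (needs read access to /proc and /etc)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except FileNotFoundError:
        preload = ""
    environs: dict[int, bytes] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[int(pid)] = fh.read()
        except OSError:
            continue
    return audit(preload, environs)


# Constructed sample input: one system-wide preload entry and three process environments.
SAMPLE_PRELOAD = "# constructed sample\n/dev/shm/.x/libhook.so\n"
SAMPLE_ENVIRONS = {
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libhook.so\0HOME=/root\0",
    4243: b"LD_PRELOAD=/usr/lib/libfakeroot/libfakeroot-sysv.so\0",  # benign-looking, not flagged
    4244: b"SHELL=/bin/bash\0",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{f.source}: {f.path} -> {'; '.join(f.reasons)}")
```

The audit deliberately treats any entry in `/etc/ld.so.preload` as reportable, because the file does not exist on a stock installation; an environment entry, by contrast, is only flagged on the strength of its path, since tools such as fakeroot set `LD_PRELOAD` legitimately. A userland check like this does not see LKM or eBPF-based hooking, which the report also describes, so it complements rather than replaces kernel-level integrity checks.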