
VoidLink Rootkit Leverages eBPF and Kernel Modules to Stealthily Infiltrate Linux Systems


VoidLink is a new Linux rootkit family that combines classic kernel modules with eBPF to hide processes and network activity deep inside modern cloud environments.

It targets distributions from CentOS 7 up to Ubuntu 22.04, giving attackers a stealthy way to persist across a wide range of kernel versions.

VoidLink is part of a broader cloud-native malware framework first exposed in early 2026, built as a modular command-and-control platform with more than 30 plugins.

The rootkit component is delivered as loadable kernel modules (LKMs) named either vlstealth or a fake AMD driver, amdmemencrypt, backed by companion eBPF programs for network hiding.

Elastic Security Labs analyzed VoidLink, a sophisticated Linux malware framework that combines traditional loadable kernel modules with eBPF to maintain persistence.

Check Point presented compelling evidence that VoidLink was developed almost entirely through AI-assisted workflows using the TRAE integrated development environment (IDE).

Data dump (Source: Elastic Security).

The code and build artifacts recovered from a leaked development dump show multiple generations of the kernel component, indicating long-running real-world testing on Linux servers.

Hybrid LKM–eBPF Stealth

VoidLink stands out for its hybrid architecture, where the LKM handles deep kernel hooks and the eBPF code focuses on hiding from modern tooling.

The module uses ftrace hooks to intercept key paths such as getdents64, vfs_read, and do_send_sig_info, enabling process hiding, file and module-log scrubbing, and preventing selected PIDs from being killed.

At the same time, an attached eBPF program hooks sys_recvmsg and rewrites Netlink responses in user memory so that the ss utility never sees hidden TCP ports, even though netstat output is also filtered via traditional kernel hooks.

CentOS rootkit header (Source: Elastic Security).

Control of the rootkit is handled through a covert command channel that rides on ICMP echo requests instead of listening sockets.

Specially crafted ping packets tagged with a magic ID (default 0xC0DE) are intercepted by Netfilter hooks, decrypted with a single-byte XOR key, and interpreted as commands such as hide PID, hide port, grant root, or self-destruct.

Operators can rotate both the ICMP magic and XOR key at runtime, making static network signatures brittle and forcing defenders to rely on behavioral anomalies like missing echo replies.
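The "missing echo replies" anomaly mentioned above can be checked mechanically: a host whose kernel normally answers pings but silently consumes a subset of echo requests from one peer is behaving like a host with a Netfilter-based command channel. The following is an added example (not code from Elastic, Check Point or the VoidLink dump) that pairs ICMP echo requests with replies by (source, destination, identifier, sequence) and reports the unanswered ones; the packet records at the bottom are constructed sample data, and the identifier values in them are arbitrary, not the rootkit's magic ID.

```python
"""Flag ICMP echo requests that never receive a matching echo reply.

A kernel-level command channel that consumes tagged pings before the normal
echo responder sees them leaves requests on the wire with no reply.  Pairing
requests with replies by (src, dst, id, seq) surfaces those silent requests
and the host that is not answering them.  Added example; records are constructed.
"""
from collections import Counter, namedtuple

# One parsed ICMP packet: timestamp (seconds), addresses, ICMP type, echo id and seq.
Icmp = namedtuple("Icmp", "ts src dst type ident seq")

ECHO_REPLY = 0
ECHO_REQUEST = 8


def unanswered_echo_requests(records, reply_timeout=2.0):
    """Return echo requests that got no matching reply within reply_timeout seconds."""
    pending = {}
    unanswered = []
    for r in sorted(records, key=lambda r: r.ts):
        if r.type == ECHO_REQUEST:
            pending[(r.src, r.dst, r.ident, r.seq)] = r
        elif r.type == ECHO_REPLY:
            # A reply swaps src/dst and keeps the request's id and seq.
            req = pending.pop((r.dst, r.src, r.ident, r.seq), None)
            if req is None:
                continue  # stray reply with no request seen: ignore
            if r.ts - req.ts > reply_timeout:
                unanswered.append(req)  # answered, but too late to count as normal
    unanswered.extend(pending.values())  # requests never answered at all
    return sorted(unanswered, key=lambda r: r.ts)


def silent_targets(records, min_count=3):
    """Map destination host -> number of unanswered requests, for hosts at or above min_count.

    The destination is the host that failed to reply, i.e. the one to inspect.
    """
    counts = Counter(r.dst for r in unanswered_echo_requests(records))
    return {host: n for host, n in counts.items() if n >= min_count}


# Constructed sample: 10.0.0.5 answers ordinary pings from 10.0.0.9 but never
# answers the four requests from 203.0.113.7.  Addresses and ids are made up.
SAMPLE = [
    Icmp(0.00, "10.0.0.9", "10.0.0.5", ECHO_REQUEST, 0x1A2B, 1),
    Icmp(0.01, "10.0.0.5", "10.0.0.9", ECHO_REPLY, 0x1A2B, 1),
    Icmp(1.00, "10.0.0.9", "10.0.0.5", ECHO_REQUEST, 0x1A2B, 2),
    Icmp(1.01, "10.0.0.5", "10.0.0.9", ECHO_REPLY, 0x1A2B, 2),
    Icmp(5.00, "203.0.113.7", "10.0.0.5", ECHO_REQUEST, 0x0BAD, 1),
    Icmp(5.50, "203.0.113.7", "10.0.0.5", ECHO_REQUEST, 0x0BAD, 2),
    Icmp(6.00, "203.0.113.7", "10.0.0.5", ECHO_REQUEST, 0x0BAD, 3),
    Icmp(6.50, "203.0.113.7", "10.0.0.5", ECHO_REQUEST, 0x0BAD, 4),
    Icmp(7.00, "10.0.0.5", "10.0.0.9", ECHO_REPLY, 0x9999, 1),  # stray reply
]

if __name__ == "__main__":
    for req in unanswered_echo_requests(SAMPLE):
        print(f"{req.ts:6.2f}  {req.src} -> {req.dst}  id=0x{req.ident:04x} seq={req.seq}  no reply")
    print("hosts to inspect:", silent_targets(SAMPLE))
```

Because the rootkit only swallows tagged requests, a host can pass a routine ping sweep and still show up here; the useful signal is a single peer whose requests to one host go consistently unanswered, not a host that is down. Feeding this from a real capture means decoding ICMP headers into the same five fields, which any packet library can do.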

Advanced Evasion Features

Later VoidLink generations introduce delayed initialization and active anti-forensics logic tailored for modern EDR.

The latest “Ultimate Stealth v5” variant waits several seconds after module load before installing its ftrace hooks and Netfilter handlers and removing itself from the module list, evading tools that scan only immediately after insmod or modprobe events.

A recurring kernel timer scans for debugging and analysis tools such as strace, gdb, bpftool, and rootkit scanners, allowing operators to pause hiding or trigger self-destruction when forensic activity is detected.

Despite its sophistication, VoidLink still leaves detectable traces if defenders cross-check multiple views of the system.

Inconsistencies between ps output and /proc entries, between ss and /proc/net/tcp, or between lsmod and /sys/module can signal that a kernel rootkit is tampering with visibility.
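The three cross-checks in the paragraph above reduce to set differences between a user-space tool's output and the kernel-backed view it is supposed to summarize. The following is an added example, not tooling from Elastic or Check Point, that parses each pair of views from text (so it can be exercised on the constructed samples at the bottom) and reports what the kernel view shows but the tool does not. The `collect_live()` helper, which runs `ps`, `ss` and `lsmod` and reads /proc and /sys on a Linux host, is an assumption about how a defender would feed it; `vlstealth` in the sample module list is the name the article gives for the rootkit module.

```python
"""Cross-check ps vs /proc, ss vs /proc/net/tcp and lsmod vs /sys/module.

A kernel rootkit that filters one view usually forgets another; the gaps are
the signal.  Parsers take text so the logic runs on the constructed samples
below; collect_live() feeds them real data on a Linux host.  Added example.
"""
import os
import subprocess


def pids_from_ps(ps_text):
    """PIDs from `ps -e -o pid=` output (one PID per line)."""
    return {int(tok) for tok in ps_text.split() if tok.isdigit()}


def pids_from_proc(entries):
    """PIDs from a /proc listing: only the all-digit directory names."""
    return {int(e) for e in entries if e.isdigit()}


def listen_ports_from_proc_net_tcp(text):
    """LISTEN ports from /proc/net/tcp (local address is HEXIP:HEXPORT, state 0A = LISTEN)."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def listen_ports_from_ss(text):
    """Ports from `ss -ltn` output; Local Address:Port is the 4th column."""
    ports = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))  # works for *:80 and [::]:22 too
    return ports


def modules_from_lsmod(text):
    """Module names from `lsmod` output (first column, header skipped)."""
    return {line.split()[0] for line in text.splitlines()[1:] if line.strip()}


def find_gaps(ps_text, proc_entries, ss_text, proc_net_tcp, lsmod_text, sys_module_entries):
    """Return what each kernel-backed view shows that the user-space tool does not."""
    return {
        "hidden_pids": sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_text)),
        "hidden_ports": sorted(listen_ports_from_proc_net_tcp(proc_net_tcp) - listen_ports_from_ss(ss_text)),
        "hidden_modules": sorted(set(sys_module_entries) - modules_from_lsmod(lsmod_text)),
    }


def collect_live():
    """Gather the six inputs on a Linux host (assumes ps, ss and lsmod are installed)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    # A getdents64 hook also filters a plain directory listing of /proc, so probe
    # each PID directly with stat(), which does not go through getdents64.
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    proc_entries = [str(p) for p in range(1, pid_max + 1) if os.path.exists(f"/proc/{p}")]
    # /sys/module also lists built-in code; only loadable modules have an initstate file.
    sys_mods = [m for m in os.listdir("/sys/module") if os.path.exists(f"/sys/module/{m}/initstate")]
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    return find_gaps(run("ps", "-e", "-o", "pid="), proc_entries, run("ss", "-ltn"), tcp, run("lsmod"), sys_mods)


# Constructed samples: PID 31337, port 3306 and module vlstealth appear only in the kernel views.
PS_SAMPLE = "1\n412\n890\n1203\n"
PROC_SAMPLE = ["1", "412", "890", "1203", "31337", "self", "cpuinfo", "net"]
PROC_NET_TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18721 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18733 1 0000000000000000 100 0 0 10 0
   2: 0A00000B:0016 0A000009:D3A1 01 00000000:00000000 00:00000000 00000000     0        0 19010 1 0000000000000000 20 4 30 10 -1
"""
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""
LSMOD_SAMPLE = """Module                  Size  Used by
xfs                  1638400  1
libcrc32c              16384  1 xfs
"""
SYS_MODULE_SAMPLE = ["xfs", "libcrc32c", "vlstealth"]

if __name__ == "__main__":
    print(find_gaps(PS_SAMPLE, PROC_SAMPLE, SS_SAMPLE, PROC_NET_TCP_SAMPLE, LSMOD_SAMPLE, SYS_MODULE_SAMPLE))
```

Run from the same host, a rootkit that hooks vfs_read can lie to this script just as it lies to ss, which is why the article's last recommendation is to perform integrity checks from a trusted environment; the script is most useful when its kernel-side inputs come from a memory image or a read-only boot rather than the live system.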

Recommended defenses include enforcing Secure Boot and signed modules, monitoring audit logs for module load syscalls, restricting or turning off unneeded eBPF capabilities, and running integrity checks from a trusted environment that VoidLink cannot hook.
