{
  "name": "Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework",
  "slug": "illuminating-voidlink-technical-analysis-of-the-voidlink-rootkit-framework",
  "description": "Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink employs advanced techniques like delayed initialization, runtime key rotation, and a hybrid LKM-eBPF architecture for comprehensive stealth. Notable features include an ICMP-based covert channel, process protection, and memfd-aware boot loading. Evidence suggests AI-assisted development, lowering the barrier for kernel-level rootkit creation. Detection strategies and defensive recommendations are provided to counter this emerging threat.",
  "published": "2026-03-26T10:59:44+00:00",
  "created_at": "2026-03-26T10:59:44+00:00",
  "modified_at": "2026-03-26T23:10:51+00:00",
  "created_at_opencti": "2026-03-26T10:59:44+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-26",
    "ai-assisted",
    "lkm",
    "rootkit",
    "stealth",
    "voidlink"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "8.149.128.10"
      },
      {
        "id": "",
        "name": "116.62.172.147"
      }
    ],
    "malware": [
      {
        "id": "1d2cf21a-00a2-4021-9d21-3e02c35814c2",
        "name": "VoidLink",
        "slug": "voidlink"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "b9a3b4f8-b9c0-4ed8-bf5e-bf759b9804d6",
        "name": "T1564"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "41af8283-2fa5-469e-9c29-e8ad77b4f224",
        "name": "T1014"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "6aa7866f-9c1f-4159-938a-10a6adf41646",
        "name": "T1553"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "1e1b6cb4-44b5-4e17-b267-bcb104acb1d4",
        "name": "T1546"
      },
      {
        "id": "7abb6e8c-d357-49ef-9244-017043055224",
        "name": "T1205"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69c51fb010f23603d7d217ea",
    "https://www.elastic.co/security-labs/illuminating-voidlink"
  ]
}