{ "Event": { "analysis": "1", "date": "2026-03-26", "extends_uuid": "", "info": "[Threat Intel] Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework", "protected": false, "publish_timestamp": "1775900433", "published": true, "threat_level_id": "3", "timestamp": "1775900433", "uuid": "45046e2d-592e-4bf0-aabe-f5b11537cd98", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#5f1b93", "local": false, "name": "misp-galaxy:producer=\"Elastic\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#91ee5f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Rootkit - T1014\"", "relationship_type": "" }, { "colour": "#9c8729", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "relationship_type": "" }, { "colour": "#e76389", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#d4fd6f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#4e866e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Traffic Signaling - T1205\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#b24806", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#ad5a96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#e0f4bc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Event Triggered Execution - T1546\"", "relationship_type": "" }, { "colour": "#3b33aa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Subvert Trust Controls - T1553\"", "relationship_type": "" }, { "colour": "#e12cbc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774609232", "to_ids": false, "type": "link", "uuid": "0976e87b-c319-4eb7-8984-7027013759fa", "value": "https://www.elastic.co/security-labs/illuminating-voidlink" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1774609232", "to_ids": false, "type": "text", "uuid": "0a805fff-596e-4dfa-b70c-3171a44b1c0e", "value": "Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink employs advanced techniques like delayed initialization, runtime key rotation, and a hybrid LKM-eBPF architecture for comprehensive stealth. Notable features include an ICMP-based covert channel, process protection, and memfd-aware boot loading. Evidence suggests AI-assisted development, lowering the barrier for kernel-level rootkit creation. Detection strategies and defensive recommendations are provided to counter this emerging threat." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1774609232", "to_ids": false, "type": "text", "uuid": "0ab487f9-4333-433f-932f-f96237f46089", "value": "Name: Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework\nAuthor: AlienVault\nAdversary: \nTags: [\"rootkit\", \"stealth\", \"ai-assisted\", \"lkm\", \"voidlink\"]\nTgtd countries: []\nMlwr families: [\"VoidLink\"]\nAttack_ids: [\"T1014\", \"T1543\", \"T1564\", \"T1082\", \"T1562\", \"T1036\", \"T1055\", \"T1205\", \"T1016\", \"T1070\", \"T1083\", \"T1497\", \"T1057\", \"T1574\", \"T1027\", \"T1546\", \"T1553\", \"T1095\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775888719", "to_ids": true, "type": "ip-dst", "uuid": "942950de-e3d1-44e0-b2fd-9f53a5edf942", "value": "116.62.172.147", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775888740", "to_ids": true, "type": "ip-dst", "uuid": "82afba65-e6e6-40dc-91b5-b108ab13a2c1", "value": "8.149.128.10", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }