Security researchers have identified VoidLink, a Linux-based command-and-control (C2) framework built to target cloud infrastructure. What sets VoidLink apart is its use of AI-generated code (likely produced with large language models) to rapidly turn out polymorphic builds that evade traditional signature-based detection.
The malware is engineered to harvest credentials from major cloud providers—including AWS, Azure, and Alibaba Cloud—facilitating unauthorized data transfer across multi-cloud environments. For SOC analysts and cloud defenders, this represents a significant escalation in the threat landscape: automated, obfuscated code generation targeting the keys to the kingdom. Immediate action is required to hunt for persistence mechanisms and abnormal access to cloud credential files.
Technical Analysis
Affected Platforms:
- Linux distributions (distribution-independent: a statically linked Go binary with no runtime dependencies).
- Cloud environments: AWS, Azure, Alibaba Cloud, Google Cloud Platform (via credential harvesting).
Attack Chain & Capabilities:
- Initial Access: VoidLink typically arrives as a malicious binary, often masquerading as a legitimate system utility (e.g., ps, netstat, ss) or disguised as a system update.
- Execution: The payload is a Go binary, cross-compiled to run on various Linux architectures without dependencies.
- Credential Theft: The malware targets the standard cloud credential storage locations:
  - ~/.aws/credentials and ~/.aws/config
  - ~/.azure/accessTokens. and ~/.azure/config
  - ~/.config/gcloud/legacy_credentials/
  - ~/.docker/config.
  - /etc/passwd and /etc/shadow (local account enumeration and password hashes for offline cracking; /etc/shadow is readable only by root, so this needs an already-privileged foothold)
- AI-Generated Evasion: The use of AI in coding the malware allows for rapid modification of code structure and logic to bypass static analysis and heuristic engines that look for standard malware patterns.
- Persistence: VoidLink establishes persistence by creating systemd services or cron jobs, ensuring the C2 beacon survives reboots.
- Exfiltration: Once credentials are obtained, the malware uses the native APIs of the compromised cloud providers to copy data to attacker-controlled storage, so the transfer blends in with legitimate API traffic rather than standing out as a foreign connection.
Exploitation Status:
- Active in-the-wild: Confirmed targeting of Linux servers exposed to the internet.
- KEV Status: Not on CISA KEV. KEV tracks exploited CVEs, so a malware family only appears there once it is tied to a specific vulnerability; this is nonetheless an active campaign against high-value assets.
Detection & Response
Sigma Rules
The following Sigma rules target the file access patterns and persistence mechanism associated with VoidLink. They assume endpoint telemetry (Sysmon for Linux or auditd) is forwarding process-creation and file events. Note that Sysmon for Linux records file creation but not file reads, so the credential-access rule needs auditd file watches on the home directories with read permission (-p r), mapped to the TargetFilename and Image fields by your Sigma backend.
---
title: VoidLink Cloud Credential File Access
id: 8f4c2d1e-5a6b-4c7d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects processes accessing cloud credential files targeted by VoidLink. The legitimate CLIs (aws, az, gcloud, docker) are excluded by binary name; az and gcloud run under Python, so tune the filter to the interpreter and script paths used in your environment, and prefer matching the full binary path where your backend supports it so a copy dropped in /tmp is still reported.
references:
  - https://www.infosecurity-magazine.com/news/voidlink-malware-multi-cloud-ai/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  product: linux
  category: file_access
detection:
  selection:
    TargetFilename|contains:
      - '/.aws/credentials'
      - '/.aws/config'
      - '/.azure/accessTokens.'
      - '/.azure/config'
      - '/.config/gcloud/legacy_credentials/'
      - '/.docker/config.'
  filter_main_cli:
    Image|endswith:
      - '/aws'
      - '/az'
      - '/gcloud'
      - '/docker'
  condition: selection and not filter_main_cli
falsepositives:
  - Custom scripts managing cloud infrastructure
  - Legitimate administrators accessing these files manually
level: high
---
title: VoidLink Systemd Persistence Creation
id: 9a5d3e2f-6b7c-5d8e-0f1a-2b3c4d5e6f7a
status: experimental
description: Detects creation of systemd unit files under /etc/systemd/system by anything other than systemctl or the package managers, a common persistence method for Linux malware including VoidLink. Units shipped by packages normally land in /usr/lib/systemd/system, so a write here by an unexpected process deserves a look.
references:
  - https://www.infosecurity-magazine.com/news/voidlink-malware-multi-cloud-ai/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.persistence
  - attack.t1543.002
logsource:
  product: linux
  category: file_creation
detection:
  selection:
    TargetFilename|startswith: '/etc/systemd/system/'
    TargetFilename|endswith: '.service'
  filter_pkg:
    Image|endswith:
      - '/systemctl'
      - '/dpkg'
      - '/rpm'
  condition: selection and not filter_pkg
falsepositives:
  - System administrator package installation
  - Legitimate software updates
  - Configuration management tools (Ansible, Puppet, Salt) writing unit files
level: medium
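To show what the credential-access rule above does when applied to raw telemetry, here is an added example in Python (not code from the original write-up or from any VoidLink analysis) that groups auditd SYSCALL and PATH records by event serial and applies the same logic: a successful open of a credential path by anything other than a trusted CLI. It assumes the host has an auditd file watch on home directories with read permission (for example a `-w /home -p r -k cloud_creds` rule) and that the legitimate CLIs live at the paths listed in TRUSTED_CLI_PATHS; the log records are constructed for the example. Unlike the Sigma filter, it compares the full exe path rather than the basename, so a copy of the binary dropped in /tmp and renamed aws is still reported.

```python
import re
from collections import defaultdict

# Credential paths from the write-up; matched as substrings, like the Sigma rule's |contains.
CREDENTIAL_PATTERNS = (
    "/.aws/credentials",
    "/.aws/config",
    "/.azure/accessTokens.",
    "/.azure/config",
    "/.config/gcloud/legacy_credentials/",
    "/.docker/config.",
)

# Assumed install paths of the legitimate CLIs on the fleet being hunted (adjust per environment).
# Matching the full exe path rather than the basename means a binary named "aws" in /tmp is still reported.
TRUSTED_CLI_PATHS = frozenset({
    "/usr/local/bin/aws",
    "/usr/bin/docker",
})

_MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; values are either double-quoted strings (comm, exe, name) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one auditd record into (record type, event serial, field dict); None if not an audit record."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields.get("type"), m.group("serial"), fields


def group_events(lines):
    """auditd emits several records per syscall; the serial in msg=audit(ts:serial) ties them together."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line.strip())
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
    return events


def detect(lines):
    """Apply the rule: a successful open of a credential file by anything but a trusted CLI path."""
    hits = []
    for serial, ev in group_events(lines).items():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue
        files = [p for p in ev["paths"] if any(pat in p for pat in CREDENTIAL_PATTERNS)]
        if not files:
            continue
        exe = sc.get("exe", "")
        if exe in TRUSTED_CLI_PATHS:
            continue
        hits.append({"serial": serial, "exe": exe, "comm": sc.get("comm"),
                     "uid": sc.get("uid"), "files": files})
    return hits


# Constructed sample records (not real telemetry). Event 4567: a fake "ps" in /var/tmp reads an AWS
# credentials file; 4568: the real aws CLI reads the same file; 4569: a binary named "aws" but living
# in /tmp reads a gcloud legacy credential; 4570: vim opens an unrelated file under the same watch.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712650000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0e1b2a0 a2=0 a3=0 items=1 ppid=1201 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 comm="ps" exe="/var/tmp/ps" key="cloud_creds"
type=PATH msg=audit(1712650000.123:4567): item=0 name="/home/deploy/.aws/credentials" inode=262186 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712650041.500:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c0a0b20 a2=0 a3=0 items=1 ppid=1201 pid=1402 auid=1000 uid=1000 gid=1000 euid=1000 comm="aws" exe="/usr/local/bin/aws" key="cloud_creds"
type=PATH msg=audit(1712650041.500:4568): item=0 name="/home/deploy/.aws/credentials" inode=262186 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712650090.007:4569): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d3c0e1c100 a2=0 a3=0 items=1 ppid=1337 pid=1410 auid=1000 uid=1000 gid=1000 euid=1000 comm="aws" exe="/tmp/aws" key="cloud_creds"
type=PATH msg=audit(1712650090.007:4569): item=0 name="/home/deploy/.config/gcloud/legacy_credentials/deploy@example.com/adc.json" inode=262301 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712650120.250:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0e1d000 a2=0 a3=0 items=1 ppid=1201 pid=1450 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="cloud_creds"
type=PATH msg=audit(1712650120.250:4570): item=0 name="/home/deploy/.bashrc" inode=262100 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[!] event {hit['serial']}: {hit['exe']} (uid {hit['uid']}) opened {', '.join(hit['files'])}")
```

Run against the sample, the fake ps and the /tmp/aws copy are reported and the genuine CLI is not; in production, feed it `ausearch -k cloud_creds --raw` output, and keep the trusted-path set tight, since the whole point of the full-path comparison is that a renamed binary does not inherit the allowlist.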
KQL (Microsoft Sentinel / Defender)
This hunt query runs over DeviceProcessEvents (Microsoft Defender for Endpoint on Linux) and surfaces processes, other than the standard CLI tools, whose command line names a cloud credential file. It only sees paths passed on the command line: a binary that opens the file directly with open() leaves no row in this table, so pair it with the auditd-based Sigma rule above.
// Hunt for VoidLink behavior: non-CLI processes naming cloud credential files on the command line
DeviceProcessEvents
| where Timestamp > ago(7d)
// Filter on the launched process itself; InitiatingProcessFileName is its parent
| where FileName !in~ ("aws", "az", "gcloud", "docker", "kubectl", "terraform")
// `has` matches whole terms, so ".aws/" would only match the term "aws"; a regex keeps the path context
| where ProcessCommandLine matches regex @"\.aws/(credentials|config)|\.azure/(accessTokens|config)|\.config/gcloud/legacy_credentials|\.docker/config"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
| order by Timestamp desc
Velociraptor VQL
This Velociraptor artifact hunts for recently modified executables in the world-writable directories (/tmp, /var/tmp, /dev/shm) that carry Go build markers, and for recent modifications to cloud credential files. VQL has no UNION, so the two result sets are concatenated with chain().
-- Hunt for suspicious Go binaries and cloud credential modifications
LET Cutoff = timestamp(epoch=now() - 7 * 86400)

-- ELF magic at offset 0 plus either the Go buildinfo magic or an embedded runtime version string
LET GoRule = '''
rule go_elf_binary {
  strings:
    $elf = { 7f 45 4c 46 }
    $buildinfo = "Go buildinf:"
    $version = /go1\.[0-9]+/
  condition:
    $elf at 0 and ($buildinfo or $version)
}
'''

-- Executables in world-writable directories, modified in the last 7 days, that match the Go rule
LET SuspiciousBinaries = SELECT * FROM foreach(
  row={
    SELECT OSPath, Size, Mode.String AS Permissions, Mtime
    FROM glob(globs=["/tmp/**", "/var/tmp/**", "/dev/shm/**"])
    WHERE NOT IsDir AND Mode.String =~ "x" AND Mtime > Cutoff
  },
  query={
    SELECT OSPath.Basename AS ProcessName,
           OSPath.Path AS ProcessPath,
           Size,
           Permissions,
           Mtime AS ModifiedTime,
           Rule AS YaraRule
    FROM yara(rules=GoRule, files=OSPath)
    LIMIT 1
  })

-- Credential files touched in the last 7 days (atime is unreliable under relatime, so key on Mtime)
LET CredentialFiles = SELECT
    OSPath.Path AS CredentialPath,
    Size,
    Mtime AS ModifiedTime,
    Atime AS AccessedTime
  FROM glob(globs=[
    "/home/*/.aws/credentials",
    "/home/*/.aws/config",
    "/home/*/.azure/accessTokens.*",
    "/home/*/.azure/config",
    "/home/*/.config/gcloud/legacy_credentials/*/*",
    "/home/*/.docker/config.*",
    "/root/.aws/credentials",
    "/root/.aws/config",
    "/root/.azure/accessTokens.*",
    "/root/.azure/config"
  ])
  WHERE Mtime > Cutoff

SELECT * FROM chain(binaries=SuspiciousBinaries, credentials=CredentialFiles)
Remediation Script (Bash)
This script aids in the identification of potential VoidLink persistence mechanisms and malicious binaries.
#!/bin/bash
# VoidLink Indicators Check
# Usage: sudo ./voidlink_remediate.sh
# Read-only: it reports findings and hashes, it does not delete anything.
set -u

if [ "$(id -u)" -ne 0 ]; then
    echo "[!] Run as root so that /root and every home directory are readable." >&2
    exit 1
fi

echo "[*] Starting VoidLink Indicators Check..."

# 1. Executables in world-writable directories (VoidLink is a Go ELF binary)
echo "[*] Scanning for Go binaries in /tmp, /var/tmp, /dev/shm..."
find /tmp /var/tmp /dev/shm -type f -executable -print0 2>/dev/null | while IFS= read -r -d '' bin; do
    desc=$(file -b "$bin")
    case "$desc" in
        ELF*)
            # Newer file(1) releases label Go binaries "Go BuildID="; fall back to the buildinfo
            # magic / runtime version string for older releases. Heuristic only.
            if printf '%s\n' "$desc" | grep -q "Go BuildID" \
               || strings -n 8 "$bin" 2>/dev/null | grep -qE 'Go buildinf:|^go1\.[0-9]+'; then
                echo "[!] Suspicious Go binary found: $bin"
                sha256sum "$bin"   # hash for the investigation / IOC sharing
            fi
            ;;
    esac
done

# 2. systemd units (system-wide and per-user) whose ExecStart points into those directories
echo "[*] Checking systemd units for suspicious ExecStart paths..."
find /etc/systemd/system /run/systemd/system /root/.config/systemd/user /home/*/.config/systemd/user \
     -type f -name '*.service' 2>/dev/null | while IFS= read -r unit; do
    # Keep everything after the first '=' (arguments may contain '='), strip systemd's
    # prefix characters (-, @, :, +, !) and take the executable path.
    exec_path=$(grep -E '^ExecStart=' "$unit" | head -n 1 | cut -d= -f2- | sed -E 's/^[-@:+!]+//' | awk '{print $1}')
    case "$exec_path" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "[!] Suspicious systemd unit: $unit"
            echo "    ExecStart: $exec_path"
            ;;
    esac
done

# 3. Cron entries that run commands from the same directories
echo "[*] Checking cron entries for commands in /tmp, /var/tmp, /dev/shm..."
grep -rHE '/(tmp|var/tmp|dev/shm)/' /etc/crontab /etc/cron.d /var/spool/cron 2>/dev/null | sed 's/^/[!] cron: /'

# 4. Timestamps of the credential files VoidLink reads. atime is unreliable on filesystems
# mounted with relatime (the default), so rely on auditd rather than atime for read detection.
echo "[*] Checking credential file timestamps..."
find /root /home -type f \( -path '*/.aws/credentials' -o -path '*/.aws/config' \
     -o -path '*/.azure/accessTokens.*' -o -path '*/.azure/config' \
     -o -path '*/.config/gcloud/legacy_credentials/*' -o -path '*/.docker/config.*' \) 2>/dev/null \
  | while IFS= read -r cred; do
    stat -c '    %n  modified=%y  accessed=%x' "$cred"
done

echo "[*] Check complete. If suspicious binaries are found, isolate the host and initiate forensic acquisition."
Remediation
- Credential Rotation: If VoidLink is detected, assume compromise. Immediately rotate all Access Keys, Secret Keys, and Service Principal credentials associated with the affected environment.
- Isolate and Image: Isolate the infected Linux host from the network to prevent further data exfiltration. Acquire a full memory and disk image for forensic analysis.
- Remove Persistence: Identify and remove the malicious systemd service or cron job, then reload systemd so the unit is really gone:
systemctl stop [suspicious_service_name]
systemctl disable [suspicious_service_name]
rm /etc/systemd/system/[suspicious_service_name].service
systemctl daemon-reload
For cron, inspect /etc/crontab, /etc/cron.d and each user's crontab (crontab -u <user> -l) and delete the offending entry.
- Binary Removal: Delete the malicious binary identified during the investigation. Check for backups or copies created by the malware.
- Audit Cloud Logs: Audit AWS CloudTrail, Azure Monitor and Entra sign-in logs, Alibaba Cloud ActionTrail and Google Cloud Audit Logs for API calls made during the period of compromise. Look for unrecognized user agents or source IPs, and for identity and access changes (new keys, new users, policy attachments) that would outlive the rotation.
- Hunting: Use the provided Sigma rules and VQL artifacts across the entire Linux estate to identify lateral movement or other compromised hosts.
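For the Audit Cloud Logs step, the following added example (my own illustration, not tooling from the write-up) triages CloudTrail records from a compromise window against a baseline of known source networks and user agents, and lists every access key seen in a flagged call so it can be rotated. The baseline networks and agent prefixes, the window and the sample records are all constructed for the example; the key IDs are the placeholders AWS uses in its documentation.

```python
import ipaddress

# Baseline for the environment being investigated. These are assumptions for the example:
# replace them with the ranges and tooling actually observed in your own CloudTrail history.
TRUSTED_NETWORKS = tuple(ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8"))
TRUSTED_AGENT_PREFIXES = ("aws-cli/2.", "Boto3/", "aws-sdk-go-v2/")
HIGH_RISK_EVENTS = frozenset({
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "AssumeRole", "GetObject", "ListBuckets", "PutBucketPolicy",
})
# Assumed compromise window (UTC) taken from the host timeline.
COMPROMISE_WINDOW = ("2025-04-07T00:00:00Z", "2025-04-09T00:00:00Z")


def is_aws_service_call(event):
    """Calls made on your behalf by an AWS service carry a service principal, not a client IP."""
    src = event.get("sourceIPAddress", "")
    return src.endswith(".amazonaws.com") or event.get("userIdentity", {}).get("type") == "AWSService"


def ip_is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(records, window_start, window_end):
    """Flag calls inside the window whose origin or tooling does not match the baseline.
    eventTime is ISO 8601 UTC with a fixed layout, so plain string comparison orders correctly."""
    flagged = []
    for ev in records:
        if not (window_start <= ev["eventTime"] <= window_end) or is_aws_service_call(ev):
            continue
        reasons = []
        if not ip_is_trusted(ev.get("sourceIPAddress", "")):
            reasons.append("source IP outside known ranges")
        if not ev.get("userAgent", "").startswith(TRUSTED_AGENT_PREFIXES):
            reasons.append("unrecognised user agent")
        if reasons:
            flagged.append({
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "accessKeyId": ev.get("userIdentity", {}).get("accessKeyId"),
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "userAgent": ev.get("userAgent"),
                "highRisk": ev["eventName"] in HIGH_RISK_EVENTS,
                "reasons": reasons,
            })
    return flagged


def keys_to_rotate(flagged):
    """Every access key seen in a flagged call is rotated, whatever else the investigation finds."""
    return sorted({f["accessKeyId"] for f in flagged if f["accessKeyId"]})


# Constructed CloudTrail records (not real data). Record 1 is normal admin activity, 2 and 3 come
# from an unknown IP (2 also with a bare Go HTTP client, typical of a custom Go tool), 4 is an
# S3 service-initiated call, and 5 is suspicious but predates the compromise window.
SAMPLE_RECORDS = [
    {"eventTime": "2025-04-08T01:10:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2025-04-08T02:14:11Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
     "userAgent": "Go-http-client/1.1",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-04-08T02:20:43Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2025-04-08T02:21:00Z", "eventName": "PutObject", "sourceIPAddress": "s3.amazonaws.com",
     "userAgent": "s3.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"}},
    {"eventTime": "2025-04-03T09:00:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77",
     "userAgent": "Go-http-client/1.1",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS, *COMPROMISE_WINDOW)
    for h in hits:
        print(f"[{'HIGH' if h['highRisk'] else 'info'}] {h['eventTime']} {h['eventName']} "
              f"key={h['accessKeyId']} ip={h['sourceIPAddress']} ua={h['userAgent']}: {'; '.join(h['reasons'])}")
    print("Rotate:", ", ".join(keys_to_rotate(hits)))
```

Note that the admin's own key shows up in the rotation list because the CreateAccessKey call from the unknown IP used it; that is deliberate, since a key used from outside the baseline is exactly the "assume compromise" case the rotation step describes. The window check also drops the earlier Go-http-client call, so widen the window if the host timeline is uncertain.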