Some kind of opensource ish malware framework the kids are running that can use eBPF …. In addition to limiting CAP_BPF or CAP_SYS_ADMIN you should also take other measures.
Hey, I don’t hate you, but I feel like Ghostty has users.
Is it critical software? Unsure- it will feel critical if it hangs when you’re doing some data processing via a shell its running- but that's besides the point.
Maybe “production” requires it being used for a backend? ;)
Targeting containerized environments, VoidLink seems most sensible when accompanying universal exploits like the xz backdoor. May be indicative of continuing efforts and confidence to infiltrate the base Linux ecosystem. I imagine, this framework isn't primarily used for targeted attacks and espionage, but rather as rapid staging ground for "cyber warfare" operations.
> Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines.
That's good for me, as I develop on a Linux laptop but I never really understood why that is the case. I know that most people are on Windows so B2C malware naturally runs on Windows. However basically all the Internet infrastructure is on Linux and B2B malware should have been targeting that since a long time.
Linux malware looks different usually. This kind of plugin based framework running as its own process is uncommon, but web shells with similar functionality have been around for a while. And bad guys like working in the shell on Linux too, just a simple binary that reads commands from a socket is often all they need, but doesn't make for very fascinating blog posts. Some just install cloudflared, nothing custom needed at all.
Even slightly higher barriers greatly reduces attempts, and the developers have much more practice at it. Rootkits and such for unix/linux have been around forever, but with VMs and containers getting recycled and such and long term expectations around impermanence and thus programmatically recreated and verifiable configurations, it's a lot harder to get something to stick without being found.
On top of that is the user interactivity model and software distribution model. For most non-admins the various protection schemes on Windows are a choice between "use my computer" and "don't use my computer" and thus basically meaningless. Plus there are fewer centrally managed repos because so much Windows software is hostile to being managed that way and large companies all have to build their own, and small organizations generally give up trying. Quick, hands-off integrity checks on linux can happen in the background and generally won't explode things.
Logging is a factor too. Windows logging tends to be "nothing" or "tsunami" with not a lot in between, and when log monitoring solutions charge by volume and analysts have to comb through oceans of noise to identify potentially dangerous activity, the end result is much less effective watchdogs. I've seen a lot of "Windows -> low cost log monitor doing filtering -> high cost log monitor that people actually look at" due to this, which is obviously harder to manage and less effective.
Most of this can be made the case for Windows, of course, but often isn't because getting Windows into a desired state is such a pain in the ass that it trains people into the "don't touch it, it's working!" mindset. Microsoft was making real strides towards this 20 years ago but their current product management has been security counterproductive IMHO. Doing things in the OS that look a lot like malware turns out to not be a good idea.
When we were developing attacks for unix environments it was often easier to go after the application deployment or CI chains than try to root the box unless there was a juicy SSHD or bash or whatever bug, which have been highly publicized are usually rapidly fixed without needing major effort from endpoint managers.
If you've ever worked in the node ecosystem you'd be surprised at the amount of devs that blindly run `sudo npm i -g ...`. Not to mention `curl ... | sudo bash`. The industry is very bad at teaching developers good hygiene on their machines.
lol there’s no real technical details in this article sadly. Checkpoint has a better analysis.
https://research.checkpoint.com/2026/voidlink-the-cloud-nati...
Some kind of opensource ish malware framework the kids are running that can use eBPF …. In addition to limiting CAP_BPF or CAP_SYS_ADMIN you should also take other measures.
>VoidLink is an impressive piece of software, written in Zig for Linux
Finally, Zig has a user in production /s
(I like Zig, it's a joke, don't hate me)
Hey, I don’t hate you, but I feel like Ghostty has users.
Is it critical software? Unsure- it will feel critical if it hangs when you’re doing some data processing via a shell its running- but that's besides the point.
Maybe “production” requires it being used for a backend? ;)
An B2B SaaS platform with an amazing plugin ecosystem that works on my Kubernetes cluster, for any Linux distribution, written in Zig?
Where do I sign up?
It's only Linux malware if it has a GPL or other FOSS license. This is just untrustworthy code.
--Linux users, probably
It's called GNU/malware.
Targeting containerized environments, VoidLink seems most sensible when accompanying universal exploits like the xz backdoor. May be indicative of continuing efforts and confidence to infiltrate the base Linux ecosystem. I imagine, this framework isn't primarily used for targeted attacks and espionage, but rather as rapid staging ground for "cyber warfare" operations.
> Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines.
That's good for me, as I develop on a Linux laptop but I never really understood why that is the case. I know that most people are on Windows so B2C malware naturally runs on Windows. However basically all the Internet infrastructure is on Linux and B2B malware should have been targeting that since a long time.
Linux malware looks different usually. This kind of plugin based framework running as its own process is uncommon, but web shells with similar functionality have been around for a while. And bad guys like working in the shell on Linux too, just a simple binary that reads commands from a socket is often all they need, but doesn't make for very fascinating blog posts. Some just install cloudflared, nothing custom needed at all.
Even slightly higher barriers greatly reduces attempts, and the developers have much more practice at it. Rootkits and such for unix/linux have been around forever, but with VMs and containers getting recycled and such and long term expectations around impermanence and thus programmatically recreated and verifiable configurations, it's a lot harder to get something to stick without being found.
On top of that is the user interactivity model and software distribution model. For most non-admins the various protection schemes on Windows are a choice between "use my computer" and "don't use my computer" and thus basically meaningless. Plus there are fewer centrally managed repos because so much Windows software is hostile to being managed that way and large companies all have to build their own, and small organizations generally give up trying. Quick, hands-off integrity checks on linux can happen in the background and generally won't explode things.
Logging is a factor too. Windows logging tends to be "nothing" or "tsunami" with not a lot in between, and when log monitoring solutions charge by volume and analysts have to comb through oceans of noise to identify potentially dangerous activity, the end result is much less effective watchdogs. I've seen a lot of "Windows -> low cost log monitor doing filtering -> high cost log monitor that people actually look at" due to this, which is obviously harder to manage and less effective.
Most of this can be made the case for Windows, of course, but often isn't because getting Windows into a desired state is such a pain in the ass that it trains people into the "don't touch it, it's working!" mindset. Microsoft was making real strides towards this 20 years ago but their current product management has been security counterproductive IMHO. Doing things in the OS that look a lot like malware turns out to not be a good idea.
When we were developing attacks for unix environments it was often easier to go after the application deployment or CI chains than try to root the box unless there was a juicy SSHD or bash or whatever bug, which have been highly publicized are usually rapidly fixed without needing major effort from endpoint managers.
> Logging is a factor too. Windows logging tends to be "nothing" or "tsunami" with not a lot in between
You forgot mysterious GUID that shows up on exactly one forum post on the Internet with no solution.
From 10 years on an abandoned Microsoft forum, yes. Trust me, I'm TRYING to forget about those.
Or only in search results that link to... a 404 on Microsoft's site.
cloud servers have devs/admins keeping an eye on them
cloud providers monitor internal traffic and can detect a lot of malware activity, so you need stealthier ones
I think it's just that there's more bounty on the Windows side: more business users, more credentials to steal, etc.
trash ad for linux antivirus. who uses that anyway?
Ah, classic, the solution to your problem is a bigger problem!
Step 1 -> install anti virus protection
Step 2 -> expose yourself to viruses via the protection method
Step 3 -> pay for more virus protection
The infinite flywheel!
Good news! There's a Cloudstrike sensor for Linux! ;)
>With no indication that VoidLink is actively targeting machines, there’s no immediate action required by defenders,
Plus no mention of how these machines get "infected". My guess is the admin will need to download something and manually install it. So a root kit ?
I wish these articles would mention how these "most advance malware" gets on your system.
If you've ever worked in the node ecosystem you'd be surprised at the amount of devs that blindly run `sudo npm i -g ...`. Not to mention `curl ... | sudo bash`. The industry is very bad at teaching developers good hygiene on their machines.
it probably has multiple ways - infected npm packages, quickly exploiting CVEs before they are patched, ...
and here I am with my main PC with CPU mitigations off and SE Linux completely removed
come at me bro