New China Linked VoidLink Linux Malware Targets Major Cloud Providers

Researchers have discovered VoidLink, a sophisticated new Linux malware framework designed to infiltrate AWS, Google Cloud, and Azure. Learn how this Chinese-affiliated toolkit uses adaptive stealth to stay hidden.

In December 2025, cybersecurity experts at Check Point Research (CPR) discovered a sophisticated new toolkit called VoidLink. While most hackers target Windows, VoidLink is a cloud-first threat built specifically to live inside Linux-based cloud environments used by major corporations.

The research reveals that the developers, likely a Chinese-affiliated group, possess elite technical skills. They are proficient in languages like Zig, Go, C, and React, and they even created a professional web dashboard in Chinese to control their targets.

How VoidLink Operates

VoidLink is remarkably intelligent. Once it infects a system, it automatically checks if it is running on Amazon (AWS), Google Cloud, Microsoft Azure, Alibaba, or Tencent. There are even plans to expand this list to include DigitalOcean and Huawei.

Once ...