# masqueraded agent + DDoS modules
sudo ls -la /usr/local/bin/.systemd-network-monitor /usr/local/bin/.fleet-* 2>/dev/null
# persistence unit + boot cron
sudo ls -la /etc/systemd/system/systemd-network-monitor.service 2>/dev/null; sudo crontab -l 2>/dev/null | grep -F systemd-network-monitor
# userland rootkit hook + state directory
sudo grep -s LD_PRELOAD /etc/systemd/system/systemd-network-monitor.service; sudo ls -la /var/cache/systemd-network/ 2>/dev/null

Host
The botnet implant leaves a distinctive on-disk footprint (note the leading dots on the binary names). Any of these on a production host is a high-confidence indicator of compromise.
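
The same checks as one function that takes a root prefix, so it can be run against a read-only mounted disk image as well as a live host. This is an added example, not part of the original page; the function name, the output format and the crontab file locations it reads in place of `crontab -l` are assumptions.

```shell
# Added example (not from the original page): sweep a filesystem root for the
# indicators listed above. Assumptions: function name, output format, and the
# crontab file locations. The body runs in a subshell, so nothing leaks out.
scan_implant_iocs() (
    root="${1:-/}"; root="${root%/}"; hits=0

    # record one finding: $1 = kind, $2 = path (printed relative to the root)
    hit() { rel=${2#"$root"}; echo "HIT $1 $rel"; hits=$((hits + 1)); }

    # masqueraded agent + DDoS modules (dot-prefixed, hidden from a plain ls)
    for f in "$root"/usr/local/bin/.systemd-network-monitor \
             "$root"/usr/local/bin/.fleet-*; do
        if [ -e "$f" ]; then hit binary "$f"; fi
    done

    # persistence unit, and the LD_PRELOAD hook inside it
    f="$root/etc/systemd/system/systemd-network-monitor.service"
    if [ -e "$f" ]; then
        hit unit "$f"
        if grep -q LD_PRELOAD "$f" 2>/dev/null; then hit preload "$f"; fi
    fi

    # boot cron: read crontab files directly instead of `crontab -l`, which
    # only reports the running system's crontab for a single user
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
             "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -qF systemd-network-monitor "$f" 2>/dev/null; then
            hit cron "$f"
        fi
    done

    # state directory
    f="$root/var/cache/systemd-network"
    if [ -d "$f" ]; then hit statedir "$f"; fi

    echo "TOTAL $hits"
    [ "$hits" -eq 0 ]   # exit status: 0 = none found, 1 = indicators present
)
```

Run it as root, for example `scan_implant_iocs /` on a live host or `scan_implant_iocs /mnt/image` on a mounted image; a non-zero exit status means at least one indicator was found.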