6 min · critical

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

VoidLink is a cloud-native Linux malware framework that employs a hybrid Loadable Kernel Module (LKM) and eBPF architecture to achieve deep system concealment. It features advanced evasion techniques such as delayed initialization, an ICMP covert command channel, and eBPF-driven manipulation of Netlink sockets to hide network connections from diagnostic tools. Analysis indicates the framework was developed iteratively using AI-assisted workflows, highlighting a growing trend of LLM-facilitated malware creation.

Confidence: high · Analyzed: 2026-03-25

Authors: Elastic Security Labs

Actors: Chinese-speaking threat actor

Source: Elastic Security Labs

IOCs · 3
  • filename: amd_mem_encrypt.ko - Masqueraded LKM rootkit module impersonating a legitimate AMD driver.
  • filename: hide_ss.bpf.o - eBPF component responsible for hiding network connections from the 'ss' utility.
  • filename: vl_stealth.ko - Production LKM rootkit module.

Key Takeaways

  • VoidLink is a sophisticated Linux rootkit utilizing a rare hybrid Loadable Kernel Module (LKM) and eBPF architecture.
  • The malware uses eBPF to hide network connections from the 'ss' utility by manipulating Netlink socket responses directly in userspace memory.
  • It features an ICMP-based covert command channel with runtime key rotation, XOR-encrypted payloads, and silently dropped packets.
  • Advanced evasion techniques include delayed hook installation to bypass synchronous EDR checks, anti-debugging timers, and process kill protection.
  • Strong source code evidence indicates the rootkit was developed iteratively using AI-assisted workflows (LLMs), lowering the barrier for kernel-level malware creation.

Affected Systems

  • Linux (CentOS 7 through Ubuntu 22.04)
  • Linux Kernel versions 3.10 through 6.2

Attack Chain

The attack begins with the deployment of a fileless implant running from a memfd file descriptor. A boot script (load_lkm.sh) scans for these memfd processes and loads the VoidLink LKM (vl_stealth.ko) with parameters to hide them immediately. The LKM delays hook installation by three seconds to evade synchronous security checks, then installs ftrace hooks and an ICMP Netfilter handler. An eBPF companion program is loaded to hide network connections from the 'ss' utility by manipulating Netlink responses. The operator then controls the rootkit via an ICMP covert channel, sending XOR-encrypted commands to hide further processes, elevate privileges, or rotate C2 keys.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: Yes
  • Splunk SPL Queries: No
  • EQL Queries: Yes
  • Other Detection Logic: Yes
  • Platforms: Elastic Security, Auditd, YARA

The article provides a YARA rule for detecting VoidLink LKM variants, EQL queries for detecting kernel module loading, Auditd configurations for module tracking, and a KQL/Lucene query for detecting the abuse of the bpf_probe_write_user helper in syslog.

Detection Engineering Assessment

  • EDR Visibility: Medium. The rootkit operates at the kernel level and actively evades standard EDR hooks by delaying initialization and filtering procfs/sysfs reads. However, EDRs monitoring module loads, raw Netlink sockets, or eBPF program loads can detect the initial deployment.
  • Network Visibility: Low. C2 traffic uses custom ICMP Echo Requests with XOR-encrypted payloads that are silently dropped by the rootkit, meaning no Echo Replies are sent. Detection therefore requires correlating unanswered ICMP requests.
  • Detection Difficulty: Hard. The rootkit uses a hybrid LKM/eBPF approach, filters standard forensic tools, masquerades as a legitimate AMD driver, and hides its own C2 traffic and network connections from standard utilities like netstat and ss.

Required Log Sources

  • Auditd (init_module, finit_module)
  • Syslog (kernel messages)
  • eBPF program logs
  • Process execution logs (kmod/insmod)

Hunting Hypotheses

  • Hypothesis: Look for discrepancies between process listings from standard utilities (ps) and raw directory listings of /proc to identify hidden processes. | Telemetry: Endpoint process and file system enumeration scripts | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Identify hidden network connections by comparing the output of 'ss' or 'netstat' against direct reads of /proc/net/tcp. | Telemetry: Endpoint network state enumeration scripts | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Monitor kernel syslog messages for the execution of the 'bpf_probe_write_user' helper, which is typically used for debugging but abused by this rootkit to modify userspace memory. | Telemetry: Kernel syslog | ATT&CK Stage: Defense Evasion | FP Risk: Medium
  • Hypothesis: Hunt for unanswered ICMP Echo Requests originating from external IPs, which may indicate the rootkit's covert C2 channel silently dropping command packets. | Telemetry: Network traffic (PCAP/NetFlow) | ATT&CK Stage: Command and Control | FP Risk: High
  • Hypothesis: Check /sys/kernel/debug/tracing/enabled_functions for unexpected ftrace hooks on critical syscalls like __x64_sys_getdents64 or vfs_read. | Telemetry: Endpoint file system reads (from a trusted state/live boot) | ATT&CK Stage: Defense Evasion | FP Risk: Low
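The first, second and fifth hypotheses above share one idea: compare what the kernel exposes through /proc and tracefs with what userspace tools report, and treat any disagreement as the signal. The following is an added example of that cross-check, not code from the Elastic report; it assumes ps and ss are on PATH, decodes /proc/net/tcp addresses for a little-endian host, and uses a constructed sample in which the kernel lists a listener on 8080 (the report's default hidden port) that ss does not show.

```python
import os
import subprocess

def parse_proc_net_tcp(text):
    """Return {(ip, port, state_hex)} from /proc/net/tcp text. Addresses are hex in
    host byte order (little-endian on x86): '0100007F:1F90' is 127.0.0.1:8080."""
    sockets = set()
    for line in text.splitlines()[1:]:                    # first row is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        sockets.add((ip, int(port_hex, 16), fields[3]))
    return sockets

def ports_from_ss(text):
    """Local ports from `ss -H4tan` output (4th column is Local Address:Port)."""
    return {int(l.split()[3].rsplit(":", 1)[1]) for l in text.splitlines() if l.strip()}

def hidden_ports(proc_tcp, ss_text):
    """Ports the kernel lists in /proc/net/tcp that ss does not report."""
    return {port for _, port, _ in proc_tcp} - ports_from_ss(ss_text)

def hidden_pids(proc_entries, ps_pids):
    """PIDs that exist as /proc/<pid> directories but are missing from ps."""
    return {int(e) for e in proc_entries if e.isdigit()} - set(ps_pids)

def suspicious_ftrace(enabled_functions, watch=("__x64_sys_getdents64", "vfs_read")):
    """Symbols in enabled_functions (first column) that are common rootkit hook targets."""
    return {l.split()[0] for l in enabled_functions.splitlines() if l.split() and l.split()[0] in watch}

# Constructed sample input (not captured from a real host): the kernel lists a
# listener on 127.0.0.1:8080, the report's default hidden port, but ss shows only 22.
SAMPLE_PROC_TCP = (
    "  sl  local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1000 1 0 100 0 0 10 0\n"
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1001 1 0 100 0 0 10 0\n")
SAMPLE_SS = "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"

if __name__ == "__main__":
    print("sample hidden ports:", hidden_ports(parse_proc_net_tcp(SAMPLE_PROC_TCP), SAMPLE_SS))  # {8080}
    # Live comparison on this host; the report notes procfs reads can be filtered too,
    # so a clean result here is weaker than one taken from a trusted live boot.
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout.split()
    ss = subprocess.run(["ss", "-H4tan"], capture_output=True, text=True).stdout
    with open("/proc/net/tcp") as f:
        print("live hidden ports:", hidden_ports(parse_proc_net_tcp(f.read()), ss))
    print("live hidden pids:", hidden_pids(os.listdir("/proc"), map(int, ps)))
```

A non-empty result is a lead, not a verdict: short-lived processes and sockets can race the two snapshots, so re-run and confirm before escalating.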

Control Gaps

  • Standard EDR process monitoring (bypassed via ftrace hooks)
  • Standard network monitoring (bypassed via eBPF Netlink manipulation)

Key Behavioral Indicators

  • Unanswered ICMP Echo Requests
  • bpf_probe_write_user in syslog
  • Processes running from memfd file descriptors
  • Discrepancies between ps and /proc

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit loaded kernel modules and eBPF programs using trusted tools or live boot environments.
  • Investigate systems with unanswered inbound ICMP Echo Requests.

Infrastructure Hardening

  • Enforce Secure Boot and kernel module signing to prevent unauthorized LKM loading.
  • Enable kernel lockdown mode to restrict direct memory access and unsigned modules.
  • Disable unprivileged BPF via sysctl (kernel.unprivileged_bpf_disabled=1).
  • Restrict the bpf() syscall using seccomp profiles or LSM policies.

User Protection

  • Deploy EDR solutions capable of monitoring eBPF program loads and raw kernel module insertions.

Security Awareness

  • Educate SOC analysts on the emerging threat of AI-assisted malware development lowering the barrier for sophisticated rootkits.

MITRE ATT&CK Mapping

  • T1014 - Rootkit
  • T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1095 - Non-Application Layer Protocol
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1620 - Reflective Code Loading

Additional IOCs

  • File Paths:
    • /root/kernel5x_new/vl_stealth.ko - Hard-coded module path used by the boot loader script.
    • /var/log/vl_boot.log - Boot loader log file.
    • /sys/fs/bpf/vl_hide_tcp - Pinned BPF map used by the eBPF override variant.
  • Command Lines:
    • Purpose: Load the kernel module with initialization parameters to hide specific PIDs and ports immediately. | Tools: insmod | Stage: Execution/Persistence | insmod vl_stealth.ko init_pids=
    • Purpose: Send ICMP covert channel commands to the rootkit to hide a specific process ID. | Tools: icmp_ctl.py, python | Stage: Command and Control | ./icmp_ctl.py <ip> hide_pid
  • Other:
    • 0xC0DE - Default ICMP magic identification value used in the covert channel.
    • 0x42 - Default XOR encryption key used for ICMP command payloads.
    • AMD Memory Encryption Support - Masqueraded MODULE_DESCRIPTION string used to impersonate legitimate AMD drivers.
    • Advanced Micro Devices, Inc. - Masqueraded MODULE_AUTHOR string used to impersonate legitimate AMD drivers.
    • 8080 - Default network port hidden by the rootkit.
    • ss_loader - eBPF loader binary filename.
    • icmp_ctl.py - ICMP C2 control script filename.
    • load_lkm.sh - Boot-time persistence loader script filename.