Sysdig TRT’s analysis of VoidLink describes a Chinese-developed, Zig-built Linux malware framework that uses a three-stage fileless loader, serverside rootkit compilation (SRC) to produce kernel modules per-target, and multiple stealth/control channels including prctl, eBPF, and an ICMP covert channel. Despite advanced adaptive evasion, VoidLink’s memfd_create/execveat fileless execution, eBPF and kernel-module activity, and other runtime behaviors are detectable with tools like Falco and Sysdig Secure. #VoidLink #Sysdig
Keypoints
- VoidLink is a Chinese-developed Linux malware framework written in Zig that uses a three-stage, fileless loader (Stage 0 → Stage 1 → implant) and executes payloads from memory via memfd_create + execveat to minimize on-disk artifacts.
- Serverside Rootkit Compilation (SRC) is a core innovation: the C2 compiles kernel modules on demand for each target kernel version, solving kernel portability without bloating the implant.
- The framework implements a sophisticated rootkit with multiple deployment methods (eBPF, LKM, hybrid), syscall and kretprobe hooks, netfilter ICMP handling, and module self-hiding to conceal activity from tools like netstat, ss, lsmod, and /proc listings.
- Adaptive profiling detects security products (EDR/CDR/XDR), debuggers, and Frida, and dynamically adjusts beacon timing and behavior (aggressive, paranoid, low_activity, simulate_normal) to reduce detection risk.
- VoidLink includes cloud-native capabilities: container and Kubernetes plugins for escape and privilege escalation, metadata endpoint checks for AWS/GCP/Alibaba/Tencent, and logic to exploit common misconfigurations.
- Multiple redundant control channels exist: prctl magic interface, eBPF/BPF map updates, and an ICMP covert channel (magic ID 0xC0DE) with a built-in Python control script and a comprehensive self-destruct routine.
- Detection and mitigation are possible via runtime monitoring—Falco/Sysdig Secure rules detect memfd fileless execution, bpf/syscall activity, kernel module injection, and eBPF program loads; recommended actions include auditing module loads, monitoring ICMP, and rotating credentials.
MITRE Techniques
- [T1620] Reflective Code Loading – Used for fileless execution by creating an anonymous memory file and executing from it (memfd_create + execveat). [‘…Using memfd_create followed by execveat is a well-known combination technique for fileless execution…’]
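The memfd_create + execveat pattern above is the one host-side behaviour that survives VoidLink's on-disk cleanup, so it is worth seeing how the correlation is done. The following Python detector is an added example, not code from the Sysdig report or from VoidLink itself: it walks auditd-style SYSCALL records and raises an alert only when a process creates an anonymous memfd and then executes it (execveat on the returned fd, or any exec whose image path is `/memfd:...`), which avoids alerting on the many benign memfd_create callers (systemd, browsers, JITs). The sample records, pids, timestamps and process names are constructed; the x86_64 syscall numbers are the standard ones.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers: execve=59, memfd_create=319, execveat=322.
SYSCALL_EXECVE = "59"
SYSCALL_MEMFD_CREATE = "319"
SYSCALL_EXECVEAT = "322"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r'audit\((\d+\.\d+):\d+\)')

# Constructed auditd-style SYSCALL records (sample data, not logs from the report).
# Records 1-2: a loader creates an anonymous memfd (fd 3) and then execveat()s it while
# masquerading as a kernel thread. Record 3: an ordinary execve. Record 4: journald's
# benign memfd_create with no exec following it, which must NOT alert.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=319 success=yes '
    'exit=3 pid=4242 ppid=1 comm="stage0" exe="/tmp/.vl_ss_loader"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=322 success=yes '
    'exit=0 a0=3 pid=4242 ppid=1 comm="[kworker/0:0]" exe="/memfd:vl (deleted)"',
    'type=SYSCALL msg=audit(1700000000.200:203): arch=c000003e syscall=59 success=yes '
    'exit=0 pid=5000 ppid=1 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1700000000.300:204): arch=c000003e syscall=319 success=yes '
    'exit=4 pid=6000 ppid=1 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald"',
]


def parse_audit_line(line):
    """Split an auditd record into a field dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _TS.search(line)
    fields["ts"] = float(m.group(1)) if m else 0.0
    return fields


def detect_memfd_exec(lines, window=60.0):
    """Return alerts for processes that create an anonymous memfd and then execute from it.

    memfd_create alone is not a signal; the combination is. An exec whose image path is
    /memfd:... is flagged unconditionally (covers a forked child executing the parent's fd).
    """
    memfds = defaultdict(dict)  # pid -> {fd (as str): ts of the memfd_create}
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("type") != "SYSCALL" or ev.get("success") != "yes":
            continue
        pid, syscall, ts = ev.get("pid"), ev.get("syscall"), ev["ts"]
        if syscall == SYSCALL_MEMFD_CREATE:
            memfds[pid][ev.get("exit")] = ts  # 'exit' carries the new fd number
            continue
        if syscall not in (SYSCALL_EXECVE, SYSCALL_EXECVEAT):
            continue
        exe = ev.get("exe", "")
        # execveat(dirfd, "", ..., AT_EMPTY_PATH) runs the fd in a0 (auditd logs it in hex).
        dirfd = str(int(ev["a0"], 16)) if syscall == SYSCALL_EXECVEAT and "a0" in ev else None
        recent_fds = {fd for fd, t in memfds[pid].items() if 0 <= ts - t <= window}
        if exe.startswith("/memfd:") or dirfd in recent_fds:
            alerts.append({
                "pid": pid,
                "comm": ev.get("comm"),
                "exe": exe,
                "via": "execveat" if syscall == SYSCALL_EXECVEAT else "execve",
                "reason": "exec from anonymous memfd created by the same process",
            })
            memfds.pop(pid, None)
    return alerts


if __name__ == "__main__":
    for alert in detect_memfd_exec(SAMPLE_AUDIT_LINES):
        print(alert)
```

The same correlation is what a Falco rule expresses declaratively at the syscall layer; the value of having it in a script is that it can be run over historical audit logs during an incident to find the first memfd execution even after the loader has removed itself from /tmp.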
Indicators of Compromise
- [IP Address] C2 server – 8.149.128.10 (port 8080)
- [File Hash] Loader and implant samples – 70aa5b3516d331e9d1876f3b8994fc8c18e2b1b9f15096e6c790de8cd (Stage 0), 4c4201cc1278da615bacf48deef461bf26c343f8cbb2d8596788b41829a39f3f (Implant), and 6 more hashes
- [File Name / Endpoint] C2 and staging paths – /stage1.bin, /implant.bin, POST /compile, POST /api/v2/handshake
- [Module / Extracted Binary] Kernel/rootkit artifacts – vl_stealth.ko, ss_loader, hide_ss.bpf.o
- [File Path] Drop and staging locations – /tmp/.vl_ss_loader, /tmp/.vl_config, /dev/shm/.vl_*, /tmp/.vl_k[3-6].ko
- [Process Name] Masquerade and detection targets – [kworker/0:0], [kworker/0:1], falcon-sensor, SentinelAgent (used for process masquerade and security-product profiling)
- [Magic Value] Embedded magic constants used for control – 0x564C (prctl magic for LKM control), 0xC0DE (ICMP echo ID for covert channel), 0xAA (XOR key for C2 config encoding)
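The ICMP covert channel (magic echo ID 0xC0DE, Keypoints above) and the C2 address are the two IoCs that can be checked on the wire rather than on a host whose view may be filtered by the rootkit. The following Python is an added example, not code from the report or from VoidLink's own control script: it parses raw IPv4 + ICMP echo packets and flags any whose identifier field is 0xC0DE or whose source or destination is the listed C2 address. The packets are constructed in the block with a small builder (the IP header checksum is left zero, since the parser does not verify it); only the magic value and the C2 IP come from the IoC list.

```python
import struct
import ipaddress

VOIDLINK_ICMP_ID = 0xC0DE          # ICMP echo identifier from the IoC list
VOIDLINK_C2 = {"8.149.128.10"}     # C2 address from the IoC list


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp_echo(src, dst, ident, seq, payload, icmp_type=8):
    """Construct a minimal IPv4 + ICMP echo packet (constructed test data, not a capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_ipv4_icmp_echo(pkt):
    """Return (src, dst, type, ident, seq, payload) for an IPv4 ICMP echo/reply, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:   # protocol 1 = ICMP, 8-byte echo header
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if itype not in (0, 8):                  # 8 = echo request, 0 = echo reply
        return None
    return src, dst, itype, ident, seq, pkt[ihl + 8:]


def flag_covert_icmp(packets):
    """Flag echo packets carrying the VoidLink magic identifier or talking to the known C2."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, itype, ident, seq, payload = parsed
        reasons = []
        if ident == VOIDLINK_ICMP_ID:
            reasons.append("echo identifier 0xC0DE")
        if src in VOIDLINK_C2 or dst in VOIDLINK_C2:
            reasons.append("known C2 address")
        if reasons:
            alerts.append({"src": src, "dst": dst, "type": itype, "ident": ident,
                           "seq": seq, "payload_len": len(payload), "reasons": reasons})
    return alerts


# Constructed sample traffic: an ordinary ping, an echo carrying the magic identifier,
# and a reply sourced from the C2 address (all addresses other than the C2 are made up).
SAMPLE_PACKETS = [
    build_ipv4_icmp_echo("10.0.0.5", "8.8.8.8", 0x1A2B, 1, b"abcdefgh"),
    build_ipv4_icmp_echo("10.0.0.5", "203.0.113.7", 0xC0DE, 1, b"\x00\x01data"),
    build_ipv4_icmp_echo("8.149.128.10", "10.0.0.5", 0x0001, 7, b"ok", icmp_type=0),
]

if __name__ == "__main__":
    for alert in flag_covert_icmp(SAMPLE_PACKETS):
        print(alert)
```

Two caveats when using this as a hunt: Linux ping sets the echo identifier from the sender's pid, so 0xC0DE (49374) can appear legitimately and a hit needs corroboration from host telemetry; and because the report describes netfilter-level ICMP handling in the rootkit, a capture taken on the compromised host may never see these packets, so the check belongs on a tap, span port, or network sensor rather than on the endpoint.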
Read more: https://www.sysdig.com/blog/voidlink-threat-analysis-sysdig-discovers-c2-compiled-kernel-rootkits