Malware | Apr 9, 2026

The hybrid design is what makes this stand out. Most Linux rootkits pick one hiding mechanism. V...

VoidLink Linux rootkit employs hybrid LKM and eBPF design for evasion.

Summary

VoidLink is a sophisticated Linux rootkit that combines a Loadable Kernel Module (LKM) for syscall hooking and process hiding with a companion eBPF program for enhanced evasion capabilities. The dual-mechanism design allows it to maintain persistence while evading detection through multiple concealment layers, including a covert ICMP channel for command and control.

Indicators of Compromise

  • malware — VoidLink

Entities

  • Linux Loadable Kernel Module (LKM) (technology)
  • eBPF (extended Berkeley Packet Filter) (technology)