VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits
ID: 8ed9e584-3144-5c16-9801-f129a8716285
STIX ID: report--8ed9e584-3144-5c16-9801-f129a8716285
Feed Name: Sysdig Blog
This report analyzes VoidLink, a sophisticated Chinese-developed Linux malware framework that targets cloud and container environments. It uses a three-stage, largely fileless loader, adaptive profiling to evade EDR/CDR, and a novel server-side rootkit compilation (SRC) capability that produces kernel modules tailored to each victim's kernel. VoidLink provides kernel-level stealth via eBPF and LKM techniques, offers multiple control channels including an ICMP covert channel and a prctl "magic" interface, and embeds cloud/container escape and Kubernetes privilege escalation plugins. The report includes detailed IOCs (hashes, C2 IP/endpoints, file and process artifacts) and recommended runtime detection and mitigation controls.
