Half 1: How a cloud-native malware framework constructed by AI in below per week uncovered the following nice blind spot in enterprise safety
In December 2025, Examine Level Analysis disclosed one thing that ought to have set off alarms in each CISO’s workplace: VoidLink, a classy malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not tailored from Home windows malware. Not a repurposed penetration testing device. A cloud-first, Kubernetes-aware implant designed to detect whether or not it’s operating on AWS, GCP, Azure, Alibaba, or Tencent, decide whether or not it’s inside a Docker container or Kubernetes pod, and tailor its habits accordingly.
VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets and techniques, representing a milestone in adversary sophistication. It evaluates the safety posture of its host—figuring out monitoring instruments, endpoint safety, and hardening measures—and adapts, slowing down in well-defended environments, working freely in poorly monitored ones. It’s, within the phrases of Examine Level’s researchers, “way more superior than typical Linux malware.”
Cisco Talos lately revealed an evaluation revealing that a complicated menace actor it tracks had been actively leveraging VoidLink in actual campaigns, primarily focusing on know-how and monetary organizations. In keeping with Talos, the actor sometimes beneficial properties entry by pre-obtained credentials or by exploiting frequent enterprise companies then deploys VoidLink to set up command-and-control infrastructure, disguise their presence, and launch inner reconnaissance.
Notably, Talos highlighted VoidLink’s compile-on-demand functionality as laying the muse for AI-enabled assault frameworks that dynamically create instruments for operators, calling it a “near-production-ready proof of idea for an enterprise grade implant administration framework.”
VoidLink indicators that adversaries have crossed a threshold—constructing cloud-native, container-aware, AI-accelerated offensive frameworks particularly engineered for the infrastructure that now runs the world’s most useful workloads. And it’s removed from alone.
VoidLink is the sign. The sample is the story.
VoidLink didn’t emerge in isolation. It’s probably the most superior recognized instance of a broader shift: adversaries are systematically focusing on workloads—the containers, pods, AI inference jobs, and microservices operating on Kubernetes—as the first assault floor. The previous a number of months have produced a cascade of assaults confirming this trajectory:
- Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t simply steal information, they turned cutting-edge AI techniques into weapons. Attackers commandeered large GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that energy distributed AI. LLM-generated payloads and privileged DaemonSets allow them to unfold throughout lots of of 1000’s of servers, reworking fashionable AI platforms into assault infrastructure.
- Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved simply how fragile our cloud “partitions” might be. A easy three-line Dockerfile was sufficient to realize root entry on a number, doubtlessly exposing 37% of all cloud environments. It’s a stark reminder that whereas we fear about futuristic AI threats, the rapid hazard is usually conventional infrastructure flaws within the AI stack.
- Exploiting AI Workflows and Fashions: Attackers are focusing on each workflow platforms and AI provide chains. LangFlow RCE allowed distant code execution and account takeover throughout related techniques, successfully a “grasp key” into AI workflows. Malicious Keras fashions on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned fashions have been recognized, displaying that even trusted AI property might be weaponized.
At DEF CON 33 and Black Hat 2025, this shift dominated the dialog. DEF CON’s devoted Kubernetes protection monitor mirrored the neighborhood’s recognition that workload and AI infrastructure safety is now the frontline for enterprise protection.
How we obtained right here: EDR → cloud → identification → workloads
The cybersecurity business has seen this earlier than—the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility however assumed the factor value defending had a tough drive and an proprietor. The cloud shift broke these assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The identification pivot adopted as attackers realized stealing a credential was extra environment friendly than writing an exploit.
Now the perimeter has shifted once more. Kubernetes has gained because the working layer for contemporary infrastructure—from microservices to GPU-accelerated AI coaching and inference. AI workloads are uniquely useful targets: proprietary fashions, coaching datasets, API keys, expensive GPU compute, and infrequently the core aggressive asset of the group. New clusters face their first assault probe inside 18 minutes. In keeping with RedHat, practically ninety p.c of organizations skilled not less than one Kubernetes safety incident previously yr. Container-based lateral motion rose 34% in 2025.
The workloads are the place the worth is. The adversaries have seen.
Runtime safety: The lesson VoidLink teaches
VoidLink exposes a important hole in how most organizations strategy safety. It targets the ‘person house’ the place conventional safety brokers reside. By the point your EDR or CSPM appears to be like for a signature, the malware has already encrypted itself and vanished. It isn’t simply evading your instruments, it’s working in a layer they can’t see.
That is the place runtime safety working on the kernel stage turns into important—and a strong new Linux kernel know-how referred to as eBPF represents a basic shift in defensive functionality.
Isovalent (now a part of Cisco), co-creator and open supply chief of eBPF, constructed the Hypershield agent on this basis. Hypershield is an eBPF-based safety observability and enforcement layer constructed for Kubernetes. Slightly than counting on user-space brokers, it deploys eBPF packages inside the kernel to observe and implement coverage on course of executions, syscalls, file entry, and community exercise in actual time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the precise workloads that spawned them.
Isovalent’s technical evaluation demonstrates how Hypershield investigates and mitigates VoidLink’s habits at every stage of the kill chain. As a result of it operates by eBPF hooks inside the kernel, it observes VoidLink’s habits regardless of how cleverly the malware evades user-space instruments. VoidLink’s complete evasion mannequin is designed to defeat brokers working above the kernel. Hypershield sidesteps it completely.
This precept is the brand new commonplace for the fashionable menace panorama: assaults like ShadowRay 2.0 or NVIDIAScape succeed as a result of conventional defenses can’t see what workloads are doing in actual time. Runtime visibility and mitigation management on the kernel stage closes that important window between exploitation and detection that attackers depend on.
The blind spot most CISOs can’t afford
Assaults like VoidLink, ShadowRay, and NVIDIAScape make one fact unavoidable: most organizations are successfully blind to Kubernetes, the place AI fashions run and demanding workloads reside.
Years of funding in endpoints, identification, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, moderately than “an infrastructure element the platform workforce handles,” offers safety groups the chance to safeguard the crown jewels.
Kubernetes is the place AI lives: fashions are educated, inference is served, and brokers should function constantly, not tied to the lifecycle of laptops. The CISO’s position can be evolving, too, shifting from simply securing the perimeter, however the connective tissue between high-velocity DevOps groups constructing the longer term and the stakeholders who want assurance that the longer term is protected.
Kernel-level runtime safety offers the real-time “supply of fact.” Malware can evade user-space instruments, nevertheless it can’t disguise from the system itself. Platforms like Hypershield give CISOs the identical ground-truth visibility within the kernel they’ve had on endpoints for many years—so groups can see and reply in actual time, with zero overhead.
The path ahead
The path ahead just isn’t difficult, nevertheless it requires deliberate prioritization:
- Deal with Kubernetes and AI workloads as first-class safety property.
- Deploy runtime safety that gives kernel-level, real-time visibility.
- Combine workload monitoring into SOC workflows to detect and reply confidently.
Cisco has led innovation in workload safety, leveraging Hypershield along with Splunk for monitoring and runtime safety for important workloads.
The battlefield has shifted. Adversaries have invested in constructing cloud-native, container-aware, AI-accelerated offensive capabilities particularly engineered for the infrastructure that now runs the world’s most useful workloads. The query for each group is whether or not their defenses have saved tempo.
The proof from the previous twelve months suggests most haven’t. The proof from the following twelve will mirror the choices made as we speak.
We’d love to listen to what you assume! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
