Half 1: How a cloud-native malware framework constructed by AI in underneath every week uncovered the subsequent nice blind spot in enterprise safety
In December 2025, Verify Level Analysis disclosed one thing that ought to have set off alarms in each CISO’s workplace: VoidLink, a complicated malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not tailored from Home windows malware. Not a repurposed penetration testing software. A cloud-first, Kubernetes-aware implant designed to detect whether or not it’s working on AWS, GCP, Azure, Alibaba, or Tencent, decide whether or not it’s inside a Docker container or Kubernetes pod, and tailor its conduct accordingly.
VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets and techniques, representing a milestone in adversary sophistication. It evaluates the safety posture of its host—figuring out monitoring instruments, endpoint safety, and hardening measures—and adapts, slowing down in well-defended environments, working freely in poorly monitored ones. It’s, within the phrases of Verify Level’s researchers, “way more superior than typical Linux malware.”
Cisco Talos lately printed an evaluation revealing that a complicated menace actor it tracks had been actively leveraging VoidLink in actual campaigns, primarily concentrating on know-how and monetary organizations. Based on Talos, the actor sometimes beneficial properties entry via pre-obtained credentials or by exploiting widespread enterprise companies then deploys VoidLink to set up command-and-control infrastructure, cover their presence, and launch inner reconnaissance.
Notably, Talos highlighted VoidLink’s compile-on-demand functionality as laying the muse for AI-enabled assault frameworks that dynamically create instruments for operators, calling it a “near-production-ready proof of idea for an enterprise grade implant administration framework.”
VoidLink indicators that adversaries have crossed a threshold—constructing cloud-native, container-aware, AI-accelerated offensive frameworks particularly engineered for the infrastructure that now runs the world’s most precious workloads. And it’s removed from alone.
VoidLink is the sign. The sample is the story.
VoidLink didn’t emerge in isolation. It’s essentially the most superior recognized instance of a broader shift: adversaries are systematically concentrating on workloads—the containers, pods, AI inference jobs, and microservices working on Kubernetes—as the first assault floor. The previous a number of months have produced a cascade of assaults confirming this trajectory:
- Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t simply steal information, they turned cutting-edge AI techniques into weapons. Attackers commandeered large GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that energy distributed AI. LLM-generated payloads and privileged DaemonSets allow them to unfold throughout a whole bunch of 1000’s of servers, remodeling trendy AI platforms into assault infrastructure.
- Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved simply how fragile our cloud “partitions” could be. A easy three-line Dockerfile was sufficient to realize root entry on a bunch, probably exposing 37% of all cloud environments. It’s a stark reminder that whereas we fear about futuristic AI threats, the rapid hazard is usually conventional infrastructure flaws within the AI stack.
- Exploiting AI Workflows and Fashions: Attackers are concentrating on each workflow platforms and AI provide chains. LangFlow RCE allowed distant code execution and account takeover throughout related techniques, successfully a “grasp key” into AI workflows. Malicious Keras fashions on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned fashions have been recognized, exhibiting that even trusted AI belongings could be weaponized.
At DEF CON 33 and Black Hat 2025, this shift dominated the dialog. DEF CON’s devoted Kubernetes protection observe mirrored the group’s recognition that workload and AI infrastructure safety is now the frontline for enterprise protection.
How we obtained right here: EDR → cloud → identification → workloads
The cybersecurity business has seen this earlier than—the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility however assumed the factor value defending had a tough drive and an proprietor. The cloud shift broke these assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The identification pivot adopted as attackers realized stealing a credential was extra environment friendly than writing an exploit.
Now the perimeter has shifted once more. Kubernetes has received because the working layer for contemporary infrastructure—from microservices to GPU-accelerated AI coaching and inference. AI workloads are uniquely helpful targets: proprietary fashions, coaching datasets, API keys, expensive GPU compute, and sometimes the core aggressive asset of the group. New clusters face their first assault probe inside 18 minutes. Based on RedHat, almost ninety p.c of organizations skilled a minimum of one Kubernetes safety incident prior to now 12 months. Container-based lateral motion rose 34% in 2025.
The workloads are the place the worth is. The adversaries have seen.
Runtime safety: The lesson VoidLink teaches
VoidLink exposes a important hole in how most organizations method safety. It targets the ‘consumer area’ the place conventional safety brokers dwell. By the point your EDR or CSPM appears to be like for a signature, the malware has already encrypted itself and vanished. It isn’t simply evading your instruments, it’s working in a layer they can’t see.
That is the place runtime safety working on the kernel stage turns into important—and a strong new Linux kernel know-how known as eBPF represents a elementary shift in defensive functionality.
Isovalent (now a part of Cisco), co-creator and open supply chief of eBPF, constructed the Hypershield agent on this basis. Hypershield is an eBPF-based safety observability and enforcement layer constructed for Kubernetes. Slightly than counting on user-space brokers, it deploys eBPF applications inside the kernel to observe and implement coverage on course of executions, syscalls, file entry, and community exercise in actual time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the precise workloads that spawned them.
Isovalent’s technical evaluation demonstrates how Hypershield investigates and mitigates VoidLink’s conduct at every stage of the kill chain. As a result of it operates via eBPF hooks inside the kernel, it observes VoidLink’s conduct regardless of how cleverly the malware evades user-space instruments. VoidLink’s whole evasion mannequin is designed to defeat brokers working above the kernel. Hypershield sidesteps it solely.
This precept is the brand new normal for the trendy menace panorama: assaults like ShadowRay 2.0 or NVIDIAScape succeed as a result of conventional defenses can’t see what workloads are doing in actual time. Runtime visibility and mitigation management on the kernel stage closes that important window between exploitation and detection that attackers depend on.
The blind spot most CISOs can’t afford
Assaults like VoidLink, ShadowRay, and NVIDIAScape make one reality unavoidable: most organizations are successfully blind to Kubernetes, the place AI fashions run and important workloads dwell.
Years of funding in endpoints, identification, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, fairly than “an infrastructure element the platform workforce handles,” offers safety groups the chance to safeguard the crown jewels.
Kubernetes is the place AI lives: fashions are educated, inference is served, and brokers should function constantly, now not tied to the lifecycle of laptops. The CISO’s function can also be evolving, too, shifting from simply securing the perimeter, however the connective tissue between high-velocity DevOps groups constructing the longer term and the stakeholders who want assurance that the longer term is protected.
Kernel-level runtime safety supplies the real-time “supply of reality.” Malware can evade user-space instruments, nevertheless it can’t cover from the system itself. Platforms like Hypershield give CISOs the identical ground-truth visibility within the kernel they’ve had on endpoints for many years—so groups can see and reply in actual time, with zero overhead.
The path ahead
The path ahead will not be difficult, nevertheless it requires deliberate prioritization:
- Deal with Kubernetes and AI workloads as first-class safety belongings.
- Deploy runtime safety that gives kernel-level, real-time visibility.
- Combine workload monitoring into SOC workflows to detect and reply confidently.
Cisco has led innovation in workload safety, leveraging Hypershield along with Splunk for monitoring and runtime safety for important workloads.
The battlefield has shifted. Adversaries have invested in constructing cloud-native, container-aware, AI-accelerated offensive capabilities particularly engineered for the infrastructure that now runs the world’s most precious workloads. The query for each group is whether or not their defenses have saved tempo.
The proof from the previous twelve months suggests most haven’t. The proof from the subsequent twelve will replicate the selections made at the moment.
We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
