
The Emerging Workload Security Threat, a Retrospective on VoidLink

March 4, 2026


Part 1: How a cloud-native malware framework built by AI in under a week exposed the next great blind spot in enterprise security

In December 2025, Check Point Research disclosed something that should have set off alarms in every CISO’s office: VoidLink, a sophisticated malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not adapted from Windows malware. Not a repurposed penetration testing tool. A cloud-first, Kubernetes-aware implant designed to detect whether it is running on AWS, GCP, Azure, Alibaba, or Tencent, determine whether it is inside a Docker container or Kubernetes pod, and tailor its behavior accordingly.

VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets, representing a milestone in adversary sophistication. It evaluates the security posture of its host (identifying monitoring tools, endpoint protection, and hardening measures) and adapts, slowing down in well-defended environments and operating freely in poorly monitored ones. It is, in the words of Check Point’s researchers, “far more advanced than typical Linux malware.”

Cisco Talos recently published an analysis revealing that a sophisticated threat actor it tracks had been actively leveraging VoidLink in real campaigns, primarily targeting technology and financial organizations. According to Talos, the actor typically gains access through pre-obtained credentials or by exploiting common enterprise services, then deploys VoidLink to establish command-and-control infrastructure, hide their presence, and launch internal reconnaissance.

Notably, Talos highlighted VoidLink’s compile-on-demand capability as laying the foundation for AI-enabled attack frameworks that dynamically create tools for operators, calling it a “near-production-ready proof of concept for an enterprise grade implant management framework.”

VoidLink signals that adversaries have crossed a threshold: building cloud-native, container-aware, AI-accelerated offensive frameworks specifically engineered for the infrastructure that now runs the world’s most valuable workloads. And it is far from alone.

VoidLink is the signal. The pattern is the story.

VoidLink didn’t emerge in isolation. It is the most advanced known example of a broader shift: adversaries are systematically targeting workloads (the containers, pods, AI inference jobs, and microservices running on Kubernetes) as the primary attack surface. The past several months have produced a cascade of attacks confirming this trajectory:

Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t just steal data, they turned cutting-edge AI systems into weapons. Attackers commandeered massive GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that power distributed AI. LLM-generated payloads and privileged DaemonSets let them spread across hundreds of thousands of servers, transforming modern AI platforms into attack infrastructure.

Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved just how fragile our cloud “walls” can be. A simple three-line Dockerfile was enough to achieve root access on a host, potentially exposing 37% of all cloud environments. It’s a stark reminder that while we worry about futuristic AI threats, the immediate danger is often traditional infrastructure flaws in the AI stack.

Exploiting AI Workflows and Models: Attackers are targeting both workflow platforms and AI supply chains. LangFlow RCE allowed remote code execution and account takeover across connected systems, effectively a “master key” into AI workflows. Malicious Keras models on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned models have been identified, showing that even trusted AI assets can be weaponized.

At DEF CON 33 and Black Hat 2025, this shift dominated the conversation. DEF CON’s dedicated Kubernetes defense track reflected the community’s recognition that workload and AI infrastructure security is now the frontline for enterprise defense.

How we got here: EDR → cloud → identity → workloads

The cybersecurity industry has seen this before: the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility but assumed the thing worth protecting had a hard drive and an owner. The cloud shift broke those assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The identity pivot followed as attackers learned that stealing a credential was more efficient than writing an exploit.

Now the perimeter has shifted again. Kubernetes has won as the operating layer for modern infrastructure, from microservices to GPU-accelerated AI training and inference. AI workloads are uniquely valuable targets: proprietary models, training datasets, API keys, costly GPU compute, and often the core competitive asset of the organization. New clusters face their first attack probe within 18 minutes. According to Red Hat, nearly ninety percent of organizations experienced at least one Kubernetes security incident in the past 12 months. Container-based lateral movement rose 34% in 2025.

The workloads are where the value is. The adversaries have noticed.

Runtime security: The lesson VoidLink teaches

VoidLink exposes a critical gap in how most organizations approach security. It targets the ‘user space’ where traditional security agents live. By the time your EDR or CSPM looks for a signature, the malware has already encrypted itself and vanished. It isn’t just evading your tools, it is operating in a layer they cannot see.

This is where runtime security operating at the kernel level becomes essential, and a powerful new Linux kernel technology called eBPF represents a fundamental shift in defensive capability.

Isovalent (now part of Cisco), co-creator and open source leader of eBPF, built the Hypershield agent on this foundation. Hypershield is an eBPF-based security observability and enforcement layer built for Kubernetes. Rather than relying on user-space agents, it deploys eBPF programs within the kernel to monitor and enforce policy on process executions, syscalls, file access, and network activity in real time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the exact workloads that spawned them.
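
One way a process execution seen at the host level can be tied back to the pod that spawned it, shown here as an added example (not code from this article, Isovalent or Cisco, and not a description of how Hypershield is implemented): it parses the contents of `/proc/<pid>/cgroup` as written under the two common kubelet cgroup drivers. The event records, the pod inventory and its `allowed_binaries` field are constructed assumptions.

```python
import re

# Pod UID as kubelet writes it: dashes (cgroupfs driver) or underscores (systemd driver).
POD_RE = re.compile(r"pod([0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})")
# Container ID: 64 hex chars, bare or wrapped as "<runtime>-<id>.scope".
CTR_RE = re.compile(r"[/-]([0-9a-f]{64})(?:\.scope)?$")

def workload_from_cgroup(cgroup_text):
    """Return (pod_uid, container_id) for /proc/<pid>/cgroup content, or None for host processes."""
    for line in cgroup_text.splitlines():
        # Each line is "hierarchy-id:controllers:path"; cgroup v2 has a single "0::path" line.
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or "kubepods" not in parts[2]:
            continue
        pod = POD_RE.search(parts[2])
        if pod:
            ctr = CTR_RE.search(parts[2])
            return pod.group(1).replace("_", "-"), (ctr.group(1) if ctr else None)
    return None

def attribute(exec_events, pods):
    """Label each exec event with namespace/pod and flag binaries outside the pod's allowlist."""
    out = []
    for ev in exec_events:
        wl = workload_from_cgroup(ev["cgroup"])
        if wl is None:
            out.append({"pid": ev["pid"], "workload": "host", "alert": False})
            continue
        pod = pods.get(wl[0])
        name = f"{pod['namespace']}/{pod['name']}" if pod else f"unknown-pod/{wl[0]}"
        allowed = pod["allowed_binaries"] if pod else set()
        out.append({"pid": ev["pid"], "workload": name, "container": wl[1],
                    "alert": ev["binary"] not in allowed})
    return out

# Constructed sample data (not from the article): one pod, three exec events.
UID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
CID = "ab" * 32
PODS = {UID: {"namespace": "ml-serving", "name": "inference-7c9d",
              "allowed_binaries": {"/usr/bin/python3"}}}
SYSTEMD_V2 = ("0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod"
              + UID.replace("-", "_") + ".slice/cri-containerd-" + CID + ".scope")
CGROUPFS_V1 = "11:memory:/kubepods/burstable/pod" + UID + "/" + CID
EVENTS = [
    {"pid": 4121, "binary": "/usr/bin/python3", "cgroup": SYSTEMD_V2},
    {"pid": 4188, "binary": "/bin/sh", "cgroup": CGROUPFS_V1},
    {"pid": 812, "binary": "/usr/sbin/sshd", "cgroup": "0::/system.slice/ssh.service"},
]
```

Calling `attribute(EVENTS, PODS)` labels the two pod processes as `ml-serving/inference-7c9d`, flags only the `/bin/sh` execution, and leaves the host `sshd` unattributed.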

Isovalent’s technical analysis demonstrates how Hypershield investigates and mitigates VoidLink’s behavior at each stage of the kill chain. Because it operates through eBPF hooks within the kernel, it observes VoidLink’s behavior no matter how cleverly the malware evades user-space tools. VoidLink’s entire evasion model is designed to defeat agents operating above the kernel. Hypershield sidesteps it entirely.

This principle is the new standard for the modern threat landscape: attacks like ShadowRay 2.0 or NVIDIAScape succeed because traditional defenses can’t see what workloads are doing in real time. Runtime visibility and mitigation control at the kernel level closes that critical window between exploitation and detection that attackers rely on.

The blind spot most CISOs can’t afford

Attacks like VoidLink, ShadowRay, and NVIDIAScape make one truth unavoidable: most organizations are effectively blind to Kubernetes, where AI models run and critical workloads live.

Years of investment in endpoints, identity, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, rather than “an infrastructure detail the platform team handles,” gives security teams the opportunity to safeguard the crown jewels.

Kubernetes is where AI lives: models are trained, inference is served, and agents must operate continuously, not tied to the lifecycle of laptops. The CISO’s role is evolving, too, shifting from just securing the perimeter to being the connective tissue between high-velocity DevOps teams building the future and the stakeholders who need assurance that the future is secure.

Kernel-level runtime security provides the real-time “source of truth.” Malware can evade user-space tools, but it cannot hide from the system itself. Platforms like Hypershield give CISOs the same ground-truth visibility in the kernel they have had on endpoints for decades, so teams can see and respond in real time, with zero overhead.

The path forward

The path forward is not complicated, but it requires deliberate prioritization:

Treat Kubernetes and AI workloads as first-class security assets.

Deploy runtime security that provides kernel-level, real-time visibility.

Integrate workload monitoring into SOC workflows to detect and respond confidently.

Cisco has led innovation in workload security, leveraging Hypershield together with Splunk for monitoring and runtime security for critical workloads.

The battlefield has shifted. Adversaries have invested in building cloud-native, container-aware, AI-accelerated offensive capabilities specifically engineered for the infrastructure that now runs the world’s most valuable workloads. The question for every organization is whether their defenses have kept pace.

The evidence from the past twelve months suggests most haven’t. The evidence from the next twelve will reflect the decisions made today.
