Half 1: How a cloud-native malware framework constructed by AI in underneath per week uncovered the following nice blind spot in enterprise safety
In December 2025, Test Level Analysis disclosed one thing that ought to have set off alarms in each CISO’s workplace: VoidLink, a classy malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not tailored from Home windows malware. Not a repurposed penetration testing software. A cloud-first, Kubernetes-aware implant designed to detect whether or not it’s working on AWS, GCP, Azure, Alibaba, or Tencent, decide whether or not it’s inside a Docker container or Kubernetes pod, and tailor its conduct accordingly.
VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets and techniques, representing a milestone in adversary sophistication. It evaluates the safety posture of its host—figuring out monitoring instruments, endpoint safety, and hardening measures—and adapts, slowing down in well-defended environments, working freely in poorly monitored ones. It’s, within the phrases of Test Level’s researchers, “way more superior than typical Linux malware.”
Cisco Talos not too long ago revealed an evaluation revealing that a complicated risk actor it tracks had been actively leveraging VoidLink in actual campaigns, primarily focusing on know-how and monetary organizations. In response to Talos, the actor usually positive aspects entry by way of pre-obtained credentials or by exploiting frequent enterprise providers then deploys VoidLink to set up command-and-control infrastructure, disguise their presence, and launch inner reconnaissance.
Notably, Talos highlighted VoidLink’s compile-on-demand functionality as laying the inspiration for AI-enabled assault frameworks that dynamically create instruments for operators, calling it a “near-production-ready proof of idea for an enterprise grade implant administration framework.”
VoidLink alerts that adversaries have crossed a threshold—constructing cloud-native, container-aware, AI-accelerated offensive frameworks particularly engineered for the infrastructure that now runs the world’s most precious workloads. And it’s removed from alone.
VoidLink is the sign. The sample is the story.
VoidLink didn’t emerge in isolation. It’s probably the most superior identified instance of a broader shift: adversaries are systematically focusing on workloads—the containers, pods, AI inference jobs, and microservices working on Kubernetes—as the first assault floor. The previous a number of months have produced a cascade of assaults confirming this trajectory:
- Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t simply steal knowledge, they turned cutting-edge AI techniques into weapons. Attackers commandeered huge GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that energy distributed AI. LLM-generated payloads and privileged DaemonSets allow them to unfold throughout a whole bunch of 1000’s of servers, remodeling fashionable AI platforms into assault infrastructure.
- Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved simply how fragile our cloud “partitions” may be. A easy three-line Dockerfile was sufficient to realize root entry on a bunch, doubtlessly exposing 37% of all cloud environments. It’s a stark reminder that whereas we fear about futuristic AI threats, the instant hazard is usually conventional infrastructure flaws within the AI stack.
- Exploiting AI Workflows and Fashions: Attackers are focusing on each workflow platforms and AI provide chains. LangFlow RCE allowed distant code execution and account takeover throughout related techniques, successfully a “grasp key” into AI workflows. Malicious Keras fashions on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned fashions have been recognized, displaying that even trusted AI belongings may be weaponized.
At DEF CON 33 and Black Hat 2025, this shift dominated the dialog. DEF CON’s devoted Kubernetes protection monitor mirrored the group’s recognition that workload and AI infrastructure safety is now the frontline for enterprise protection.
How we obtained right here: EDR → cloud → identification → workloads
The cybersecurity business has seen this earlier than—the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility however assumed the factor price defending had a tough drive and an proprietor. The cloud shift broke these assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The identification pivot adopted as attackers realized stealing a credential was extra environment friendly than writing an exploit.
Now the perimeter has shifted once more. Kubernetes has received because the working layer for contemporary infrastructure—from microservices to GPU-accelerated AI coaching and inference. AI workloads are uniquely helpful targets: proprietary fashions, coaching datasets, API keys, pricey GPU compute, and infrequently the core aggressive asset of the group. New clusters face their first assault probe inside 18 minutes. In response to RedHat, almost ninety % of organizations skilled a minimum of one Kubernetes safety incident previously 12 months. Container-based lateral motion rose 34% in 2025.
The workloads are the place the worth is. The adversaries have observed.
Runtime safety: The lesson VoidLink teaches
VoidLink exposes a vital hole in how most organizations method safety. It targets the ‘person area’ the place conventional safety brokers dwell. By the point your EDR or CSPM seems to be for a signature, the malware has already encrypted itself and vanished. It isn’t simply evading your instruments, it’s working in a layer they can’t see.
That is the place runtime safety working on the kernel stage turns into important—and a strong new Linux kernel know-how known as eBPF represents a elementary shift in defensive functionality.
Isovalent (now a part of Cisco), co-creator and open supply chief of eBPF, constructed the Hypershield agent on this basis. Hypershield is an eBPF-based safety observability and enforcement layer constructed for Kubernetes. Fairly than counting on user-space brokers, it deploys eBPF packages inside the kernel to observe and implement coverage on course of executions, syscalls, file entry, and community exercise in actual time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the precise workloads that spawned them.
Isovalent’s technical evaluation demonstrates how Hypershield investigates and mitigates VoidLink’s conduct at every stage of the kill chain. As a result of it operates by way of eBPF hooks inside the kernel, it observes VoidLink’s conduct regardless of how cleverly the malware evades user-space instruments. VoidLink’s complete evasion mannequin is designed to defeat brokers working above the kernel. Hypershield sidesteps it totally.
This precept is the brand new commonplace for the fashionable risk panorama: assaults like ShadowRay 2.0 or NVIDIAScape succeed as a result of conventional defenses can’t see what workloads are doing in actual time. Runtime visibility and mitigation management on the kernel stage closes that vital window between exploitation and detection that attackers depend on.
The blind spot most CISOs can’t afford
Assaults like VoidLink, ShadowRay, and NVIDIAScape make one fact unavoidable: most organizations are successfully blind to Kubernetes, the place AI fashions run and significant workloads dwell.
Years of funding in endpoints, identification, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, fairly than “an infrastructure element the platform staff handles,” provides safety groups the chance to safeguard the crown jewels.
Kubernetes is the place AI lives: fashions are skilled, inference is served, and brokers should function constantly, not tied to the lifecycle of laptops. The CISO’s function can be evolving, too, shifting from simply securing the perimeter, however the connective tissue between high-velocity DevOps groups constructing the longer term and the stakeholders who want assurance that the longer term is protected.
Kernel-level runtime safety supplies the real-time “supply of fact.” Malware can evade user-space instruments, however it can’t disguise from the system itself. Platforms like Hypershield give CISOs the identical ground-truth visibility within the kernel they’ve had on endpoints for many years—so groups can see and reply in actual time, with zero overhead.
The path ahead
The path ahead is just not sophisticated, however it requires deliberate prioritization:
- Deal with Kubernetes and AI workloads as first-class safety belongings.
- Deploy runtime safety that gives kernel-level, real-time visibility.
- Combine workload monitoring into SOC workflows to detect and reply confidently.
Cisco has led innovation in workload safety, leveraging Hypershield along with Splunk for monitoring and runtime safety for vital workloads.
The battlefield has shifted. Adversaries have invested in constructing cloud-native, container-aware, AI-accelerated offensive capabilities particularly engineered for the infrastructure that now runs the world’s most precious workloads. The query for each group is whether or not their defenses have saved tempo.
The proof from the previous twelve months suggests most haven’t. The proof from the following twelve will mirror the choices made at the moment.
We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media