Half 1: How a cloud-native malware framework constructed by AI in beneath every week uncovered the following nice blind spot in enterprise safety
In December 2025, Examine Level Analysis disclosed one thing that ought to have set off alarms in each CISO’s workplace: VoidLink, a classy malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not tailored from Home windows malware. Not a repurposed penetration testing software. A cloud-first, Kubernetes-aware implant designed to detect whether or not it’s working on AWS, GCP, Azure, Alibaba, or Tencent, decide whether or not it’s inside a Docker container or Kubernetes pod, and tailor its conduct accordingly.
VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets and techniques, representing a milestone in adversary sophistication. It evaluates the safety posture of its host—figuring out monitoring instruments, endpoint safety, and hardening measures—and adapts, slowing down in well-defended environments, working freely in poorly monitored ones. It’s, within the phrases of Examine Level’s researchers, “way more superior than typical Linux malware.”
Cisco Talos not too long ago printed an evaluation revealing that a sophisticated risk actor it tracks had been actively leveraging VoidLink in actual campaigns, primarily concentrating on know-how and monetary organizations. Based on Talos, the actor usually positive aspects entry by means of pre-obtained credentials or by exploiting widespread enterprise companies then deploys VoidLink to set up command-and-control infrastructure, cover their presence, and launch inner reconnaissance.
Notably, Talos highlighted VoidLink’s compile-on-demand functionality as laying the inspiration for AI-enabled assault frameworks that dynamically create instruments for operators, calling it a “near-production-ready proof of idea for an enterprise grade implant administration framework.”
VoidLink alerts that adversaries have crossed a threshold—constructing cloud-native, container-aware, AI-accelerated offensive frameworks particularly engineered for the infrastructure that now runs the world’s most precious workloads. And it’s removed from alone.
VoidLink is the sign. The sample is the story.
VoidLink didn’t emerge in isolation. It’s probably the most superior identified instance of a broader shift: adversaries are systematically concentrating on workloads—the containers, pods, AI inference jobs, and microservices working on Kubernetes—as the first assault floor. The previous a number of months have produced a cascade of assaults confirming this trajectory:
- Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t simply steal information, they turned cutting-edge AI methods into weapons. Attackers commandeered large GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that energy distributed AI. LLM-generated payloads and privileged DaemonSets allow them to unfold throughout tons of of 1000’s of servers, remodeling trendy AI platforms into assault infrastructure.
- Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved simply how fragile our cloud “partitions” could be. A easy three-line Dockerfile was sufficient to realize root entry on a bunch, doubtlessly exposing 37% of all cloud environments. It’s a stark reminder that whereas we fear about futuristic AI threats, the quick hazard is commonly conventional infrastructure flaws within the AI stack.
- Exploiting AI Workflows and Fashions: Attackers are concentrating on each workflow platforms and AI provide chains. LangFlow RCE allowed distant code execution and account takeover throughout related methods, successfully a “grasp key” into AI workflows. Malicious Keras fashions on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned fashions have been recognized, displaying that even trusted AI belongings could be weaponized.
At DEF CON 33 and Black Hat 2025, this shift dominated the dialog. DEF CON’s devoted Kubernetes protection observe mirrored the group’s recognition that workload and AI infrastructure safety is now the frontline for enterprise protection.
How we obtained right here: EDR → cloud → id → workloads
The cybersecurity trade has seen this earlier than—the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility however assumed the factor price defending had a tough drive and an proprietor. The cloud shift broke these assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The id pivot adopted as attackers realized stealing a credential was extra environment friendly than writing an exploit.
Now the perimeter has shifted once more. Kubernetes has gained because the working layer for contemporary infrastructure—from microservices to GPU-accelerated AI coaching and inference. AI workloads are uniquely useful targets: proprietary fashions, coaching datasets, API keys, expensive GPU compute, and infrequently the core aggressive asset of the group. New clusters face their first assault probe inside 18 minutes. Based on RedHat, almost ninety p.c of organizations skilled a minimum of one Kubernetes safety incident up to now 12 months. Container-based lateral motion rose 34% in 2025.
The workloads are the place the worth is. The adversaries have seen.
Runtime safety: The lesson VoidLink teaches
VoidLink exposes a vital hole in how most organizations method safety. It targets the ‘consumer area’ the place conventional safety brokers reside. By the point your EDR or CSPM seems for a signature, the malware has already encrypted itself and vanished. It isn’t simply evading your instruments, it’s working in a layer they can not see.
That is the place runtime safety working on the kernel degree turns into important—and a strong new Linux kernel know-how referred to as eBPF represents a basic shift in defensive functionality.
Isovalent (now a part of Cisco), co-creator and open supply chief of eBPF, constructed the Hypershield agent on this basis. Hypershield is an eBPF-based safety observability and enforcement layer constructed for Kubernetes. Relatively than counting on user-space brokers, it deploys eBPF packages throughout the kernel to observe and implement coverage on course of executions, syscalls, file entry, and community exercise in actual time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the precise workloads that spawned them.
Isovalent’s technical evaluation demonstrates how Hypershield investigates and mitigates VoidLink’s conduct at every stage of the kill chain. As a result of it operates by means of eBPF hooks throughout the kernel, it observes VoidLink’s conduct regardless of how cleverly the malware evades user-space instruments. VoidLink’s whole evasion mannequin is designed to defeat brokers working above the kernel. Hypershield sidesteps it solely.
This precept is the brand new customary for the trendy risk panorama: assaults like ShadowRay 2.0 or NVIDIAScape succeed as a result of conventional defenses can’t see what workloads are doing in actual time. Runtime visibility and mitigation management on the kernel degree closes that vital window between exploitation and detection that attackers depend on.
The blind spot most CISOs can’t afford
Assaults like VoidLink, ShadowRay, and NVIDIAScape make one fact unavoidable: most organizations are successfully blind to Kubernetes, the place AI fashions run and significant workloads reside.
Years of funding in endpoints, id, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, quite than “an infrastructure element the platform staff handles,” provides safety groups the chance to safeguard the crown jewels.
Kubernetes is the place AI lives: fashions are skilled, inference is served, and brokers should function constantly, now not tied to the lifecycle of laptops. The CISO’s position can also be evolving, too, shifting from simply securing the perimeter, however the connective tissue between high-velocity DevOps groups constructing the long run and the stakeholders who want assurance that the long run is protected.
Kernel-level runtime safety offers the real-time “supply of fact.” Malware can evade user-space instruments, however it can not cover from the system itself. Platforms like Hypershield give CISOs the identical ground-truth visibility within the kernel they’ve had on endpoints for many years—so groups can see and reply in actual time, with zero overhead.
The path ahead
The path ahead just isn’t sophisticated, however it requires deliberate prioritization:
- Deal with Kubernetes and AI workloads as first-class safety belongings.
- Deploy runtime safety that gives kernel-level, real-time visibility.
- Combine workload monitoring into SOC workflows to detect and reply confidently.
Cisco has led innovation in workload safety, leveraging Hypershield along with Splunk for monitoring and runtime safety for vital workloads.
The battlefield has shifted. Adversaries have invested in constructing cloud-native, container-aware, AI-accelerated offensive capabilities particularly engineered for the infrastructure that now runs the world’s most precious workloads. The query for each group is whether or not their defenses have stored tempo.
The proof from the previous twelve months suggests most haven’t. The proof from the following twelve will replicate the selections made at this time.
We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
