    A Retrospective on Workload Security

    By Admin, March 3, 2026

    Part 1: How a cloud-native malware framework built by AI in under a week exposed the next great blind spot in enterprise security

    In December 2025, Check Point Research disclosed something that should have set off alarms in every CISO’s office: VoidLink, a sophisticated malware framework, purpose-built for long-term, stealthy persistence inside Linux-based cloud and container environments. Not adapted from Windows malware. Not a repurposed penetration testing tool. A cloud-first, Kubernetes-aware implant designed to detect whether it’s running on AWS, GCP, Azure, Alibaba, or Tencent, determine whether it’s inside a Docker container or Kubernetes pod, and tailor its behavior accordingly.

    VoidLink is designed for fileless, invisible persistence. It harvests cloud metadata, API credentials, Git tokens, and secrets, representing a milestone in adversary sophistication. It evaluates the security posture of its host—identifying monitoring tools, endpoint protection, and hardening measures—and adapts, slowing down in well-defended environments, operating freely in poorly monitored ones. It is, in the words of Check Point’s researchers, “far more advanced than typical Linux malware.”

    Cisco Talos recently published an analysis revealing that an advanced threat actor it tracks had been actively leveraging VoidLink in real campaigns, primarily targeting technology and financial organizations. According to Talos, the actor typically gains access through pre-obtained credentials or by exploiting common enterprise services, then deploys VoidLink to establish command-and-control infrastructure, hide its presence, and launch internal reconnaissance.

    Notably, Talos highlighted VoidLink’s compile-on-demand capability as laying the foundation for AI-enabled attack frameworks that dynamically create tools for operators, calling it a “near-production-ready proof of concept for an enterprise grade implant management framework.”

    VoidLink signals that adversaries have crossed a threshold—building cloud-native, container-aware, AI-accelerated offensive frameworks specifically engineered for the infrastructure that now runs the world’s most valuable workloads. And it’s far from alone.

    VoidLink is the signal. The pattern is the story.

    VoidLink didn’t emerge in isolation. It’s the most advanced known example of a broader shift: adversaries are systematically targeting workloads—the containers, pods, AI inference jobs, and microservices running on Kubernetes—as the primary attack surface. The past several months have produced a cascade of attacks confirming this trajectory:

    • Weaponizing AI Infrastructure: ShadowRay 2.0 and the TeamPCP Worm didn’t just steal data; they turned cutting-edge AI systems into weapons. Attackers commandeered massive GPU clusters and Kubernetes environments into self-replicating botnets, exploiting the very frameworks that power distributed AI. LLM-generated payloads and privileged DaemonSets let them spread across hundreds of thousands of servers, transforming modern AI platforms into attack infrastructure.
    • Collapsing Container Boundaries: Vulnerabilities like NVIDIAScape proved just how fragile our cloud “walls” can be. A simple three-line Dockerfile was enough to achieve root access on a host, potentially exposing 37% of all cloud environments. It’s a stark reminder that while we worry about futuristic AI threats, the immediate danger is often traditional infrastructure flaws in the AI stack.
    • Exploiting AI Workflows and Models: Attackers are targeting both workflow platforms and AI supply chains. LangFlow RCE allowed remote code execution and account takeover across connected systems, effectively a “master key” into AI workflows. Malicious Keras models on repositories like Hugging Face can execute arbitrary code when loaded, creating hidden backdoors in AI environments. About 100 poisoned models have been identified, showing that even trusted AI assets can be weaponized.
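
The privileged DaemonSets mentioned in the first bullet are something a cluster owner can audit for directly. The following is an added example, not code from the original article or from any vendor it names: it reviews a constructed listing shaped like `kubectl get daemonsets -A -o json` output, and the sample workloads, the `reviewed` allowlist and both function names are assumptions.

```python
# Added example: audit DaemonSets for host-level privileges.
# SAMPLE is constructed, shaped like `kubectl get daemonsets -A -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "DaemonSet",
     "metadata": {"namespace": "logging", "name": "log-agent"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "agent", "image": "example/agent:1"}]}}}},
    {"kind": "DaemonSet",
     "metadata": {"namespace": "kube-system", "name": "cni-node"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{"name": "cni",
                         "securityContext": {"privileged": True}}]}}}},
    {"kind": "DaemonSet",
     "metadata": {"namespace": "ml-jobs", "name": "gpu-helper"},
     "spec": {"template": {"spec": {
         "hostPID": True,
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
         "containers": [{"name": "helper",
                         "securityContext": {"privileged": True}}]}}}},
]}

HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")
BROAD_CAPS = {"ALL", "SYS_ADMIN"}  # capability names as written in manifests

def risky_settings(pod_spec):
    """List the host-level privileges requested by one pod template."""
    found = [flag for flag in HOST_FLAGS if pod_spec.get(flag)]
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                found.append(f"privileged:{c['name']}")
            caps = (sc.get("capabilities") or {}).get("add") or []
            found += [f"cap:{cap}:{c['name']}" for cap in caps if cap in BROAD_CAPS]
    for vol in pod_spec.get("volumes") or []:
        if vol.get("hostPath"):
            found.append(f"hostPath:{vol['hostPath'].get('path')}")
    return found

def audit_daemonsets(listing, reviewed=frozenset()):
    """Map namespace/name -> findings, skipping DaemonSets already reviewed."""
    report = {}
    for item in listing.get("items") or []:
        if item.get("kind") != "DaemonSet":
            continue
        key = f"{item['metadata']['namespace']}/{item['metadata']['name']}"
        findings = risky_settings(item["spec"]["template"]["spec"])
        if findings and key not in reviewed:
            report[key] = findings
    return report
```

Anything the audit reports that is not on the reviewed list is a DaemonSet that runs on every node with host access and deserves an owner and a justification.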

    At DEF CON 33 and Black Hat 2025, this shift dominated the conversation. DEF CON’s dedicated Kubernetes defense track reflected the community’s recognition that workload and AI infrastructure security is now the frontline for enterprise defense.

    How we got here: EDR → cloud → identity → workloads

    The cybersecurity industry has seen this before—the perimeter shifts, and defenders scramble to catch up. EDR gave us endpoint visibility but assumed the thing worth protecting had a hard drive and an owner. The cloud shift broke those assumptions with ephemeral infrastructure and a blast radius measured in misconfigured IAM roles. The identity pivot followed as attackers realized stealing a credential was more efficient than writing an exploit.

    Now the perimeter has shifted again. Kubernetes has won as the operating layer for modern infrastructure, from microservices to GPU-accelerated AI training and inference. AI workloads are uniquely valuable targets: proprietary models, training datasets, API keys, costly GPU compute, and often the core competitive asset of the organization. New clusters face their first attack probe within 18 minutes. According to Red Hat, nearly ninety percent of organizations experienced at least one Kubernetes security incident in the past year. Container-based lateral movement rose 34% in 2025.

    The workloads are where the value is. The adversaries have noticed.

    Runtime protection: The lesson VoidLink teaches

    VoidLink exposes a critical gap in how most organizations approach security. It targets the ‘user space’ where traditional security agents live. By the time your EDR or CSPM looks for a signature, the malware has already encrypted itself and vanished. It isn’t just evading your tools; it is operating in a layer they cannot see.

    This is where runtime security operating at the kernel level becomes essential—and a powerful new Linux kernel technology called eBPF represents a fundamental shift in defensive capability.

    Isovalent (now part of Cisco), co-creator and open source leader of eBPF, built the Hypershield agent on this foundation. Hypershield is an eBPF-based security observability and enforcement layer built for Kubernetes. Rather than relying on user-space agents, it deploys eBPF programs within the kernel to observe and enforce policy on process executions, syscalls, file access, and network activity in real time. Critically, Hypershield is Kubernetes-identity-aware: it understands namespaces, pods, workload identities, and labels natively, correlating threats with the exact workloads that spawned them.

    Isovalent’s technical analysis demonstrates how Hypershield investigates and mitigates VoidLink’s behavior at each stage of the kill chain. Because it operates through eBPF hooks within the kernel, it observes VoidLink’s behavior regardless of how cleverly the malware evades user-space tools. VoidLink’s entire evasion model is designed to defeat agents operating above the kernel. Hypershield sidesteps it entirely.

    This principle is the new standard for the modern threat landscape: attacks like ShadowRay 2.0 or NVIDIAScape succeed because traditional defenses can’t see what workloads are doing in real time. Runtime visibility and mitigation control at the kernel level closes that critical window between exploitation and detection that attackers rely on.

    The blind spot most CISOs can’t afford

    Attacks like VoidLink, ShadowRay, and NVIDIAScape make one truth unavoidable: most organizations are effectively blind to Kubernetes, where AI models run and critical workloads live.

    Years of investment in endpoints, identity, and cloud monitoring have left Kubernetes largely invisible. Treating Kubernetes as a strategic asset, rather than “an infrastructure detail the platform team handles,” gives security teams the opportunity to safeguard the crown jewels.

    Kubernetes is where AI lives: models are trained, inference is served, and agents must operate continuously, no longer tied to the lifecycle of laptops. The CISO’s role is evolving too, shifting from just securing the perimeter to serving as the connective tissue between high-velocity DevOps teams building the future and the stakeholders who need assurance that the future is protected.

    Kernel-level runtime security provides the real-time “source of truth.” Malware can evade user-space tools, but it cannot hide from the system itself. Platforms like Hypershield give CISOs the same ground-truth visibility in the kernel they’ve had on endpoints for decades—so teams can see and respond in real time, with zero overhead.

    The path forward

    The path forward is not complicated, but it requires deliberate prioritization:

    • Treat Kubernetes and AI workloads as first-class security assets.
    • Deploy runtime security that provides kernel-level, real-time visibility.
    • Integrate workload monitoring into SOC workflows to detect and respond confidently.

    Cisco has led innovation in workload security, leveraging Hypershield together with Splunk for monitoring and runtime security for critical workloads.

    The battlefield has shifted. Adversaries have invested in building cloud-native, container-aware, AI-accelerated offensive capabilities specifically engineered for the infrastructure that now runs the world’s most valuable workloads. The question for every organization is whether their defenses have kept pace.

    The evidence from the past twelve months suggests most have not. The evidence from the next twelve will reflect the decisions made today.

