ZCyberNews

VoidLink Rootkit Framework Combines LKM and eBPF for Linux Persistence

Elastic Security Labs dissects VoidLink, a Linux rootkit framework that blends Loadable Kernel Modules with eBPF hooks to evade detection and maintain stealthy persistence on…

Executive Summary

Elastic Security Labs published a technical analysis of VoidLink, a sophisticated Linux rootkit framework that combines traditional Loadable Kernel Modules (LKMs) with eBPF (extended Berkeley Packet Filter) to achieve stealthy persistence and evade detection. The framework represents an evolution in Linux kernel-level malware, leveraging both established and emerging kernel instrumentation techniques to maintain access on compromised systems. According to Elastic's analysis, VoidLink's dual-pronged approach makes it particularly challenging for defenders relying solely on standard kernel integrity checks or eBPF monitoring alone.

Technical Analysis

VoidLink employs a modular architecture that separates its LKM and eBPF components, each serving distinct roles in the infection lifecycle. The LKM component handles core persistence mechanisms, including hooking system calls and manipulating kernel data structures to hide files, processes, and network connections. Elastic researchers identified that the LKM uses technique T1547.001 (Boot or Logon Autostart Execution: Kernel Modules and Extensions) to load automatically at boot time via /etc/modules or modprobe configuration.

The eBPF component, by contrast, focuses on runtime evasion. VoidLink loads eBPF programs that intercept syscall traces and filter out indicators of compromise from user-space monitoring tools. This approach exploits the fact that many security agents do not inspect eBPF program state, allowing the rootkit to selectively hide its activity from tools like bpftrace or perf. Elastic noted that VoidLink's eBPF hooks target kprobes and tracepoints associated with process creation and file I/O, effectively creating a blind spot for defenders who monitor those events via eBPF themselves.

The framework also includes anti-analysis features. Elastic observed that VoidLink checks for debugger presence (T1622) and attempts to disable or modify security tools (T1562.001) by hooking kill() and ptrace() syscalls. The malware is delivered as a malicious file (T1204.002), likely through initial access vectors such as phishing or exploitation of internet-facing services.

Elastic did not attribute VoidLink to a specific threat actor or provide campaign-level indicators such as IP addresses or file hashes. The analysis focused on the framework's architectural design rather than operational deployment. The absence of IOCs suggests the framework may be in active development or testing, or that Elastic has not yet observed widespread deployment.

Mitigations & Recommendations

Defenders should monitor for unexpected kernel module loading events, particularly from untrusted sources, using tools like lsmod and the kernel audit subsystem (auditd). Because VoidLink's eBPF component can hide from standard monitoring, organizations should deploy eBPF-aware detection tools that verify the integrity of loaded eBPF programs and compare them against known-good baselines. Elastic recommends implementing runtime kernel integrity monitoring that checks both LKM signatures and eBPF program hashes. Additionally, restricting the CAP_BPF and CAP_SYS_ADMIN capabilities to trusted processes only reduces the attack surface for eBPF-based rootkits.
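The baseline comparison recommended above, as an added example written for this page (not Elastic's tooling and not part of VoidLink): it parses a /proc/modules snapshot and `bpftool prog show --json` output, then flags modules missing from a known-good inventory or tainted out-of-tree/unsigned, and eBPF programs whose instruction tag is not in the baseline. The snapshot, the bpftool output, the module name and the tag values are constructed; since the analysis notes that the rootkit hides its state from user-space views, a clean result is one signal, not proof.

```python
import json
import re

# Constructed /proc/modules snapshot (fields: name size refcount deps state
# offset [taint]); "OE" = out-of-tree and unsigned, typical of a rootkit LKM.
SAMPLE_PROC_MODULES = """\
ext4 983040 2 - Live 0x0000000000000000
virtio_net 65536 0 - Live 0x0000000000000000
vl_core 16384 0 - Live 0x0000000000000000 (OE)
"""
# Constructed `bpftool prog show --json` output. "tag" is the kernel's hash of
# the program's instructions, so a tag absent from the baseline means new code.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530"},
    {"id": 57, "type": "kprobe", "name": "sys_enter_hook", "tag": "0a1b2c3d4e5f6071"},
    {"id": 58, "type": "tracepoint", "name": "tp_openat", "tag": "9f8e7d6c5b4a3921"},
])
# Known-good inventory recorded on a trusted host (constructed values).
BASELINE_MODULES = {"ext4", "virtio_net"}
BASELINE_BPF_TAGS = {"6deef7357e7b4530"}
TAINT_RE = re.compile(r"\(([A-Z]+)\)\s*$")


def parse_proc_modules(text):
    """Map module name -> taint flag string ('' when untainted)."""
    mods = {}
    for line in filter(None, text.splitlines()):
        m = TAINT_RE.search(line)
        mods[line.split()[0]] = m.group(1) if m else ""
    return mods


def suspicious_modules(text, baseline):
    """Modules missing from the baseline or tainted O (out-of-tree) / E (unsigned)."""
    return sorted(
        name for name, taint in parse_proc_modules(text).items()
        if name not in baseline or "O" in taint or "E" in taint
    )


def suspicious_bpf_programs(raw_json, baseline_tags):
    """Loaded eBPF programs with an unknown tag; kprobe/tracepoint types are listed
    first, since those are the hook points the analysis describes."""
    progs = [p for p in json.loads(raw_json) if p.get("tag") not in baseline_tags]
    progs.sort(key=lambda p: (p["type"] not in ("kprobe", "tracepoint"), p["id"]))
    return [(p["id"], p["type"], p["name"], p["tag"]) for p in progs]


if __name__ == "__main__":
    print("modules:", suspicious_modules(SAMPLE_PROC_MODULES, BASELINE_MODULES))
    print("bpf:", suspicious_bpf_programs(SAMPLE_BPFTOOL_JSON, BASELINE_BPF_TAGS))
```

On a live host, feed the script the contents of /proc/modules and the output of `bpftool prog show --json`, ideally collected from a trusted reader such as a forensic boot image rather than from the suspect system's own shell.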
