VoidLink Linux malware was built using AI agents, researchers reveal

VoidLink, a recently discovered Linux malware that targets Linux-based cloud servers, was likely generated almost entirely by AI, researchers say.

First detailed last week by Check Point cybersecurity analysts, the new malware consists of more than 30 modular plugins designed to maintain long-term access to Linux systems.

Initially, VoidLink’s sophistication, modularity, and rapid development led to the belief that the malware was the work of a well-resourced and experienced cybercrime operation.

However, upon further analysis, Check Point Research concluded that VoidLink was primarily constructed by AI, and likely under the direction of a single individual. AI and AI agents were used not only to write the code, but also to plan, structure, and execute the entire project.

“VoidLink signals that the long-awaited era of advanced AI-generated malware may have begun,” Check Point said in a blog post.

“In the hands of experienced individual threat actors and malware developers, AI can build sophisticated, stealthy, and stable malware frameworks similar to those created by sophisticated, experienced threat groups.”

Critical to alerting researchers to the involvement of AI in building VoidLink was a development plan that accompanied the project and was accidentally left public by the developer.

This included planning documents for sprints, design ideas, and timelines representing 30 weeks of development.

However, the researchers note that VoidLink’s observed evolution shows clear signs that the development plan was generated and coordinated by an AI model, suggesting the work was driven in a much shorter period of time, just four weeks.

“Many of these artifacts are time-stamped and unusually revealing, as documentation produced by AI is typically thorough. They demonstrate how perhaps a single individual propelled VoidLink from concept to practical evolving reality in less than a week,” Check Point said.

We also observed that the developer’s initial prompts for the AI agent were not based on building VoidLink directly, but rather on generating what would become malware based on an initial skeletal design. Researchers suggest this may have been because the developers were testing the guardrails of the AI tool.

Developers also used regular checkpoints to check in the AI-generated code to ensure that the model was developing as instructed and that the code was working.

The result is malware that the researchers who first detailed VoidLink described as “sophisticated, modern, and feature-rich.”

The malware was found to have been created with significant AI involvement, leading researchers to suggest that it marks a turning point in malware development and in defense against cyber threats.

“The security community has long predicted that AI will become a force multiplier for malicious attackers. However, to date, the clearest evidence of AI activity has primarily surfaced in less sophisticated operations associated with inexperienced attackers, without significantly increasing risk beyond routine attacks,” Check Point said.

“VoidLink changes that baseline. Its level of sophistication shows that in the hands of capable developers, AI can substantially amplify both the speed and scale at which serious attack capabilities can be produced,” the blog post concludes.


