Highly extensible and customizable
VoidLink draws inspiration from the beacon implant of Cobalt Strike, an adversary simulation framework that has been widely adopted and misused by attackers over the years. The malware uses an API to communicate with additional plug-ins that add a diverse set of capabilities.
By default, the platform comes with 37 plug-ins that can be selected and delivered to the victim to enable additional capabilities. However, the operator can also deliver custom plug-ins. This is controlled through a professional-looking web-based command-and-control (C2) dashboard.
“This interface is localized for Chinese-affiliated operators, but the navigation follows a familiar C2 layout: a left sidebar groups pages into Dashboard, Attack, and Infrastructure,” the researchers said. “The Dashboard section covers the core operator loop (agent manager, built-in terminal, and an implant builder). In contrast, the Attack section organizes post-exploitation activity such as reconnaissance, credential access, persistence, lateral movement, process injection, stealth, and evidence wiping.”
