Extremely extensible and customizable
VoidLink draws inspiration from the Beacon implant of Cobalt Strike, an adversary simulation framework that has been widely adopted, and widely abused by attackers, over the years. The malware exposes an API through which additional plug-ins communicate with the implant, each adding its own set of capabilities.
By default, the platform ships with 37 plug-ins that the operator can select and deliver to the victim to enable additional capabilities. The operator can also deliver custom plug-ins. All of this is managed through a professional-looking web-based command-and-control (C2) dashboard.
“This interface is localized for Chinese-affiliated operators, but the navigation follows a familiar C2 layout: a left sidebar groups pages into Dashboard, Attack, and Infrastructure,” the researchers said. “The Dashboard section covers the core operator loop (agent manager, built-in terminal, and an implant builder). In contrast, the Attack section organizes post-exploitation activity such as reconnaissance, credential access, persistence, lateral movement, process injection, stealth, and evidence wiping.”