
Cybersecurity Shenanigans #020: AI-enabled malware, EDR "off switches," and fake interviews strike again (((happy 2026)))

Read this month's cybersecurity scoop.

👋 Hey friend,

I hope your new year is off to a great start! One of my resolutions for this year is to intentionally carve out time for things that matter — including rest. 😅 I hope you have the downtime you need in 2026, too.

Of course, the bad guys and gals don’t know what that type of “downtime” is, so we’ve got some cybersec headlines and new video content in this edition of Cybersecurity Shenanigans. Oh, and we’ve (well, you’ve) got jokes — keep scrolling for a few laughs.

As always, thanks for being here! 🙏🏻

— JH

News & Commentary

VoidLink shows how fast AI can crank out Linux malware 🤖

Check Point Research says a newly found Linux malware framework called VoidLink looks like it was built by a single dev using AI — and it now has around 88,000 lines of code. 🤯 Apparently, this is fast-moving malware: Its first working implant was developed in under a week, most likely thanks to the scalability that AI provides.

Written in Zig, VoidLink is aimed at persistent, stealthy access in Linux cloud environments: the exact place defenders don’t want a durable foothold living rent-free. The reporting hints at a Chinese-affiliated dev environment, though VoidLink’s end goal is still unknown, since it hasn’t been spotted out in the wild just yet.

Additional analysis from Sysdig claims this malware toolkit likely has LLM fingerprints (scarily consistent debug logging, templatey JSON responses, super uniform versioning, placeholder content). The dev writes detailed plans and coding rules before using an agent to deploy and test. In short, AI is a tireless junior dev who’s working hard without complaint for a promotion. 😅

The bigger takeaway is kinda grim: AI doesn’t need to invent brand-new hacker magic to matter; it just has to make building complex malware faster, cheaper, and easier to tweak.

The part that makes me uneasy isn’t that “AI wrote malware” — that’s hardly new. It’s that the workflow is getting productized. Plan, task, generate, test, iterate, over and over. If one skilled person can spin up an 88k-line framework in weeks (or days), it makes it that much harder for defenders to keep up.

Also, even without confirmed infections, this is worth paying attention to because it’s aimed at Linux cloud environments, where a quiet implant can do a lot of damage while going unnoticed. The defensive lesson is still the same boring one: watch for weird persistence, unexpected binaries, strange network beacons — but now assume the attacker can iterate quicker than ever. The “time to polish” for malware is shrinking.
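One way to act on the “strange network beacons” part of that lesson is to look for outbound connections whose timing is too regular to be a human. The script below is an added example, not code from the newsletter, Check Point, or Sysdig: it assumes connection logs already reduced to (timestamp, source host, destination, port) tuples, and the sample records, hostnames, and IPs (documentation ranges) are constructed.

```python
"""Flag periodic outbound connections (candidate C2 beacons) in flow records.

Added example, not code from the newsletter, Check Point or Sysdig. It
assumes connection logs already reduced to (timestamp, src, dst, dst_port)
tuples; the records below are constructed, and the IPs are documentation
ranges, not real infrastructure.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 'web-01' contacts one destination about every 60 s
# with a little jitter (the beacon), plus irregular traffic to other hosts.
SAMPLE_CONNECTIONS = [
    (0, "web-01", "198.51.100.23", 443),
    (61, "web-01", "198.51.100.23", 443),
    (119, "web-01", "198.51.100.23", 443),
    (181, "web-01", "198.51.100.23", 443),
    (240, "web-01", "198.51.100.23", 443),
    (299, "web-01", "198.51.100.23", 443),
    (360, "web-01", "198.51.100.23", 443),
    (421, "web-01", "198.51.100.23", 443),
    (5, "web-01", "203.0.113.5", 443),
    (7, "web-01", "203.0.113.5", 443),
    (130, "web-01", "203.0.113.5", 443),
    (135, "web-01", "203.0.113.5", 443),
    (140, "web-01", "203.0.113.5", 443),
    (900, "web-01", "203.0.113.5", 443),
    (50, "web-01", "203.0.113.9", 80),
    (110, "web-01", "203.0.113.9", 80),
]


def group_by_flow(records):
    """Bucket connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (mean_interval, coefficient_of_variation) for a flow, or None
    if there are too few connections to judge regularity."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mu = mean(intervals)
    if mu <= 0:
        return None
    # A low coefficient of variation means the gaps are nearly constant.
    return mu, pstdev(intervals) / mu


def find_beacons(records, max_cv=0.2, min_events=5):
    """Flows whose inter-connection interval is nearly constant (CV <= max_cv)."""
    hits = []
    for flow, stamps in group_by_flow(records).items():
        score = beacon_score(stamps, min_events)
        if score is not None and score[1] <= max_cv:
            hits.append((flow, round(score[0], 1), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, port), interval, cv in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{port} every ~{interval}s (cv={cv})")
```

A low CV on its own is a lead, not a verdict: NTP, telemetry, and update checkers beacon just as regularly, so allowlist known destinations and weigh hits by how rare the destination is across the fleet. Real implants also add deliberate jitter, so treat max_cv as a tuning knob rather than a hard line.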

Hackers abuse signed RogueKiller driver to kill EDR, then mass-deploy ransomware 🛡️

There’s a pretty awful ransomware enabler making its rounds that involves the abuse of a normal, legitimate kernel driver.

Hackers are using the truesight.sys driver to quietly turn off EDR software — ironic because the kernel driver comes from Adlice Software’s RogueKiller antivirus. Then, attackers drop the payload, often ransomware or remote access malware. The twist here is these attackers are doing this with some 2,500+ validly signed variants, meaning the usual “huh, this file looks sketchy” checks don’t fire off for many unsuspecting victims.

The trick? Hackers are leaning on legacy driver signing rules to load older signed drivers on OSes as new as Windows 11. Once TrueSight loads, it’s running in the kernel, so it can stop EDR/AV processes from the same permission level the OS trusts, quieting any alarm bells. In other words, telemetry stops, alerts don’t fire, and the payload runs quietly until the damage is done.

And because this is spreading among various hacker groups, new variants are popping up, and now, around 200 security products can be disabled.

The infection chain is the part that’s depressingly normal: phishing, fake downloads, shady Telegram channels — before a downloader pulls more stages, sets up persistence, and runs an obfuscated “EDR killer” module to load the driver as a service and start knocking down defenses.

A reminder for those of us protecting endpoints: Treat vulnerable signed drivers like malware. Driver blocklists, Microsoft vulnerable driver protections, WDAC/code integrity controls, and monitoring for new kernel driver loads or weird service installs can be the difference between “we caught this early” and “why are all our files locked now?”
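That “monitoring for new kernel driver loads or weird service installs” can be turned into a small triage rule set. The script below is an added example, not code from the newsletter, Adlice Software, or Microsoft: it assumes Windows System log Event ID 7045 (new service installed) and Sysmon Event ID 6 (driver loaded) records already parsed into dicts, the sample events, hostnames, signer strings, and hash are constructed, and the blocklist holds only the driver named above plus a placeholder hash.

```python
"""Triage Windows driver-install and driver-load events against a
vulnerable-driver blocklist.

Added example, not code from the newsletter, Adlice Software or Microsoft.
Events are constructed and reduced to dicts: Windows System log Event ID
7045 (new service installed) and Sysmon Event ID 6 (driver loaded). The
blocklist holds the driver named in the article plus a placeholder hash;
a real deployment would feed it from Microsoft's vulnerable driver
blocklist or an equivalent source.
"""
import ntpath

# Driver file names and SHA-256 hashes to treat as hostile even when
# validly signed. The hash below is a constructed placeholder, not an IoC.
BLOCKLISTED_NAMES = {"truesight.sys"}
BLOCKLISTED_SHA256 = {"0" * 64}

# Where legitimately installed kernel drivers normally live (normalised form).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

BLOCKLISTED_INSTALL = "blocklisted driver installed as a kernel service"
BLOCKLISTED_LOAD = "blocklisted driver loaded into the kernel"
UNUSUAL_PATH_INSTALL = "kernel driver service registered from an unusual path"
UNUSUAL_PATH_LOAD = "kernel driver loaded from an unusual path"


def normalize(path):
    """Lower-case a Windows path and drop the \\??\\ prefix that service
    ImagePath values often carry, so directory checks compare like with like."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return ntpath.normcase(p)


def in_expected_dir(path):
    return path.startswith(EXPECTED_DRIVER_DIRS)


def triage(events):
    """Return (host, reason, subject, path) findings for suspicious events."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045:
            # Only kernel-mode driver services matter here; user-mode
            # service installs belong to a different detection.
            if "kernel" not in ev["service_type"].lower():
                continue
            path = normalize(ev["image_path"])
            if ntpath.basename(path) in BLOCKLISTED_NAMES:
                findings.append((ev["host"], BLOCKLISTED_INSTALL, ev["service_name"], path))
            elif not in_expected_dir(path):
                findings.append((ev["host"], UNUSUAL_PATH_INSTALL, ev["service_name"], path))
        elif ev["event_id"] == 6:
            path = normalize(ev["image_loaded"])
            known_bad = (ntpath.basename(path) in BLOCKLISTED_NAMES
                         or ev.get("sha256", "").lower() in BLOCKLISTED_SHA256)
            # The signature is recorded for the analyst but never used to clear
            # the event: the whole point of the abuse is a validly signed driver.
            subject = "%s (signature %s)" % (ev.get("signature", "?"),
                                             ev.get("signature_status", "?"))
            if known_bad:
                findings.append((ev["host"], BLOCKLISTED_LOAD, subject, path))
            elif not in_expected_dir(path):
                findings.append((ev["host"], UNUSUAL_PATH_LOAD, subject, path))
    return findings


# Constructed sample events (hostnames, paths, signer strings and hashes are made up).
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws-114", "service_name": "TrueSight",
     "service_type": "kernel mode driver",
     "image_path": "\\??\\C:\\ProgramData\\drv\\truesight.sys"},
    # Same driver renamed: caught by hash rather than by name.
    {"event_id": 6, "host": "ws-114", "image_loaded": "C:\\ProgramData\\drv\\ts.sys",
     "signed": "true", "signature": "Example Vendor", "signature_status": "Valid",
     "sha256": "0" * 64},
    {"event_id": 6, "host": "ws-114", "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "signed": "true", "signature": "Microsoft Windows", "signature_status": "Valid",
     "sha256": "1" * 64},
    {"event_id": 7045, "host": "ws-207", "service_name": "updsvc",
     "service_type": "kernel mode driver",
     "image_path": "C:\\Users\\Public\\upd.sys"},
    {"event_id": 7045, "host": "ws-207", "service_name": "VendorAgent",
     "service_type": "user mode service",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for host, reason, subject, path in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}: {subject} -> {path}")
```

Name and hash matching only catch samples already on the list, and with thousands of validly signed variants in circulation that list will always lag; the unusual-path rule is what catches the next variant, at the cost of some tuning for vendors that legitimately drop drivers outside the usual directories.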

Fake interviews lead to real backdoors with PurpleBravo campaign 🚪

Recorded Future reports that a North Korea-linked cluster it tracks as PurpleBravo went after more than 3,000 IP addresses in one year using a tactic that’s embarrassingly simple: fake job interviews that ask candidates to run “coding assessments” that are actually malicious.

Nothing groundbreaking or game-changing here. Just preying on innocent job seekers. 🙃

The target IP addresses are linked to around 20 potential victim organizations across a bunch of different industries, from AI and crypto to IT services and marketing. They’re scattered about the globe, including in Europe, South Asia, the Middle East, and Central America.

Here’s the kicker: It’s suspected that these job candidates might have completed these bogus assessments on company-issued devices (reminder: don’t do that), which makes the reach of the campaign extend far beyond the candidate. And because the candidates were devs, it’s easy to see a supply-chain-attack angle. If you reach the vendors, you can reach their customers.

If you’re reading this thinking, “Psh, I’d never fall for that,” well, maybe, but these hopeful candidates probably thought that, too. These things usually don’t feel sketchy. It just feels like the usual hiring grind: Here’s a repo, do the task, hit the deadline. Maybe even the “recruiter” seems nice. The normalcy is exactly what makes it work.

The takeaway is honestly pretty boring, but it’s often the boring stuff that saves us from ourselves: keep it separated. If you’ve got to run interview “homework,” do it in a throwaway VM or container, not on the work laptop that’s logged into Slack and holds GitHub tokens, cloud creds, and access to internal repos. And if you’re on the hiring side, you can help by encouraging these guidelines or even providing candidates with a safe sandbox to complete their assignments in.

Sponsor

Five shifts that will shape your security team in 2026

99% of SOCs are using AI. So why are security teams still drowning in manual work? What separates teams that actually benefit from AI from those just adding complexity?

On January 28th, join this Tines and Stratascale webinar to be among the first to get statistics and insights from a survey of over 1,800 security professionals and learn:

  • Top AI use cases driving results

  • The new skills that will define security roles in 2026

  • How intelligent workflows turn automation into real impact

  • What good AI governance looks like

  • How to turn board-level attention into long-term strategic influence

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-020.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// A single file, ntuser.mman, can silently hijack a Windows user’s registry, overriding settings, enabling persistence, and bypassing traditional detection. 😹 Let’s dive into this wild technique and its red-team potential.

// In this video, I tackle CTFs from The Future Is... graphic novel — analyzing phishing emails, reverse engineering macros, tricking AI models, and carving secrets from network traffic.

// So malware is invisible now. 🫠 This video unpacks how Glassworm malware works, how it spreads, and why it’s such a dangerous supply chain threat.

Just Hacking Training 🤓
January Announcements

Jan Course Launch: ConDef 2026

Catch a replay of my livestream with Anton Ovrutsky where we launched ConDef 2026, now with AI Teaching Assistant to complement its 100+ videos, step-by-step instructions, massive cyber range, and so much more. As I’ve been known to say, “Constructing Defense is a flagship way to start a cybersecurity career.”

20% Launch Discount = Only $400! Expires Midnight ET on Jan 31.

Psst! Catch all of my past and upcoming JHT livestreams on this new fancy page.

WMD – Temporary Price Reduction!

Add Windows Malware Development (WMD) to your ethical hacking arsenal! TL;DR:

  • WMD 1 is now a NameYourPrice course with a minimum price of only $40!

  • The 3-course WMD Intro Path Bundle is 46% Off!

  • Limited time! Expires Midnight ET on Jan 31 before WMD 6 is released (ETA Feb 1).

Additional January Releases

Save Big with Bundles!

Forget the Noise. Get to Just Hacking!

Social

Gather ‘round: It’s joke time :)

It’s been a while since I’ve shared some of the h i l a r i t y that’s made its way into my inbox.

Each time someone subscribes to this newsletter, I ask them to reply and hit me with their best joke (both to appease the eMaIL oVeRlOrDs and because laughter is key to not losing your mind in this field 😅). Here are a few of the jokes the team and I have been laughing at. :)

What do Staples and Office Depot produce?

Pen testers.

Vazrik

Why don’t hackers ever get invited to parties?

Because they always drop tables.

Benjamin

What’s a hacker’s favorite season?

Phishing season.

Evans

I’d tell you a great ransomware joke



but you’ll have to pay me first!

Johnny

Got a good one? Reply to this email and share it with me! It just might be featured in an upcoming newsletter. :)

Got feedback?

It’s our 20th issue of Cybersecurity Shenanigans! 🎉 Are you loving this thing? Can it be improved? Either way, I want to know.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!