VoidLink: The Malware That Knows You're Running Kubernetes
- Patrick Duggan
- Jan 13
- 3 min read
Tuesday Morning, Fresh Malware
Check Point dropped research this morning on VoidLink, a previously undocumented Linux malware framework built specifically for cloud and container environments.
This isn't your grandfather's rootkit. VoidLink knows whether you're running Docker or Kubernetes. It detects AWS, GCP, Azure, Alibaba, and Tencent. It profiles your EDR and adjusts its behavior accordingly.
It's cloud-native malware for a cloud-native world.
What Makes VoidLink Different
Most Linux malware is ported from somewhere else - Windows techniques adapted for *nix, or old-school rootkits updated for modern kernels. VoidLink was built from scratch for the cloud.
Language: Zig (not Go, not Rust - Zig)
Architecture: Two-stage loader with modular plugin system
Plugins available: 37 (and growing)
Reconnaissance
Cloud
Credentials
Persistence
Anti-forensics
Container escape
Privilege escalation
When VoidLink lands on a box, it immediately surveys the environment:
What cloud provider am I running on?
Am I in a container? Docker or Kubernetes?
What hypervisor?
What security products are present?
What's my risk score for various actions?
Then it adapts.
The Rootkit Menu
VoidLink doesn't ship with one rootkit - it ships with a decision tree:
| Kernel Version | Rootkit Type |
|---|---|
| < 4.0 | LD_PRELOAD hooking |
| 4.0 - 5.5 | LKM (loadable kernel module) |
| 5.5+ | eBPF-based rootkit |
eBPF rootkits are the new hotness. They hook into the kernel's extended Berkeley Packet Filter subsystem - which grew out of packet filtering and network monitoring - to intercept syscalls, hide processes, and evade detection. Modern, stealthy, hard to spot.
Cloud Provider Detection
VoidLink enumerates the metadata services for each major cloud provider:
AWS: 169.254.169.254/latest/meta-data/
GCP: metadata.google.internal/computeMetadata/v1/
Azure: 169.254.169.254/metadata/instance
Alibaba: 100.100.100.200/latest/meta-data/
Tencent: metadata.tencentyun.com/latest/meta-data/
Once it knows where it is, it can pull instance credentials, enumerate IAM roles, and pivot through the cloud environment.
Container Awareness
The plugin list tells the story:
docker_escape_v3.o - Container breakout techniques
k8s_privesc_v3.o.b - Kubernetes privilege escalation
ssh_harvester_stealth_v3.o - SSH key collection
VoidLink knows the difference between a standalone Docker container and a Kubernetes pod. It adjusts its persistence mechanisms accordingly. In K8s environments, it can attempt to access the API server, enumerate secrets, and move laterally through the cluster.
The Receipts
Stage 0 Loader: `70aa5b3516d331e9d1876f3b8994fc8c18e2b1b9f15096e6c790de8cdadb3fc9`
Stage 1 Loader: `13025f83ee515b299632d267f94b37c71115b22447a0425ac7baed4bf60b95cd`
VoidLink Implants:
`05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69`
`15cb93d38b0a4bd931434a501d8308739326ce482da5158eb657b0af0fa7ba49`
`6850788b9c76042e0e29a318f65fceb574083ed3ec39a34bc64a1292f4586b41`
`6dcfe9f66d3aef1efd7007c588a59f69e5cd61b7a8eca1fb89a84b8ccef13a2b`
`28c4a4df27f7ce8ced69476cc7923cf56625928a7b4530bc7b484eec67fe3943`
`e990a39e479e0750d2320735444b6c86cc26822d86a40d37d6e163d0fe058896`
`4c4201cc1278da615bacf48deef461bf26c343f8cbb2d8596788b41829a39f3f`
All of these are now in our threat intelligence index.
C2 Protocols
VoidLink's "VoidStream" protocol supports multiple transport options:
HTTP/1.1
HTTP/2
WebSocket
DNS tunneling
ICMP
It can switch protocols based on what's allowed through the network. Blocked HTTP? Switch to DNS. DNS filtered? Try ICMP. The framework is designed for environments where egress is restricted.
Attribution
Check Point assesses VoidLink as China-affiliated, though exact attribution remains unclear.
The tooling quality, cloud-first design, and target profile (cloud infrastructure) align with known Chinese APT interests. But it could also be a commercial tool - a pentest framework that "fell off a truck."
No real-world infections have been confirmed yet. This may be pre-deployment reconnaissance by Check Point, catching the framework before widespread use.
Detection
Hunt for:
Metadata service enumeration - Unusual queries to 169.254.169.254 or cloud metadata endpoints
eBPF program loading - Monitor bpf() syscalls, especially from non-standard processes
Plugin downloads - Watch for .o file downloads (compiled object files)
Container escape indicators - Sensitive mount access, privilege escalation attempts
Log wiping - log_wiper_v3.o targets standard Linux logs
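As an added example (not from the Check Point report or the author), here is a small hunting script that applies the five indicators above, plus the metadata endpoints from the Cloud Provider Detection section, to audit-style telemetry. The log format, field names, process names such as `.vl_stage1`, the `example.invalid` URLs and the allow-lists are all constructed for this example; the only non-constructed values are the metadata hosts named in the post and the x86_64 syscall number for bpf() (321). Map the parser onto whatever your auditd, EDR or eBPF sensor actually emits.

```python
"""Hunt over audit-style log lines for the VoidLink indicators listed in the post.

Everything below the metadata host list is constructed for this example:
the key=value log format, the process/binary allow-lists and the sample lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Cloud metadata endpoints enumerated by VoidLink (from the post).
METADATA_HOSTS = {
    "169.254.169.254",           # AWS and Azure
    "100.100.100.200",           # Alibaba
    "metadata.google.internal",  # GCP
    "metadata.tencentyun.com",   # Tencent
}
# Assumed allow-lists: tune these to the agents actually deployed on your fleet.
METADATA_ALLOW = {"cloud-init", "amazon-ssm-agent", "google_guest_agent", "waagent"}
BPF_ALLOW = {"/usr/sbin/bpftool", "/usr/bin/bpftrace", "/usr/sbin/tc", "/usr/lib/systemd/systemd"}
LOG_WRITER_ALLOW = {"rsyslogd", "logrotate", "systemd-journald"}
BPF_SYSCALL_X86_64 = 321  # bpf(2) on x86_64; other architectures use different numbers
# Plugin names on the page end in .o or .o.b, so match both.
OBJECT_SUFFIX = re.compile(r"\.o(\.b)?$", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> dict:
    """Turn 'k=v k2="v 2"' into a dict (constructed audit-like format)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def hunt(lines) -> list:
    """Return one Finding per line that matches a VoidLink hunting rule."""
    findings = []
    for line in lines:
        ev = parse(line)
        pid = int(ev.get("pid", -1))
        kind = ev.get("type")
        # 1. Metadata service enumeration from a process that is not a known cloud agent.
        if kind == "net" and ev.get("dst") in METADATA_HOSTS and ev.get("comm") not in METADATA_ALLOW:
            findings.append(Finding("metadata_enum", pid, f"{ev['comm']} -> {ev['dst']}{ev.get('path', '')}"))
        # 2. bpf() syscall from a binary that is not expected to load eBPF programs.
        elif kind == "syscall" and int(ev.get("syscall", -1)) == BPF_SYSCALL_X86_64 and ev.get("exe") not in BPF_ALLOW:
            findings.append(Finding("bpf_load", pid, f"bpf() from {ev.get('exe')}"))
        # 3. Download of a compiled object file (plugin delivery).
        elif kind == "http" and OBJECT_SUFFIX.search(ev.get("url", "")):
            findings.append(Finding("object_download", pid, ev["url"]))
        # 4. Truncation or deletion under /var/log by something other than the logging stack.
        elif (kind == "file" and ev.get("path", "").startswith("/var/log/")
              and ev.get("op") in {"truncate", "unlink"} and ev.get("comm") not in LOG_WRITER_ALLOW):
            findings.append(Finding("log_wipe", pid, f"{ev['comm']} {ev['op']} {ev['path']}"))
    return findings

def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'metadata_enum': 2, 'bpf_load': 1}."""
    return dict(Counter(f.rule for f in findings))

# Constructed sample telemetry: a benign baseline interleaved with suspicious events.
SAMPLE_LOG = [
    "type=net pid=4021 comm=cloud-init dst=169.254.169.254 path=/latest/meta-data/instance-id",
    "type=net pid=5177 comm=.vl_stage1 dst=169.254.169.254 path=/latest/meta-data/iam/security-credentials/",
    "type=net pid=5177 comm=.vl_stage1 dst=metadata.google.internal path=/computeMetadata/v1/",
    "type=syscall pid=5180 syscall=321 comm=.vl_stage1 exe=/tmp/.vl_stage1",
    "type=syscall pid=812 syscall=321 comm=bpftool exe=/usr/sbin/bpftool",
    "type=http pid=5180 url=https://example.invalid/plugins/docker_escape_v3.o",
    "type=http pid=5180 url=https://example.invalid/plugins/k8s_privesc_v3.o.b",
    "type=file pid=5190 comm=.vl_stage1 op=truncate path=/var/log/auth.log",
    "type=file pid=900 comm=logrotate op=truncate path=/var/log/syslog",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print(summarize(hunt(SAMPLE_LOG)))
```

The allow-lists are what make these rules usable: the metadata service and bpf() are both touched constantly by legitimate cloud agents and tooling, so the signal is "who is doing it", not "is it happening". Build the baseline from your own fleet before alerting on the remainder.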
YARA rules: Check Point's report includes detection signatures.
What This Means
The cloud security industry has been warning about cloud-native threats for years. VoidLink is what that threat looks like in practice:
Built for containers and orchestrators
Cloud provider-aware
EDR-evasive by design
Modular and extensible
If your threat model still assumes attackers will land on a VM and try to run mimikatz, you're fighting the last war.
VoidLink is malware that speaks cloud.
The author runs DugganUSA's threat intelligence platform, which tracks 346 known adversary groups and has reported 102,171 malicious IPs to AbuseIPDB. He prefers his containers without rootkits.