VoidLink Represents the Future of AI-Developed Malware: Check Point
Check Point researchers discovered an advanced malware named VoidLink that was rapidly developed by an individual using AI. The malware has a modular design and can evolve quickly. Through analysis, the researchers found that AI was used extensively during its development to generate documentation and test the framework. This shows that the era of AI-generated malware has arrived and is developing rapidly.

2026-1-20 20:48:6 Author: securityboulevard.com

Check Point researchers uncovered an advanced malware they say was largely created by one individual using AI, an early example of how the rapidly evolving technology will change how cyber threats are created.

The malware, dubbed “VoidLink,” was detected at an early development point and never was used in active attacks, but was designed and being built at an unusually fast pace, was sophisticated and modular to allow for quick evolution, and initially appeared to be the work of a larger and well-funded team of bad actors.

However, the researchers wrote in a report this week, “the sprint timeline did not align with our observations. We had directly witnessed the malware’s capabilities expanding far faster than the documentation implied.”

A deeper dive into the malware detected artifacts that indicated that an AI model was used to create and orchestrate VoidLink’s development plan and that the model probably was used to build, run, and test the framework.

“Because AI-produced documentation is typically thorough, many of these artifacts were timestamped and unusually revealing,” they wrote. “They show how, in less than a week, a single individual likely drove VoidLink from concept to a working, evolving reality.”

A Warning of What’s to Come

In an accompanying blog post, the researchers wrote that VoidLink is a much bigger deal than simply detecting a new malware.

“It signals a broader shift in the threat landscape,” they wrote. “The era of AI-generated malware development is no longer speculative. It is here, and it is evolving fast.”

Threat groups for the past three-plus years have rapidly adopted and used generative AI – and now AI agents – in their attacks. They’ve used it much like enterprises have, to automate simple tasks or – in their case – modify existing malware. Until now, most AI-written malware has been low-quality, tied to lesser skilled bad actors, or closely resembling open source tools, the Check Point researchers wrote.

However, VoidLink represents a significant leap forward. The malware was built on a mature, high-functionality, and efficient architecture and a flexible and dynamic operating model. It also included technologies like eBPF and LKM rootkits and modules for cloud enumeration and post-exploitation in container environments.

A Maturing of AI’s Use for Malware

“Its level of sophistication shows that when AI is in the hands of capable developers, it can materially amplify both the speed and the scale at which serious offensive capability can be produced,” they wrote. “While not a fully AI-orchestrated attack, VoidLink demonstrates that the long-awaited era of sophisticated AI-generated malware has likely begun. In the hands of individual experienced threat actors or malware developers, AI can build sophisticated, stealthy, and stable malware frameworks that resemble those created by sophisticated and experienced threat groups.”

Researchers from AI company Anthropic in November 2025 reported a similar situation. They wrote about a Chinese nation-state actor using the vendor’s Claude Code agentic AI-powered developer tool to run an espionage campaign in which AI was used to automate 80% to 90% of the work, with human intervention needed in only a handful of decision points.

The Anthropic researchers also sounded a similar warning, writing that “the barriers to performing sophisticated cyberattacks have dropped substantially – and we predict that they’ll continue to do so.”

A Look at VoidLink

Check Point’s researchers wrote that development of VoidLink began in late November 2025 when the developer chose TRAE SOLO, an AI assistant in TRAE, an AI-based integrated development environment (IDE) that automatically produces helper files that seem to have been copied along with the source code to the bad actor’s server.

It appeared that the malware developer expected a 30-week engineering initiative to build VoidLink, but a test artifact was timestamped December 4, a week after the start of the project, and by then the malware had grown to more than 88,000 lines of code. A compiled version had already been submitted to VirusTotal when Check Point researchers picked it up and began analyzing it.

The hacker adopted the spec-driven development (SDD) approach to generate a structured, multi-team development plan, complete with sprint schedules, specs, and deliverables, but then remade it into an execution blueprint the model probably followed to implement, iterate, and test the malware, they wrote.

Unusual Visibility into Malware Development

The researchers added that mistakes by the developer exposed development artifacts, which they used to determine that VoidLink was produced mostly via AI.

“Our investigation into VoidLink leaves many open questions, one of them deeply unsettling,” they wrote. “We only uncovered its true development story because we had a rare glimpse into the developer’s environment, a visibility we almost never get. Which begs the question: how many other sophisticated malware frameworks out there were built using AI, but left no artifacts to tell?”


Article source: https://securityboulevard.com/2026/01/voidlink-represents-the-future-of-ai-developed-malware-check-point/