4 min read
Saved February 14, 2026
Do you care about this?
VoidLink is a Linux command-and-control implant that targets multiple cloud environments for credential theft and data exfiltration. It shows signs of being generated by an AI coding agent, with unusual documentation and logging patterns. This raises concerns about the accessibility and sophistication of malware development.
If you do, here's more
VoidLink is a Linux command and control (C2) framework that generates implant binaries designed for deployment in cloud and enterprise environments. The implant, referred to as "the agent component," focuses on long-term access, credential theft, and data exfiltration. Indicators suggest it was created using a large language model (LLM), evident in its structured phase labels and verbose debug logging. Despite its origins, VoidLink operates effectively, targeting multiple cloud providers, including AWS, GCP, Azure, Alibaba, and Tencent. It retrieves credentials from environment variables, configuration directories, and instance metadata APIs, and it can even escape container environments and escalate privileges within Kubernetes clusters.
The implant's architecture is modular, allowing each component to function as an independent plugin. This design enables VoidLink to adapt its capabilities to the target environment. During its operations, the malware gathers extensive information about the host system, including cloud metadata and security posture, which informs its evasion strategies. It employs a kernel-level rootkit that adjusts its stealth techniques to the detected kernel version, using eBPF on modern kernels and loadable kernel modules on older ones.
VoidLink encrypts its command and control communications with AES-256-GCM and carries them over HTTPS, so the traffic blends in with ordinary web traffic. The analysis revealed a hard-coded C2 IP address and a command interface that lets operators selectively conceal processes and ports from forensic tools. Furthermore, the structured documentation and excessive logging left in the binary suggest an absence of the operational discipline typical of professional malware development, raising concerns about how accessible sophisticated malware creation has become through AI-generated code. This trend indicates a shift in the malware development landscape, where even those with minimal technical skills can deploy functional and stealthy implants.
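As an added example (not code from the article or from VoidLink), here is a defender-side cross-view check for the kind of process hiding described above: it compares the PIDs a directory listing of /proc returns with the PIDs reachable by direct lookup. It assumes a Linux host with procfs mounted at /proc; a rootkit that also hooks the direct-lookup path (possible with eBPF or an LKM) will evade this check, so treat a clean result as one signal rather than proof of absence.

```python
"""Cross-view PID check for Linux (added example, not VoidLink code).
Compare the PIDs a directory listing of /proc exposes with the PIDs that
can be reached by opening /proc/<pid>/status directly. A rootkit that
hides a process by filtering directory listings leaves the direct path
intact, so the difference between the two views is the set of hidden PIDs."""
import os
from typing import Callable, Set

PROC = "/proc"

def listed_pids(proc: str = PROC) -> Set[int]:
    """PIDs as ps sees them: numeric entries returned by readdir()."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe_pid(pid: int, proc: str = PROC) -> bool:
    """True if /proc/<pid> exists when addressed directly, bypassing readdir()."""
    try:
        with open(f"{proc}/{pid}/status", "rb") as fh:
            fh.read(1)
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # the entry exists even if this user may not read it

def max_pid(proc: str = PROC) -> int:
    """Upper bound of the PID space, from the pid_max sysctl."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768  # fallback if the sysctl is unavailable

def find_hidden_pids(listed: Set[int], probe: Callable[[int], bool], upper: int) -> Set[int]:
    """PIDs reachable by direct lookup but absent from the listing."""
    return {pid for pid in range(1, upper + 1) if pid not in listed and probe(pid)}

def scan(passes: int = 2) -> Set[int]:
    """Repeat the check and keep only PIDs flagged every time, so transient
    processes that appeared or exited between the two views are not reported."""
    upper = max_pid()
    hidden = find_hidden_pids(listed_pids(), probe_pid, upper)
    for _ in range(passes - 1):
        hidden &= find_hidden_pids(listed_pids(), probe_pid, upper)
    return hidden

if __name__ == "__main__":
    flagged = scan()
    print("hidden PIDs:", sorted(flagged) if flagged else "none")
```

On hosts where pid_max is raised to several million the probe loop takes a while; lower the upper bound passed to find_hidden_pids if you only need a quick check of the low PID range.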