UAT-9921 Expands VoidLink Attacks Across Enterprise Sectors
Key Findings
- Cisco Talos has discovered a new threat actor, UAT-9921, using a modular attack framework called VoidLink to target organizations in the technology and financial services sectors.
- VoidLink is a Linux-focused, highly capable attack framework that can compile and deploy plugins on-demand, potentially enabling AI-driven tool creation in the future.
- UAT-9921 is believed to have been active since at least 2019, even before the use of VoidLink, and has been observed installing the framework on compromised servers to establish command-and-control, hide activity, and scan networks.
- The group likely has Chinese-language knowledge, and VoidLink's development appears to be supported by AI-enabled coding tools, though the operations do not rely on AI.
- VoidLink stands out as a "defense contractor-grade" framework with features like built-in auditing, role-based access control, and a mesh peer-to-peer design to bypass network limits.
- The malware is focused on Linux but may also have Windows support, and it implements advanced capabilities such as eBPF/LKM rootkits, container escape, privilege escalation, cloud awareness, and EDR evasion.
Background
Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging a new modular attack framework called VoidLink in its campaigns. The group targets organizations in the technology and financial services sectors, and Talos assesses that their activities may go as far back as 2019, even before the use of VoidLink.
VoidLink: A Modular and Powerful Attack Framework
VoidLink is a new Linux-focused attack framework first spotted by Check Point and used by UAT-9921. The framework is designed to be modular, with a compile-on-demand feature that allows the actor to create and deploy plugins on-demand for different Linux targets.
Talos researchers believe that the development of VoidLink is supported by AI-enabled coding tools, although the actual operations do not rely on AI. The framework combines Zig for implants, C for plugins, and Go for the backend, and its flexible design suggests that the actor can adapt its tools and techniques to different victims and campaign needs.
Threat Actor Tactics and Capabilities
UAT-9921 gains access to target networks using stolen credentials or by exploiting Java serialization flaws, such as those found in Apache Dubbo. Once the group has a foothold, it installs VoidLink on compromised servers to establish command-and-control, hide its activity, and conduct internal and external network scanning.
Talos assesses that the threat actor likely has Chinese-language knowledge, and the VoidLink framework is a recent addition to their toolset. The group has been observed deploying a SOCKS proxy on compromised servers to launch scans and facilitate lateral movement.
Potential Evolution and Implications
VoidLink stands out as a "defense contractor-grade" framework, with features like built-in auditing, role-based access control, and a mesh peer-to-peer design that allows implants to relay traffic for one another, bypassing network limits.
Talos researchers warn that the framework's compile-on-demand capability and the potential for AI-driven tool creation could enable the actor to speed up lateral movement, generate unique attack tools, and make detection significantly more difficult. They also note that the existence of a possible Windows-based implant suggests that the framework may have broader cross-platform capabilities.
Overall, VoidLink marks a significant step forward in the evolution of single-file attack frameworks, and Talos believes that it has the potential to become an even more powerful and flexible platform as it continues to develop.
Sources
https://securityaffairs.com/187969/ai/new-threat-actor-uat-9921-deploys-voidlink-against-enterprise-sectors.html
https://thehackernews.com/2026/02/uat-9921-deploys-voidlink-malware-to.html
https://blog.talosintelligence.com/voidlink/