Cyber: Uat-9921 Deploys Voidlink Malware To Target Technology And...
A previously unknown threat actor tracked as UAT-9921 has been observed leveraging a new modular framework called VoidLink in its campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.
"This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity," researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said. "UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network."
VoidLink was first documented by Check Point last month, describing it as a feature-rich malware framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. It's assessed to be the work of a single developer with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development.
In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink presents a new concern where LLM-generated implants, packed with kernel-level rootkits and features to target cloud environments, can further lower the skill barrier required to produce hard-to-detect malware.
Per Talos, UAT-9921 is believed to possess knowledge of the Chinese language, given the language of the framework, and the toolkit appears to be a recent addition. It is also believed that the development was split across teams, although the extent of the demarcation between development and the actual operations remains unclear.
"The operators deploying VoidLink have access to the source code of some [kernel] modules and some tools to interact with the implants without the C2," the researchers noted. "This indicates inner knowledge of the communication protocols of the implants."
VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has also been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan.
The cybersecurity company said it's aware of multiple VoidLink-related victims dating back to September 2025, indicating that work on the malware may have commenced much earlier than the November 2025 timeline pieced together by Check Point.
VoidLink uses three different programming languages: ZigLang
Source: The Hacker News
