New threat actor UAT-9921 deploys VoidLink against enterprise sectors

A new threat actor, UAT-9921, uses the modular VoidLink framework to target technology and financial organizations, Cisco Talos reports.

Cisco Talos spotted a previously unknown threat actor, tracked as UAT-9921, using a new modular attack framework called VoidLink. The group targets organizations in the technology and financial services sectors. The flexible design of VoidLink suggests the actor can adapt tools and techniques to different victims and campaign needs.

“Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink. The VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks, which can create tools on-demand for their operators.” reads the report published by Talos. “Cisco Talos found clear indications that implants also exist for Windows, with the capability to load plugins.”

VoidLink is a new modular, Linux-focused attack framework first spotted by Check Point. Talos attributes its use to UAT-9921, whose activity may date back as far as 2019, predating VoidLink itself.

“Talos is aware of multiple VoidLink-related victims dating back to September with the activity continuing through to January 2026.” continues the report. “This finding does not necessarily contradict the Checkpoint Research mentions of late November since the presented documents show development dates from version 2.0 and Cisco Talos assesses that this was still version 1.0.”

The group installs VoidLink on compromised servers to establish command-and-control, hide its activity, and scan networks both internally and externally. Talos assesses that the actor likely has Chinese-language knowledge and that VoidLink development appears to be supported by AI-enabled coding tools, though its operations do not rely on AI. UAT-9921 gains initial access with stolen credentials or by exploiting Java deserialization flaws in products such as Apache Dubbo. Known victims are technology and financial firms, but the broad network scanning suggests opportunistic rather than strictly sector-focused targeting.

Since 2022, Cisco Talos has tracked fast-evolving single-file attack frameworks like Manjusaka and Alchimist. VoidLink marks a major step forward, keeping the single-file model but delivering a more advanced, “defense-contractor grade” implant platform. Built quickly with AI-enabled development tools, it combines Zig for implants, C for plugins, and Go for the backend, and can compile plugins on demand for different Linux targets.

Talos warns this model could soon support AI-driven tool creation, where implants request custom exploits or modules from C2 servers in real time. This would speed lateral movement, enable unique attack tools, and make detection far harder.

“Of course, this may just be an intermediate step, assuming that there is a human operator managing the environment exploration. However, it likely will not be long before we begin to uncover malicious agents doing the initial stages of exploration and lateral movement before human intervention.” continues the report.

“This has an impact of reducing compromise attack metrics — namely, the time to lateral movement and time to focused data exfiltration. It also allows the generation of never-before-seen tools and the constant change in the attacker’s behavior, making detection more difficult.”

Talos researchers state that VoidLink stands out as a “defense contractor–grade” framework with built-in auditing and role-based access control (SuperAdmin, Operator, Viewer). Its mesh peer-to-peer design lets implants relay traffic for one another, bypassing network segmentation and egress limits. The malware is focused on Linux and implements advanced capabilities such as eBPF/LKM rootkits, container escape, privilege escalation, cloud awareness, and EDR evasion. Though mainly Linux-based, evidence suggests possible Windows support. With modular plugins, stealth, and anti-analysis features, VoidLink shows strong potential to evolve into a highly capable attack platform.

“VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility, as demonstrated through this apparent proof of concept.”
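The report lists eBPF/LKM rootkits among VoidLink's capabilities but publishes no indicators here, so the first thing a responder can do on a suspect Linux host is a generic cross-view check: an LKM rootkit that unlinks itself from the kernel's module list disappears from /proc/modules (what lsmod prints) while its directory under /sys/module usually survives. The script below is an added example, not code from Talos, Check Point, or VoidLink; the module name voidmod and the sample /proc/modules content are constructed for illustration, and the heuristic is not a VoidLink signature.

```python
"""Cross-view hunt for hidden Linux kernel modules (added example).

An LKM rootkit commonly unlinks its struct module from the kernel's module
list, so it vanishes from /proc/modules (the source of lsmod output) while
its kobject directory under /sys/module usually survives. Diffing the two
views is a cheap first pass. This is a generic heuristic, not a VoidLink
signature, and a careful rootkit can scrub both views; eBPF-based hiding
needs a separate check (for example, enumerating loaded programs with bpftool).
"""
import os


def parse_proc_modules(text):
    """Return the module names from text in /proc/modules format.

    Each line is: name size refcount deps state address ...; only the first
    field is needed here.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def read_sysfs_modules(root="/sys/module"):
    """Map each /sys/module entry to whether it is a loadable module.

    Built-in code that merely exports parameters also gets a directory here;
    only real loadable modules have an 'initstate' file, so that file is the
    discriminator.
    """
    result = {}
    for name in os.listdir(root):
        result[name] = os.path.isfile(os.path.join(root, name, "initstate"))
    return result


def hidden_modules(proc_names, sysfs_modules):
    """Loadable modules present in sysfs but absent from /proc/modules."""
    return sorted(
        name for name, loadable in sysfs_modules.items()
        if loadable and name not in proc_names
    )


def check_live_host():
    """Run the comparison against the running kernel (Linux only)."""
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    return hidden_modules(proc_names, read_sysfs_modules())


# Constructed sample input (not real telemetry): /proc/modules no longer lists
# 'voidmod' (a hypothetical name), but sysfs still has its initstate file.
# 'kernel' stands in for a built-in directory that only exposes parameters.
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc0100000
"""
SAMPLE_SYSFS = {
    "ext4": True,
    "xfrm_algo": True,
    "voidmod": True,   # hidden: loadable, but missing from /proc/modules
    "kernel": False,   # built-in parameter directory, not a module
}


def run_sample():
    """Apply the check to the constructed sample; returns ['voidmod']."""
    return hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS)


if __name__ == "__main__":
    print("sample:", run_sample())
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        print("live host:", check_live_host())
```

A hit from this check is a lead, not proof: compare it against a known-good kernel build of the same host, and treat an empty result as inconclusive, since a rootkit with sysfs hooks, or one implemented purely in eBPF, will not show up here.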

Pierluigi Paganini

(SecurityAffairs – hacking, malware)
