UAT-9921 Feeds VoidLink Malware to Target Technology and Financial Sectors

A previously unknown threat actor tracked as UAT-9921 has been observed using a new modular framework called VoidLink in campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.
“This threat actor appears to have been active since 2019, although they did not use VoidLink during their game,” said researchers Nick Biasini, Aaron Boyd, Asheer Malhotra and Vitor Ventura. “UAT-9921 uses vulnerable hosts to install VoidLink command-and-control (C2), which is then used to initiate scanning operations both inside and outside the network.”
VoidLink was first documented by Check Point last month, which described it as a feature-rich malware framework written in Zig and designed for long-term, stealthy access to Linux-based cloud environments. It is assessed to be the work of a single developer, built with help from a large language model (LLM) following a concept called spec-driven development.
In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink raises new concerns that LLM-produced implants, packed with kernel-level rootkits and cloud-targeting features, may lower the skill barrier needed to produce hard-to-detect malware.
Per Talos, UAT-9921 is believed to have Chinese-language capabilities, given the language used in the framework, and the toolkit appears to be a recent addition to its arsenal. Development is also believed to have been divided among groups, although the degree of separation between development and actual operations remains unclear.
“Workers using VoidLink have access to the source code of other [kernel] modules and other tumor communication tools other than C2,” the researchers noted. “This indicates internal knowledge of tumor communication processes.”
VoidLink is used as a post-compromise tool, allowing the adversary to evade detection. The threat actor has also been observed deploying a SOCKS proxy on vulnerable servers and using it to run internal reconnaissance and lateral-movement scans with open-source tools such as Fscan.
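The scanning behaviour described above leaves a recognisable footprint on the network: one internal source touching many distinct destination IP:port pairs in a short window, most of them refused. The following is an added detection example, not code from Talos or from the VoidLink project; the log format, the 10.20.5.0/24 addresses, the thresholds and the sample traffic are all constructed assumptions chosen to illustrate the fan-out pattern a Fscan-style sweep relayed through a compromised host would produce.

```python
"""
Fan-out detector for internal scanning from a single source host.

Constructed example: reads simple firewall/netflow-style lines of the form
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DROP>
and flags any source that contacts at least `min_targets` distinct
(dst_ip, dst_port) pairs inside a sliding window of `window_seconds`.
The line format, addresses and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed traffic: one benign workstation and one host sweeping the /24."""
    lines = []
    base = datetime(2025, 9, 14, 10, 0, 0)
    # Benign host: six connections to two internal servers spread over ten minutes.
    for i in range(6):
        ts = base + timedelta(minutes=i * 2)
        lines.append(f"{ts.isoformat()} 10.20.5.40 10.20.5.{5 + (i % 2)} 443 ALLOW")
    # Sweeping host: 30 neighbours x ports 22 and 445 inside 30 seconds, mostly refused.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        for port in (22, 445):
            action = "ALLOW" if i % 10 == 0 else "DROP"
            lines.append(f"{ts.isoformat()} 10.20.5.17 10.20.5.{100 + i} {port} {action}")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_fanout(lines, window_seconds=60, min_targets=20):
    """
    Return {src_ip: {"distinct_targets": n, "denied": d}} for every source whose
    distinct (dst, port) count within any window of `window_seconds` reaches
    `min_targets`. `distinct_targets` is the largest such count seen and
    `denied` is the total number of DROP events for that source, a secondary
    signal because a sweep of an unknown network is mostly refused.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_src = defaultdict(list)
    denied = defaultdict(int)
    for ts, src, dst, port, action in events:
        by_src[src].append((ts, (dst, port)))
        if action == "DROP":
            denied[src] += 1

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, ev in by_src.items():
        # Two-pointer sliding window over the time-sorted events of this source.
        left = 0
        for right in range(len(ev)):
            while ev[right][0] - ev[left][0] > window:
                left += 1
            targets = {target for _, target in ev[left:right + 1]}
            if len(targets) >= min_targets:
                best = alerts.get(src, {}).get("distinct_targets", 0)
                alerts[src] = {
                    "distinct_targets": max(best, len(targets)),
                    "denied": denied[src],
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_fanout(build_sample_log()).items():
        print(f"possible internal sweep from {src}: "
              f"{info['distinct_targets']} distinct targets, {info['denied']} refused")
```

The benign workstation never exceeds two distinct targets and produces no alert, while the sweeping host reaches 60 distinct (host, port) pairs inside its 30-second burst and is reported with 54 refused connections. In practice the thresholds need tuning per network segment, and legitimate vulnerability scanners and monitoring hosts should be allow-listed before this kind of rule is put into an alerting pipeline.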

The cybersecurity firm said it is aware of several VoidLink-related victims dating back to September 2025, indicating that the malware’s activity may have started much earlier than the November 2025 timeline established by Check Point.
VoidLink is built from three different programming languages: Zig for the implant, C for plugins, and Go for the backend. It supports on-demand integration of plugins, allowing different Linux distributions to be targeted. Plugins provide data gathering, lateral movement, and anti-forensics capabilities.
The framework also incorporates a variety of stealth techniques to hinder analysis, resist removal from infected hosts, and identify endpoint detection and response (EDR) solutions so that it can devise an evasion strategy on the fly.
“C2 will provide that installation with a plugin to read a specific database that an employee has found, or exploit a known vulnerability that happens to be on an internal web server,” Talos said.
“C2 doesn’t really need to have all of these tools available – it could have an agent do their research and prepare a tool for the operator to use. With the current integration capabilities of VoidLink-on-demand, integrating such a feature shouldn’t be complicated. Remember that all of this will happen while the operator continues to explore the environment.”
Another defining feature of VoidLink is its readability and the presence of role-based access control (RBAC) with three role levels: SuperAdmin, Operator, and Viewer. This suggests the framework’s developers had caution in mind when designing it, and raises the possibility that the work may be part of a red-team exercise.
In addition, there are indications of a core plugin compiled for Windows that can load further plugins using a technique known as DLL side-loading.
“This is a proof of concept that is close to production,” Talos said. “VoidLink is set to become an even stronger framework based on its power and flexibility.”