{
	"id": "7d02b3fa-342e-4857-b094-85c65c96779c",
	"created_at": "2026-04-06T00:12:13.63717Z",
	"updated_at": "2026-04-10T03:26:57.822084Z",
	"deleted_at": null,
	"sha1_hash": "3aebf4ece846b658d5ed31341ba3d7645605ae5d",
	"title": "New threat actor, UAT-9921, leverages VoidLink framework in campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114553,
	"plain_text": "New threat actor, UAT-9921, leverages VoidLink framework in\r\ncampaigns\r\nBy Nick Biasini\r\nPublished: 2026-02-11 · Archived: 2026-04-05 13:33:59 UTC\r\nTuesday, February 10, 2026 19:00\r\nCisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their\r\nactivities may go as far back as 2019, even without VoidLink.\r\nThe VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks,\r\nwhich can create tools on-demand for their operators.\r\nCisco Talos found clear indications that implants also exist for Windows, with the capability to load\r\nplugins.\r\nVoidLink is a near-production-ready proof of concept for an enterprise grade implant management\r\nframework, and features auditability and oversight for non-operators.\r\nVoidLink is a new modular framework that targets Linux based systems. Modular frameworks are prevalent on the\r\nlandscape today with the likes of Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many operating\r\ntoday. This framework is yet another implant management framework denoting a consistent and concerning\r\nevolution with shorter development cycles.\r\nCisco Talos is tracking the threat actor first seen to be using the VoidLink framework as UAT-9921. This threat\r\nactor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of\r\ntheir activity.  UAT-9921 uses compromised hosts to install VoidLink command and control (C2) which are then\r\nused to launch scanning activities both internal and external to the network.\r\nWho is UAT-9921?\r\nCisco Talos assesses that this threat actor has knowledge of Chinese language based on the language of the\r\nframework, code comments and code planning done using the AI enabled IDE. We also assess with medium\r\nconfidence that they have been active since at least 2019, not necessarily using VoidLink.\r\nVoidLink development appears to be a more recent addition with the aid of large language model (LLM) based \r\nintegrated development environment (IDE). However, in their compromise and post-compromise operations,\r\nUAT-9921 does not seem to be using AI-enabled tools. \r\nCisco Talos was able to determine that the operators deploying VoidLink have access to the source code of some\r\nmodules and some tools to interact with the implants without the C2. This indicates inner knowledge of the\r\ncommunication protocols of the implants.\r\nhttps://blog.talosintelligence.com/voidlink/\r\nPage 1 of 5\n\nWhile the development of VoidLink seems to be split into teams, it is unclear what level of compartmentalization\r\nexists between the development and the operation. We do know that UAT-9921 operators have access to VoidLink\r\nsource code of kernel modules, as well as tools that enable interaction with the implant without the C2.\r\nTalos assesses with high confidence that UAT-9921 compromises servers with the usage of pre-obtained\r\ncredentials or exploiting Java serialization vulnerabilities which allow remote code execution, namely Apache\r\nDubbo project. We also found indications of possible initial compromise via malicious documents, but no samples\r\nwere obtained.\r\nIn their post-compromise activities, UAT-9921 deploys the VoidLink implant. This allows the threat actor to hide\r\ntheir presence and the VoidLink C2, once deployed.\r\nTo find new targets and perform lateral movement, UAT-9921 deploys a SOCKS server on their compromised\r\nservers, which is used by FSCAN to perform internal reconnaissance.\r\nWith regard to victimology, UAT-9921 appears to focus on the technology sector, but we have also seen victims\r\nfrom financial services. However, the cloud-aware nature of VoidLink and scanning of entire Class C networks\r\nindicates that there is no specific targeting.\r\nGiven VoidLink’s auditability and oversight features, it is worth noting that even though UAT-9921 activity\r\ninvolves usage of exploits and pre-obtained credentials, Talos cannot discount the possibility that this activity is\r\npart of red team exercises.\r\nTimeline\r\nFigure 1. Timeline of activities involving UAT-9921 and VoidLink.\r\nhttps://blog.talosintelligence.com/voidlink/\r\nPage 2 of 5\n\nTalos is aware of multiple VoidLink-related victims dating back to September with the activity continuing through\r\nto January 2026. This finding does not necessarily contradict the Checkpoint Research mentions of late November\r\nsince the presented documents show development dates from version 2.0 and Cisco Talos assesses that this was\r\nstill version 1.0.\r\nThe future of attack frameworks\r\nTalos has been tracking fast deployment frameworks since 2022, with reports on Manjusaka and Alchimist/Insekt.\r\nThese two projects were tightly linked in their development philosophy, features, and architectural design. There\r\nwere obvious inspirations from CobaltStrike and Sliver; however, one fundamental difference was the single file\r\ninfrastructure and the lack of integrated initial infector vector.\r\nThe VoidLink framework represents a giant leap in this predictable evolution, while keeping the same, single file\r\ninfrastructure philosophy. This is a clear example of a “defense contractor grade” implant management\r\nframework, which represents one natural next step of other single file infrastructure frameworks like Manjusaka\r\nand Alchimist. \r\nThe development of VoidLink was fast, supported on AI-enabled integrated development environments. It uses\r\nthree different programing languages: ZigLang for the implant, C for the plugins and GoLang for the backend. It\r\nsupports compilation on demand for plugins, providing support for the different Linux distributions that might be\r\ntargeted. The reported development timeline of around two months would be hard to achieve by a small team of\r\ndevelopers without the help of an AI-enabled IDE.\r\nWhile Talos will discuss the framework in more detail below, it is important to reflect on what is to come in the\r\nframework landscape. With the current level of AI agents, it will not be surprising to find implants that ask their\r\nC2 for a “tool” that allows them to access certain resources.\r\nThe C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for\r\na known vulnerability, which just happens to be on an internal web server. The C2 doesn’t necessarily need to\r\nhave all these tools available — it may have an agent that will do its research and prepare the tool for the operator\r\nto use. With the current VoidLink compile-on-demand capability, integrating such feature should not be complex.\r\nKeep in mind that all of this will happen while the operator continues to explore the environment.\r\nOf course, this may just be an intermediate step, assuming that there is a human operator managing the\r\nenvironment exploration. However, it likely will not be long before we begin to uncover malicious agents doing\r\nthe initial stages of exploration and lateral movement before human intervention.\r\nThis has an impact of reducing compromise attack metrics — namely, the time to lateral movement and time to\r\nfocused data exfiltration. It also allows the generation of never-before-seen tools and the constant change in the\r\nattacker’s behavior, making detection more difficult.\r\nVoidLink Overview\r\nVoidLink contains features that make it “defense contractor grade,” such as the auditability of all actions and the\r\nexistence of a role-based access control (RBAC). The RBAC consists of three different levels of roles:\r\nhttps://blog.talosintelligence.com/voidlink/\r\nPage 3 of 5\n\n“SuperAdmin,” “Operator,” and “Viewer.” This feature is not often seen in other similar frameworks, but it is\r\ncrucial when operations need to have legal and corporate oversight.\r\nThe mesh peer-to-peer (P2P) and dead-letter queue routing capabilities allow some implants to communicate with\r\nothers, creating hidden networks with-in the same environment allowing the bypass of network access restrictions,\r\nas one implant may serve as external gateway for other implants.\r\nThe development timeline reported by Checkpoint Research indicates that this is a near-production-ready proof of\r\nconcept. Most frameworks support Windows and MacOS from their early stages of development; VoidLink only\r\nappears to have implants developed for Linux, although the implant code is written in such a way that can easily\r\nbe adapted to other languages. The main implant is written in ZigLang, a rather uncommon language; however the\r\nplugins are written in C. When needed these are loaded via an ELF linker and loader.\r\nTalos has found clear indications that the main implant has been compiled for Windows and that it can load\r\nplugins via dynamic-link library (DLL) sideloading. Unfortunately, we were unable to obtain a sample to confirm\r\nthese indications.\r\nThe Linux implants have advanced features, such as an eBPF or Loadable Kernel Module (LKM) based rootkit,\r\ncontainer privilege escalation, and sandbox escape. These are often related with the server side, but there are a\r\nmultitude of plugins in the implant targeting Linux as a desktop and not a server, something which is not often\r\nseen on malware since the Linux desktop base is not as prevalent as Windows or MacOS.\r\nMost of the modular frameworks Talos observes support a wide variety of platforms typically inclusive of Linux,\r\nWindows, and MacOS — but VoidLink is different. The VoidLink framework specifically targets Linux devices\r\nwithout any current support for Windows or MacOS. Linux is a particularly large landscape, with the Internet of\r\nThings (IoT) and critical infrastructure heavily relying on the Linux OS.\r\nAs with most frameworks, VoidLink can generate implants consisting of a variety of plugins. The plugins\r\nthemselves are standard, with the ability to interact and extract information from end systems, as well as\r\ncapabilities allowing for lateral movement and anti-forensics. VoidLink is also cloud-aware and can determine if it\r\nis running in a Kubernetes or Docker environment, then gather additional information to make use of the vendor’s\r\nrespective APIs. It has stealth mechanisms in place, including the ability to detect endpoint detection and response\r\n(EDR) solutions and create an evasion strategy based on the findings. There are also a variety of obfuscation and\r\nanti-analysis capabilities built into the framework designed to either obfuscate the data being exfiltrated or hinder\r\nthe analysis and removal of the malware itself.\r\nVoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility, as\r\ndemonstrated through this apparent proof of concept.\r\nCoverage\r\nThe following Snort Rules (SIDs) detect and block this threat:\r\nSnort2: 1:65915 - 1:65922, 1:65834-65842\r\nSnort3: 1:65915 - 1:65922, 1:65834-65838, 1:310388-1:310389\r\nhttps://blog.talosintelligence.com/voidlink/\r\nPage 4 of 5\n\nThe following ClamAV signature detects and blocks this threat:\r\nUnix.Trojan.VoidLink-10059283\r\nMore details on how Cisco detects threats like VoidLink is available here.\r\nSource: https://blog.talosintelligence.com/voidlink/\r\nhttps://blog.talosintelligence.com/voidlink/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/voidlink/"
	],
	"report_names": [
		"voidlink"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "434d8bf4-e8d6-4593-adfe-22ad8cdc363c",
			"created_at": "2026-02-14T02:00:03.851938Z",
			"updated_at": "2026-04-10T02:00:03.975774Z",
			"deleted_at": null,
			"main_name": "UAT-9921",
			"aliases": [
				"UAT-9921",
				"VoidLink Operator"
			],
			"source_name": "MISPGALAXY:UAT-9921",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775791617,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3aebf4ece846b658d5ed31341ba3d7645605ae5d.pdf",
		"text": "https://archive.orkl.eu/3aebf4ece846b658d5ed31341ba3d7645605ae5d.txt",
		"img": "https://archive.orkl.eu/3aebf4ece846b658d5ed31341ba3d7645605ae5d.jpg"
	}
}