
According to Cisco Talos findings, a previously unknown threat actor tracked as UAT-9921 was observed leveraging a new modular framework called VoidLink in campaigns targeting the technology and financial services sectors.
“This threat actor appears to have been active since 2019, but has not necessarily been using VoidLink during this period,” said researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura. “UAT-9921 is used to install VoidLink command and control (C2) using compromised hosts and initiate scanning activity both inside and outside the network.”
VoidLink was first documented by Check Point last month, which described it as a feature-rich malware framework written in Zig and designed for long-term, stealthy access to Linux-based cloud environments. The framework is credited to a single developer who fleshed out the internals using a paradigm called specification-driven development, with the help of large language models (LLMs).
In a separate analysis published earlier this week, Ontinue noted that the emergence of VoidLink presents new concerns that kernel-level rootkits and feature-packed LLM-generated implants targeting cloud environments could further lower the skill barrier required to generate hard-to-detect malware.
Considering the language used in the framework, UAT-9921 is believed to have knowledge of Chinese, and the toolkit appears to be a recent addition to its arsenal, according to Talos. Development is believed to have been carried out by multiple teams, but where the boundary between development and actual operation lies remains unclear.
“Operators who have deployed VoidLink will have access to some source code. It contains a [kernel] module and some tools to interact with the implant without C2,” the researchers said, “which indicates inside knowledge about the implant’s communication protocol.”
VoidLink was introduced as a post-compromise tool to help attackers evade detection. Threat actors have also been observed deploying SOCKS proxies on compromised servers to initiate internal reconnaissance and lateral movement scans using open source tools such as Fscan.

The cybersecurity firm said it is aware of multiple VoidLink-related victims dating back to September 2025, suggesting work on the malware may have begun much earlier than the November 2025 timeline compiled by Check Point.
VoidLink uses three programming languages: Zig for the implant, C for the plugins, and Go for the backend. It supports on-demand compilation of plugins and a variety of Linux distributions as potential targets. Plugins enable information collection, lateral movement, and anti-forensics.
The framework is also equipped with a wide range of stealth mechanisms to thwart analysis and prevent removal from infected hosts, and it can even detect endpoint detection and response (EDR) solutions in order to devise evasion strategies on the fly.
“C2 provides a plug-in to the implant that allows operators to read exploits for known vulnerabilities in specific databases or that happen to reside on internal web servers,” Talos said.
“The C2 doesn’t necessarily need all of these tools available; there could be an agent that does the research and prepares the tools for the operator to use. With the current VoidLink compile-on-demand capabilities, integrating such functionality is not complicated. Keep in mind that all of this happens while the operator continues to explore the environment.”
Another feature of VoidLink is its auditability and the presence of a role-based access control (RBAC) mechanism that consists of three role levels: SuperAdmin, Operator, and Viewer. This suggests that the framework’s developers had monitoring in mind when designing it, raising the possibility that this activity was part of a red team exercise.
Additionally, there are indications of a main implant compiled for Windows that can load plugins via a technique called DLL sideloading.
“This is a proof of concept that is almost production-ready,” Talos said. “VoidLink is poised to become an even more powerful framework based on its functionality and flexibility.”
