A previously unknown threat actor tracked as UAT-9921 has been observed leveraging a new modular framework called VoidLink in its campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.
“This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity,” researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said. “UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network.”
VoidLink was first documented by Check Point last month, describing it as a feature-rich malware framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. It’s assessed to be the work of a single developer with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development.
In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink presents a new concern where LLM-generated implants, packed with kernel-level rootkits and features to target cloud environments, can further lower the skill barrier required to produce hard-to-detect malware.
Per Talos, UAT-9921 is believed to possess knowledge of the Chinese language, given the language of the framework, and the toolkit appears to be a recent addition. It is also believed that the development was split across teams, although the extent of the demarcation between development and the actual operations remains unclear.
“The operators deploying VoidLink have access to the source code of some [kernel] modules and some tools to interact with the implants without the C2,” the researchers noted. “This indicates inner knowledge of the communication protocols of the implants.”
VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has also been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan.
The cybersecurity company said it’s aware of multiple VoidLink-related victims dating back to September 2025, indicating that work on the malware may have commenced much earlier than the November 2025 timeline pieced together by Check Point.
VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. It supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics.
The framework also comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly.
“The C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for a known vulnerability, which just happens to be on an internal web server,” Talos said.
“The C2 doesn’t necessarily need to have all these tools available — it may have an agent that will do its research and prepare the tool for the operator to use. With the current VoidLink compile-on-demand capability, integrating such a feature should not be complex. Keep in mind that all of this will happen while the operator continues to explore the environment.”
Another defining trait of VoidLink is its auditability and the existence of a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. This suggests that the developers of the framework kept oversight in mind when designing it, raising the possibility that the activity may be part of red team exercises.
What’s more, there are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.
“This is a near-production-ready proof of concept,” Talos said. “VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility.”
