UAT-9921
UAT-9921 is a previously unknown threat actor tracked by Cisco Talos (and associated with reporting by Check Point and Ontinue) observed leveraging a modular intrusion framework called VoidLink, primarily targeting organizations in the technology and financial services sectors. Talos assesses the actor's activity may date back to at least 2019, though VoidLink appears to be a more recent addition; Talos observed multiple VoidLink-related victims from September 2025 through January 2026.

Operations described by Talos include compromising servers and installing VoidLink to establish command-and-control (C2), then using the compromised infrastructure to conduct internal and external network scanning. Initial access has been attributed with high confidence to the use of pre-obtained (stolen) credentials and exploitation of Java serialization vulnerabilities for remote code execution, including issues associated with Apache Dubbo. Post-compromise activity noted includes deployment of a SOCKS proxy and use of open-source tooling such as Fscan for internal reconnaissance and lateral movement; Talos also noted broad scanning (including full Class C ranges) suggesting opportunistic behavior beyond the primary targeted sectors.

VoidLink is characterized as a Linux-focused, near-production-ready, "enterprise-grade" implant management framework: a Zig-based single-file implant with C plugins and a Go backend, supporting compile-on-demand plugin generation for different Linux targets. Reported capabilities include stealth/anti-analysis and EDR detection/evasion, obfuscation, anti-forensics, mesh peer-to-peer relaying between implants, and cloud/container awareness (e.g., Kubernetes and Docker checks) with potential container privilege escalation and sandbox escape; Talos also referenced advanced Linux options such as eBPF/loadable-kernel-module rootkit-like functionality. The framework includes built-in auditing and role-based access control (e.g., SuperAdmin/Operator/Viewer).

Talos assessed UAT-9921 likely has Chinese-language knowledge based on language indicators in the framework. Talos also reported indications (unconfirmed by recovered samples) that a Windows implant/equivalent may exist or be in development, potentially with plugin loading (including via DLL sideloading).
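The post-compromise scanning described above (a compromised server sweeping whole Class C ranges with tooling such as Fscan) leaves a simple footprint in flow or connection logs: one internal source contacting many distinct hosts in a single /24 within a short window. The code below is an added example written for this page, not Talos tooling or anything recovered from the reporting. The log format, the sample records, and the thresholds (20 distinct hosts inside 5 minutes) are all constructed assumptions to be tuned per environment; it only shows the shape of a sweep detector, not a signature for VoidLink.

```python
"""Flag internal hosts that sweep a /24, the pattern described for post-compromise scanning.

Added example; log lines are constructed for illustration and are not real telemetry.
Record format assumed here: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress


def constructed_log() -> list[str]:
    """Build sample flow records. Two sources: a benign app server and a sweeping host."""
    base = datetime(2026, 1, 10, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Benign pattern: an app server talking to three back-end database hosts over 20 minutes.
    for i in range(40):
        dst = f"10.20.6.{10 + (i % 3)}"
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 10.20.5.40 {dst} 5432")
    # Sweep pattern: one source touching 60 consecutive hosts in 10.20.6.0/24 within two minutes.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.20.5.17 10.20.6.{1 + i} 445")
    return lines


def parse_log(lines: list[str]) -> list[tuple[datetime, str, str, int]]:
    """Parse the assumed four-field record format into (timestamp, src, dst, dport)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        # Accept a trailing "Z" as UTC so hand-written records also parse.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port)))
    return events


def find_sweeps(events, window: timedelta = timedelta(minutes=5), min_hosts: int = 20) -> dict:
    """Return {(src, dst_/24): peak_distinct_hosts} for sources that reach at least
    min_hosts distinct destinations in one /24 within any sliding window of `window`."""
    by_key: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, _port in events:
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        by_key[(src, str(net))].append((ts, dst))

    hits: dict[tuple[str, str], int] = {}
    for key, recs in by_key.items():
        recs.sort()  # time order so the window can slide forward
        left = 0
        in_window: dict[str, int] = defaultdict(int)  # dst -> count of records inside the window
        for ts, dst in recs:
            in_window[dst] += 1
            # Drop records that have fallen out of the window.
            while ts - recs[left][0] > window:
                old_dst = recs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            distinct = len(in_window)
            if distinct >= min_hosts:
                hits[key] = max(hits.get(key, 0), distinct)
    return hits


if __name__ == "__main__":
    for (src, net), hosts in find_sweeps(parse_log(constructed_log())).items():
        print(f"possible sweep: {src} touched {hosts} distinct hosts in {net}")
```

The benign server hits only three hosts and never trips the threshold; the sweeping source is reported once with its peak distinct-host count. In practice this runs over Zeek conn logs, VPC flow logs, or firewall logs after mapping their fields to the four used here, and a server that suddenly initiates many outbound connections is worth correlating with the other indicators on this page (new SOCKS listener, unexpected child processes of a Java service).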
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Runs campaigns leveraging the VoidLink framework (details not provided in the newsletter snippet).
Newly identified activity cluster reported deploying the VoidLink framework in campaigns targeting enterprise sectors.
Cluster leveraging the VoidLink framework for server compromise, assessed to have Chinese-language knowledge; uses stolen credentials and Java deserialization RCE (notably Apache Dubbo) and possibly malicious documents for initial access.
Uses the modular VoidLink framework (primarily Linux-focused, with possible Windows implants) to compromise enterprise servers, establish C2, hide activity, and perform internal/external network scanning; initial access via stolen credentials and exploitation of Java serialization flaws (e.g., Apache Dubbo).