VoidLink is a new modular framework that targets Linux-based systems.

- Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink.
- The VoidLink compile-on-demand feature lays the foundations for AI-enabled attack frameworks, which can create tools on demand for their operators.
- Cisco Talos found clear indications that implants also exist for Windows, with the capability to load plugins.
- VoidLink is a near-production-ready proof of concept for an enterprise-grade implant management framework, and features auditability and oversight for non-operators.
Article Summaries:
- Cisco Talos has identified a new threat actor, UAT-9921, that has been active since at least 2019 and is now leveraging the VoidLink implant-management framework. VoidLink, a near-production-ready modular system for Linux, offers compile-on-demand AI-enabled tool creation and auditability features. UAT-9921 installs VoidLink command-and-control implants on compromised hosts, enabling internal and external scanning, lateral movement via SOCKS servers, and covert persistence. The actor typically gains initial access through stolen credentials or Java serialization exploits (e.g., Apache Dubbo) and targets the technology sector, with occasional financial services victims. The group's use of Chinese-language code and LLM-based IDEs suggests advanced development capabilities.
Sources: