UAT-9921 Deploys VoidLink Malware to Target Technology and Financial Sectors

• A previously unknown threat actor tracked as UAT-9921 has been observed leveraging a new modular framework called VoidLink in its campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.
• “This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity,” researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said.
• “UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network.” VoidLink was first documented by Check Point last month, which described it as a feature-rich malware framework written in Zig and designed for long-term, stealthy access to Linux-based cloud environments.
• It is assessed to be the work of a single developer, with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development.
• In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink presents a new concern: LLM-generated implants, packed with kernel-level rootkits and features for targeting cloud environments, can further lower the skill barrier required to produce hard-to-detect malware.
• Per Talos, UAT-9921 is believed to possess knowledge of the Chinese language, given the language of the framework and the code comments present in it.