securityaffairs.com 2/13/2026, 10:40:52 PM · via preferred

New threat actor UAT-9921 deploys VoidLink against enterprise sectors

Cisco Talos reports that a previously unknown threat actor, UAT-9921, is using a new modular framework called VoidLink to target technology and financial services organisations. According to Cisco Talos, VoidLink is Linux-focused, but implants exist for Windows, and the group can load plugins to extend its capabilities; a compile-on-demand feature enables AI-enabled tool creation.

The actors are believed to have been active since at least 2019, with activity continuing into January 2026. They gain access using stolen credentials or by exploiting Java serialization flaws, such as those in Apache Dubbo. Victims include technology and financial firms, and the campaign features command-and-control implants that can scan networks internally and externally while attempting to evade detection.

The framework is described as defense-contractor-grade and built quickly with AI-enabled development tools. Its capabilities include eBPF/LKM rootkits, container escape, privilege escalation, cloud awareness and EDR evasion; potential Windows support is not yet proven.

Article by CyberSIXT