A previously unknown threat actor tracked as UAT-9921 has been observed using a new modular framework called VoidLink in campaigns that target the technology and financial services sectors, according to Cisco Talos. The researchers say UAT-9921 uses compromised hosts to install VoidLink C2, which it then uses to conduct internal and external network scanning; the actor's activity dates back to at least 2019, though VoidLink may be a more recent addition to its toolset.
VoidLink was first documented by Check Point last month and is described as a feature-rich framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. According to Talos, VoidLink is deployed as a post-compromise tool and includes a SOCKS proxy on compromised servers to aid internal reconnaissance and lateral movement using tools such as Fscan, with three languages underpinning the project: ZigLang for the implant, C for the plugins, and GoLang for the backend.
The framework also supports auditability through a three-level RBAC system (SuperAdmin, Operator, and Viewer), and a Windows main implant capable of loading plugins via DLL side-loading has also been noted.