Cisco Talos reports that the threat actor UAT-9921 is using a new modular framework called VoidLink to conduct post-compromise C2 operations, internal and external scanning, and lateral movement against technology and financial services. VoidLink—written in Zig with C plugins and a Go backend, and possibly developed with LLM assistance—includes kernel-level rootkits, stealth and anti-forensics features, RBAC controls, and Windows DLL sideloading capabilities. #VoidLink #UAT-9921
Keypoints
- UAT-9921 has deployed VoidLink as a post-compromise C2 to target technology and financial services.
- VoidLink is modular and uses Zig for the implant, C for plugins, and Go for the backend with compile-on-demand support.
- The framework includes kernel-level rootkits, stealth and anti-forensics measures, EDR detection and evasion, and SOCKS proxies for reconnaissance.
- Evidence suggests LLM-assisted and possibly multi-team development; the framework implements role-based access control (SuperAdmin/Operator/Viewer) and supports Windows DLL sideloading.
- Cisco Talos links multiple victims to VoidLink and warns the framework is near-production-ready, potentially lowering the skill barrier for cloud-focused implants.
Read More: https://thehackernews.com/2026/02/uat-9921-deploys-voidlink-malware-to.html