| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).
There are currently no families associated with this actor.
| 2026-02-11
⋅
Isovalent
⋅
Deconstructing Voidlink: Why New AI and Cloud-Native Threats Require a New Class of Defense VoidLink UAT-9921 |
| 2026-02-10
⋅
Cisco Talos
⋅
New threat actor, UAT-9921, leverages VoidLink framework in campaigns VoidLink UAT-9921 |