
Incidents attributed to:

UAT-9921


UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, critical infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target the technology and financial sectors, exploiting Java serialization vulnerabilities (Apache Dubbo).

Also known as

UAT-9921, VoidLink Operator.

Actor metadata imported from Malpedia (Fraunhofer FKIE).