UAT-9921

Also known as: UAT-9921, VoidLink Operator

UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying β€˜VoidLink’, a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).

🌍 Country China

Introduction

UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying β€˜VoidLink’, a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).

Activities and Tactics

Country of Origin: πŸ‡¨πŸ‡³ China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • China Chopper
  • Xploit

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

References pending cataloguing.