UAT-9921

Also known as: UAT-9921 · VoidLink Operator

Origin: CN
Known aliases: 2

Profile

UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, the group was observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Distinguishing characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. The group targets the Technology and Financial sectors, exploiting Java serialization vulnerabilities (Apache Dubbo).

Aliases · 2

UAT-9921 · VoidLink Operator

References

  1. https://blog.talosintelligence.com/voidlink/
  2. https://isovalent.com/blog/post/voidlink-cloud-malware-detection/

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. Actor: UAT-9686
  2. Actor: UNC6691
  3. Actor: UAT-9244
  4. Actor: UAT-8616
  5. Actor: UAC-0020
  6. Actor: UAT-5918

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.