嗯,用户让我帮忙总结一篇文章的内容,控制在一百个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述即可。 首先,我需要仔细阅读文章内容。文章主要讲的是一个新的威胁行为者UAT-9921使用VoidLink框架攻击企业和金融部门。Cisco Talos报告了这个情况,提到VoidLink是一个模块化的攻击框架,专注于Linux系统,具备很强的能力,比如eBPF/LKM rootkits、容器逃逸等。此外,VoidLink还可能支持Windows,并且有AI辅助开发工具。 接下来,我要提取关键信息:新威胁者UAT-9921、VoidLink框架、目标行业(科技和金融)、模块化设计、Linux为主、可能支持Windows、AI辅助开发工具。 然后,我需要把这些信息浓缩到100字以内。确保涵盖主要点:谁(UAT-9921)、做什么(使用VoidLink)、目标(企业、金融)、框架特点(模块化、Linux)、可能扩展到Windows、AI工具支持。 最后,组织语言,确保简洁明了。例如:“新威胁行为者UAT-9921利用模块化攻击框架VoidLink针对科技和金融企业发起攻击。该框架专注于Linux系统,具备高度灵活性和先进功能,并可能支持Windows环境。其开发得到AI工具辅助。” 这样既涵盖了关键点,又符合字数限制。 </think> 新威胁行为者UAT-9921利用模块化攻击框架VoidLink针对科技和金融企业发起攻击。该框架专注于Linux系统,具备高度灵活性和先进功能,并可能支持Windows环境。其开发得到AI工具辅助。 2026-2-13 22:18:18 Author: securityaffairs.com(查看原文) 阅读量:0 收藏
New threat actor UAT-9921 deploys VoidLink against enterprise sectors
Pierluigi Paganini
February 13, 2026
A new threat actor, UAT-9921, uses the modular VoidLink framework to target technology and financial organizations, Cisco Talos reports.
Cisco Talos spotted a previously unknown threat actor, tracked as UAT-9921, using a new modular attack framework called VoidLink. The group targets organizations in the technology and financial services sectors. The flexible design of VoidLink suggests the actor can adapt tools and techniques to different victims and campaign needs.
“Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink. The VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks, which can create tools on-demand for their operators.” reads the report published by Talos. “Cisco Talos found clear indications that implants also exist for Windows, with the capability to load plugins.”
VoidLink is a new modular Linux-focused attack framework first spotted by Check Point and used by threat actor UAT-9921, which has been active since at least 2019.
“Talos is aware of multiple VoidLink-related victims dating back to September with the activity continuing through to January 2026.” continues the report. “This finding does not necessarily contradict the Checkpoint Research mentions of late November since the presented documents show development dates from version 2.0 and Cisco Talos assesses that this was still version 1.0.”
The group installs VoidLink on compromised servers to establish command-and-control, hide activity, and scan networks internally and externally. Talos assesses that the actor likely has Chinese-language knowledge and that VoidLink development appears to be supported by AI-enabled coding tools, though operations do not rely on AI. UAT-9921 gains access using stolen credentials or by exploiting Java serialization flaws such as Apache Dubbo. Victims include technology and financial firms, but broad network scanning suggests opportunistic targeting.
Since 2022, Cisco Talos has tracked fast-evolving single-file attack frameworks like Manjusaka and Alchimist. VoidLink marks a major step forward, keeping the single-file model but delivering a more advanced, “defense-contractor grade” implant platform. Built quickly with AI-enabled development tools, it combines Zig for implants, C for plugins, and Go for the backend, and can compile plugins on demand for different Linux targets.
Talos warns this model could soon support AI-driven tool creation, where implants request custom exploits or modules from C2 servers in real time. This would speed lateral movement, enable unique attack tools, and make detection far harder.
“Of course, this may just be an intermediate step, assuming that there is a human operator managing the environment exploration. However, it likely will not be long before we begin to uncover malicious agents doing the initial stages of exploration and lateral movement before human intervention.” continues the report.
“This has an impact of reducing compromise attack metrics — namely, the time to lateral movement and time to focused data exfiltration. It also allows the generation of never-before-seen tools and the constant change in the attacker’s behavior, making detection more difficult.”
Talos researchers states that VoidLink stands out as a “defense contractor–grade” framework with built-in auditing and role-based access control (SuperAdmin, Operator, Viewer). Its mesh peer-to-peer design lets implants relay traffic for one another, bypassing network limits. The malware is focused on Linux, and implements advanced capabilities such as eBPF/LKM rootkits, container escape, privilege escalation, cloud awareness, and EDR evasion. Though mainly Linux-based, evidence suggests possible Windows support. With modular plugins, stealth, and anti-analysis features, VoidLink shows strong potential to evolve into a highly powerful attack platform.
“VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility, as demonstrated through this apparent proof of concept.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
如有侵权请联系:admin#unsafe.sh