A New Cyber Threat: UAT-9921 and VoidLink Malware

Sat Feb 14 2026
A group known as UAT-9921 has been using a new malware called VoidLink. This malware targets tech and finance companies. The group has been active since 2019 but only recently started using VoidLink. VoidLink is a sophisticated tool. It is designed to stay hidden in Linux-based cloud systems. It was likely created by one person with help from AI. AI assistance of this kind makes it easier for less skilled hackers to create dangerous malware. UAT-9921 uses compromised computers to install VoidLink. This allows the group to scan networks both inside and outside the targeted organization. VoidLink can also deploy a SOCKS proxy to launch internal scans and move laterally using tools like Fscan.
The malware uses three programming languages: Zig for the main implant, C for plugins, and Go for the backend. It can compile plugins on demand. On-demand compilation supports different Linux distributions and provides features for information gathering, lateral movement, and anti-forensics. VoidLink has advanced stealth mechanisms. These help it avoid detection and removal. It can also detect security software and evade it. The command-and-control (C2) server can provide plugins to exploit specific vulnerabilities found in the target environment. Another interesting feature of VoidLink is its role-based access control (RBAC). It has three roles: SuperAdmin, Operator, and Viewer. This suggests that the developers planned for oversight. There are also signs of a main implant for Windows that can load plugins via DLL side-loading.
https://localnews.ai/article/a-new-cyber-threat-uat-9921-and-voidlink-malware-8eafd1e9
