UAT-9921 Targets Technology and Financial Sectors with VoidLink Malware via Apache Dubbo Vulnerabilities

Executive Summary
A newly identified threat actor, UAT-9921, is running a campaign that uses the modular VoidLink malware framework against organizations in the technology and financial sectors. The campaign, first observed in September 2025, is built for cloud-native environments, with a focus on Linux hosts, Kubernetes, and Docker. VoidLink is engineered for stealth, persistence, and lateral movement, using a plugin-based architecture and anti-forensic techniques. Initial access is obtained primarily by exploiting Java deserialization vulnerabilities in Apache Dubbo, and secondarily by using previously compromised credentials. This advisory provides a technical analysis, indicators of compromise, exploitation details, and actionable mitigations to help organizations defend against this threat.
Threat Actor Profile
UAT-9921 is an advanced threat actor with a likely East Asian nexus, as indicated by Chinese-language code comments and operational artifacts. The group has been active since at least 2019, with a marked increase in activity once VoidLink was deployed in 2025. UAT-9921 shows a high degree of operational security and relies on custom malware, cloud-native attack techniques, and a modular development approach. Its targeting is opportunistic but favors high-value technology and financial services organizations, particularly those running Linux-based cloud environments. The group’s tactics, techniques, and procedures (TTPs) are consistent with advanced persistent threat (APT) activity, though no attribution to a known APT group has been established.
Technical Analysis of Malware/TTPs
VoidLink is a modular malware framework written primarily in Zig, with plugins in C and backend components in Go. The implant is designed for Linux systems and is cloud-aware: it can detect and interact with the Kubernetes and Docker APIs. The framework supports on-demand plugin compilation, so the operator can tailor payloads to a victim's specific Linux distribution and kernel version.
Key technical features include kernel-level rootkits (using eBPF and LKM techniques), container privilege escalation, sandbox escape, and dynamic evasion of endpoint detection and response (EDR) solutions. VoidLink employs advanced anti-forensics, including obfuscation, in-memory execution, and indicator removal on host. The command and control (C2) infrastructure supports both traditional and peer-to-peer (P2P) mesh communication, enabling implants to bypass network segmentation and egress controls.
Role-based access control (RBAC) is implemented within the framework, with distinct roles such as SuperAdmin, Operator, and Viewer, facilitating operational oversight and multi-operator campaigns. The malware’s plugin system allows for rapid deployment of new capabilities, such as internal network scanning (using the open-source Fscan tool), SOCKS proxying for lateral movement, and targeted exploitation of internal services.
Initial access is typically achieved by exploiting Java deserialization vulnerabilities in Apache Dubbo, notably CVE-2020-1948 (unsafe Hessian2 deserialization leading to remote code execution) and CVE-2019-17564 (unsafe deserialization in Dubbo's HTTP remoting), or by using pre-obtained credentials. Post-compromise, the attacker deploys the VoidLink implant, establishes C2, and begins internal reconnaissance and lateral movement. Persistence is maintained through rootkit installation and autostart mechanisms.
The following MITRE ATT&CK techniques have been observed in this campaign: Valid Accounts (T1078), Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Rootkit (T1014), Boot or Logon Autostart Execution (T1547), Obfuscated Files or Information (T1027), Indicator Removal (T1070), Lateral Tool Transfer (T1570), and Proxy (T1090) for the peer-to-peer relaying of C2 traffic between implants.
Exploitation in the Wild
Since September 2025, multiple organizations in the technology and financial sectors have been compromised by UAT-9921 using the VoidLink framework. The campaign is characterized by broad, non-specific scanning of /24 network ranges, indicating opportunistic targeting rather than bespoke attacks. Victims have reported unauthorized access to cloud infrastructure, lateral movement across containerized environments, and exfiltration of sensitive data.
The exploitation chain typically begins with the identification of vulnerable Apache Dubbo instances exposed to the internet. After successful exploitation, the attacker deploys the VoidLink implant, establishes C2, and uses internal scanning and SOCKS proxying to move laterally within the victim’s environment. The rootkits and anti-forensic techniques have hindered detection and response, allowing the attacker to maintain long-term access.
Victimology and Targeting
The primary targets of this campaign are organizations in the technology and financial services sectors, with a focus on those operating Linux-based cloud environments. Geographic targeting appears to be global, with no explicit country focus, though the use of Chinese-language artifacts suggests a possible East Asian nexus. Victims include cloud service providers, fintech companies, and enterprises with significant investments in containerized infrastructure. The opportunistic nature of the scanning and exploitation indicates that any organization with vulnerable Apache Dubbo instances or weak credential hygiene is at risk.
Mitigation and Countermeasures
Organizations are strongly advised to implement the following mitigations against VoidLink and similar threats. Prioritize detection by deploying the latest Snort and ClamAV signatures for VoidLink (Snort2: 1:65915-1:65922, 1:65834-65842; Snort3: 1:65915-1:65922, 1:65834-65838, 1:310388-1:310389; ClamAV: Unix.Trojan.VoidLink-10059283). Patch management is critical: all Java-based services, especially Apache Dubbo, must be updated to version 2.7.8, 2.6.9, or 2.5.10 or later on their respective branches to remediate the known deserialization vulnerabilities (CVE-2020-1948, CVE-2019-17564).
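To turn the patch guidance above into a repeatable check, the following added example (written for this advisory, not part of any Rescana, Talos, or Apache Dubbo tooling) triages a constructed asset inventory against the minimum fixed versions listed in this section. The minimum versions per branch are taken from the advisory; the inventory file format (hostname, tab, version string) and the rule that treats a pre-release such as 2.7.8-SNAPSHOT as unpatched are assumptions chosen for the example.

```python
"""Triage Apache Dubbo versions from an inventory against the advisory's fixed versions."""
import re
from typing import Optional

# Minimum patched version per branch, as stated in the advisory.
# Branches not listed here (e.g. 3.x) are reported as "unknown" rather than guessed.
FIXED_VERSIONS = {
    (2, 7): (2, 7, 8),
    (2, 6): (2, 6, 9),
    (2, 5): (2, 5, 10),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.]([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Optional[tuple[tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_release) or None if unparseable.

    A qualifier such as -SNAPSHOT, -RC1 or -beta marks a pre-release build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4) is None


def classify(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown' (branch not covered) or 'unparseable'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    (major, minor, patch), is_release = parsed
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    if (major, minor, patch) < fixed:
        return "vulnerable"
    if (major, minor, patch) == fixed and not is_release:
        # Assumed policy: a pre-release of the fixed version predates the fix release.
        return "vulnerable"
    return "patched"


def triage(inventory: str) -> list[tuple[str, str, str]]:
    """Parse 'host<TAB>version' lines and return (host, version, status) tuples.

    Blank lines and '#' comments are skipped so the function can read a real export.
    """
    results = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        results.append((host, version.strip(), classify(version)))
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
# host\tdubbo_version
dubbo-01.corp.example\t2.7.3
dubbo-02.corp.example\tv2.7.8
dubbo-03.corp.example\t2.6.9
dubbo-04.corp.example\t2.5.9
dubbo-05.corp.example\t3.2.0
dubbo-06.corp.example\t2.7.8-SNAPSHOT
dubbo-07.corp.example\tunknown
"""

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<11} {host:<24} {version}")
```

Run it against a real export of your Dubbo fleet (for example, the `dubbo` artifact versions pulled from each host's application classpath) and treat every "vulnerable" and "unparseable" row as a patch ticket; "unknown" rows are versions this advisory does not list and need to be checked against the Apache Dubbo security page directly.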
Credential hygiene should be enforced by auditing and rotating credentials for cloud and Linux systems, and by implementing multi-factor authentication wherever possible. Network segmentation and monitoring are essential: organizations should watch for unauthorized SOCKS proxy activity, internal scanning (notably the host and port sweeps produced by Fscan), and unusual API calls in Kubernetes and Docker environments. Endpoint and network security solutions should be configured to detect and block rootkit installation attempts and lateral movement techniques.
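The internal scanning called out above has a recognizable shape in flow or connection logs: one source touching many neighbours on the same port within seconds (a horizontal sweep of a /24), or many ports on one neighbour (a vertical scan). The following added example (written for this advisory, not part of any Rescana or Cisco tooling, and not a VoidLink or Fscan artifact) runs that detection over a constructed Zeek-style connection log. The column layout (timestamp, source IP, destination IP, destination port, protocol), the 60-second fixed window, the thresholds, and the sample addresses are all assumptions made for the example; tune the thresholds to your own baseline before deploying.

```python
"""Flag internal host sweeps and port scans in Zeek-style conn logs."""
from collections import defaultdict
from typing import Iterable

# Assumed log column order: ts  id.orig_h  id.resp_h  id.resp_p  proto (tab-separated).
def parse_conn_line(line: str):
    """Return (ts, src, dst, dport) or None for malformed or comment lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_sweeps(lines: Iterable[str], host_threshold: int = 8,
                  port_threshold: int = 10, window: float = 60.0) -> list[dict]:
    """Return one alert per (source, window) that exceeds a sweep or scan threshold.

    horizontal_sweep: one source reaches >= host_threshold distinct hosts on one port.
    vertical_scan:    one source reaches >= port_threshold distinct ports on one host.
    Events are bucketed into fixed windows of `window` seconds (simple and deterministic;
    a sliding window would catch sweeps that straddle a boundary).
    """
    hosts_by_port = defaultdict(set)   # (src, dport, bucket) -> {dst, ...}
    ports_by_host = defaultdict(set)   # (src, dst, bucket)   -> {dport, ...}
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        bucket = int(ts // window)
        hosts_by_port[(src, dport, bucket)].add(dst)
        ports_by_host[(src, dst, bucket)].add(dport)

    alerts = []
    for (src, dport, bucket), hosts in hosts_by_port.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "horizontal_sweep", "src": src, "dst_port": dport,
                           "hosts": len(hosts), "window_start": bucket * window})
    for (src, dst, bucket), ports in ports_by_host.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "vertical_scan", "src": src, "dst": dst,
                           "ports": len(ports), "window_start": bucket * window})
    return sorted(alerts, key=lambda a: (a["window_start"], a["src"], a["type"]))


def constructed_sample() -> list[str]:
    """Constructed log: a benign web-to-DB flow plus one host sweeping its /24."""
    t = 1758000000.0  # constructed epoch timestamp (September 2025)
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto"]
    for i in range(5):  # benign: app tier talking to its database
        lines.append(f"{t + i * 10:.3f}\t10.20.5.2\t10.20.5.50\t5432\ttcp")
    for i in range(12):  # horizontal: 12 neighbours on SSH and SMB in ~1 s
        for port in (22, 445):
            lines.append(f"{t + 30 + i * 0.1:.3f}\t10.20.5.14\t10.20.5.{100 + i}\t{port}\ttcp")
    common_ports = (21, 22, 80, 81, 135, 139, 443, 445, 1433, 3306, 6379, 7001, 8080, 9200, 27017)
    for j, port in enumerate(common_ports):  # vertical: 15 ports on one host
        lines.append(f"{t + 40 + j * 0.05:.3f}\t10.20.5.14\t10.20.5.30\t{port}\ttcp")
    return lines


if __name__ == "__main__":
    for alert in detect_sweeps(constructed_sample()):
        print(alert)
```

In production, feed the function the conn log of each internal segment (or VPC flow logs mapped to the same five columns) and correlate the alerting source with the SOCKS proxy and Kubernetes API anomalies mentioned above: a freshly compromised Dubbo host that starts sweeping its own /24 minutes after an inbound request is exactly the sequence this campaign follows.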
Incident response teams should review logs for signs of obfuscated file creation, in-memory execution, and indicator removal on the host, and should hunt regularly for VoidLink IOCs and for anomalous peer-to-peer traffic between internal hosts. Finally, organizations should maintain an up-to-date asset inventory and keep management interfaces and sensitive services off the public internet.
References
The Hacker News: UAT-9921 Deploys VoidLink Malware
Cisco Talos: UAT-9921 leverages VoidLink
Check Point Research: VoidLink Framework
MITRE ATT&CK Framework
NVD: Apache Dubbo Vulnerabilities
Dubbo-deserialization PoC and details
Snort Rules for VoidLink
ClamAV Signature Database
Fscan GitHub
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.