National Cyber Warfare Foundation (NCWF)



UAT-9921


2026-02-26 14:54:09
blscott
Cisco Talos assesses that this threat actor is proficient in Chinese based on the framework's language, code comments, and code planning conducted in the AI-enabled IDE. We also assess with medium confidence that they have been active since at least 2019, not necessarily using VoidLink.

VoidLink development appears to be a more recent addition, using a large language model (LLM)-based integrated development environment (IDE). However, UAT-9921 does not appear to use AI-enabled tools in either its compromise or post-compromise operations.

Cisco Talos determined that the operators deploying VoidLink have access to the source code for some modules and to tools that interact with the implants without C2. This indicates intimate knowledge of the implants' communication protocols.

While the development of VoidLink appears to be split into teams, it is unclear what level of compartmentalization exists between development and operations. We do know that UAT-9921 operators have access to the VoidLink source code for kernel modules, as well as tools that enable interaction with the implant without C2.

Talos assesses with high confidence that UAT-9921 compromises servers by using pre-obtained credentials or exploiting Java serialization vulnerabilities that allow remote code execution, specifically in the Apache Dubbo project. We also found indications of possible initial compromise via malicious documents, but no samples were obtained.

In their post-compromise activities, UAT-9921 deploys the VoidLink implant. Once deployed, the implant allows the threat actor to hide both their presence and the VoidLink C2.

To find new targets and enable lateral movement, UAT-9921 deploys a SOCKS server on its compromised servers, which FSCAN uses for internal reconnaissance.

Regarding victimology, UAT-9921 appears to focus on the technology sector, but we have also seen victims from financial services. However, the cloud-aware nature of VoidLink and scanning of entire Class C networks indicates that there is no specific targeting.
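The SOCKS pivot and the /24 sweeps described in the two paragraphs above leave a distinctive shape in flow telemetry: a single internal source touching nearly every address in a subnet within seconds. The following is an added detection example, written for this page and not code from Cisco Talos or from the VoidLink or fscan projects. It assumes a simple constructed flow log of the form "timestamp source destination dport"; the addresses, window size and host threshold are illustrative choices, not values taken from the report.

```python
"""Flag internal hosts that sweep an entire /24, the pattern produced when a
scanner such as fscan runs through a SOCKS proxy on a compromised server.

Added example for illustration; the flow log is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def parse_flows(text):
    """Parse lines of 'ISO-timestamp src dst dport' (assumed format) into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts),
                      ipaddress.ip_address(src),
                      ipaddress.ip_address(dst),
                      int(port)))
    return flows


def find_subnet_sweeps(flows, min_hosts=20, window=timedelta(minutes=5)):
    """Return {(src, /24 subnet): max distinct hosts seen} for every source that
    contacted at least min_hosts distinct addresses of one /24 inside a sliding
    time window.  Slow, legitimate fan-out (backups, monitoring) spread over
    hours never accumulates enough distinct hosts inside the window."""
    buckets = defaultdict(list)          # (src, subnet) -> [(ts, dst), ...]
    for ts, src, dst, _port in flows:
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        buckets[(src, subnet)].append((ts, dst))

    hits = {}
    for key, events in buckets.items():
        events.sort()                    # time order so the window can slide
        in_window = defaultdict(int)     # dst -> number of events in window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window behind the current one.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_hosts:
                hits[key] = max(hits.get(key, 0), len(in_window))
    return hits


def build_sample_log():
    """Constructed traffic: a pivot host (10.10.5.23) sweeping 10.10.20.0/24 on
    445 in under a minute, plus a backup server (10.10.5.40) that reaches 30
    hosts in the same subnet slowly, one every 30 minutes."""
    base = datetime(2026, 2, 20, 10, 0, 0)
    lines = []
    for i in range(1, 255):
        ts = (base + timedelta(seconds=0.2 * i)).isoformat()
        lines.append(f"{ts} 10.10.5.23 10.10.20.{i} 445")
    for i in range(1, 31):
        ts = (base + timedelta(minutes=30 * i)).isoformat()
        lines.append(f"{ts} 10.10.5.40 10.10.20.{i} 22")
    return "\n".join(lines)


if __name__ == "__main__":
    for (src, subnet), n in find_subnet_sweeps(parse_flows(build_sample_log())).items():
        print(f"possible sweep: {src} touched {n} hosts in {subnet}")
```

On the constructed log only the pivot host is reported; the backup server contacts the same 30 addresses but never more than one inside any five-minute window. In practice the same logic runs over NetFlow or firewall logs, and the alert is worth correlating with a new listening port on the source host, since the SOCKS server itself is the more durable indicator.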

Given VoidLink’s auditability and oversight features, it is worth noting that, even though UAT-9921 activity involves the use of exploits and pre-obtained credentials, Talos cannot rule out the possibility that this activity is part of red team exercises.









Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.