UAT-9921 Deploys VoidLink Malware to Target Technology and Financial Sectors

"This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity," researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said. "UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network."

"VoidLink was first documented by Check Point last month, describing it as a feature-rich malware framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. It's assessed to be the work of a single developer with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development. In another analysis published earlier this week,"
UAT-9921 has been active since 2019 and uses compromised hosts to install VoidLink command-and-control (C2) servers that conduct scanning activities both internal and external to victim networks. VoidLink is a modular framework written in Zig designed for stealthy, long-term access to Linux-based cloud environments and can include kernel-level rootkits and cloud-targeting features. Development shows assistance from a large language model and a spec-driven paradigm, lowering the skill barrier for producing sophisticated implants. The group appears to have Chinese-language knowledge, with development split across teams and operators holding source-level access to some kernel modules and tools to interact with implants without C2.
Read at The Hacker News