UAT-9921 is a threat actor attributed to CN, also known as UAT-9921, VoidLink Operator. This group is tracked in the Strobes VI threat intelligence database.

What vulnerabilities does UAT-9921 exploit?

Specific CVE exploitation data for UAT-9921 is being tracked. Check the Strobes VI threat actor profile for updates.

Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives

PoC for every finding

30+ tools orchestrated

Book a Demo Learn More

Setup in 5 minutesSOC 2 & ISO 27001

UAT-9921

Also known as: UAT-9921, VoidLink Operator

Exploited CVEs

Overview

UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).

Exploited Vulnerabilities

No exploited CVEs have been attributed to this threat actor yet.

Browse CVE Database