Q-Feeds logo

Products & Services

Solutions

Pricing

Company

About

Label with EU stars, 'Made in Europe' text.
~
Label with EU stars, 'Made in Europe' text.
~

Firewall integrations

9

Fortinet

Elevate the power of your Fortinet Fortigate Firewall using by adding our Intelligence.

9

Palo Alto

Palo Alto Firewalls can be hardened with our threat intelligence as well.

9

Sophos XGS

Enhance the Sophos XGS Firewall with our threat intelligence.

9

OPNsense

Enhance your OPNsense Firewall with our threat intelligence using the native plugin.

SIEM integrations

9

Splunk

Splunk is a great platform, but without the right Threat Intelligence it's just a log server. Try our threat intelligence today. 

9

Microsoft Sentinel

One of the most used SIEM solutions should be enriched with the right Intelligence. At Q-Feeds you're at the right place!

9

Other

Luckily there are many other SIEM vendors whom support 3rd party threat intelligence.

Threat Intelligence Portal

9

Darkweb Monitoring

Darkweb monitoring is one of our services, not only for threat intelligence but also for you most important assets.

9

Threat Lookup

With Threat Lookup you get full insights in our IOC database, including full MITRE ATT&K mapping.

9

External Attack Surface Management

A toolset to check your external facing assets exposed on the internet

9

Vulnerability Scanner

A comprehensive vulnerability scanner which can scan your infrastructure and web applications

9

Brand Protection

Protect your brand for look-a-likes and potential phishing attempts

Services

9

TAXII Feeds & Server Software

TAXII/STIX2.1 standard. Both in form of feeds and server software available

9

Implementation

Need help with implementations? No worries, we have a strong network of partners who are able to help you.

Solutions

9

Enrich my SIEM

Elevate the power of your SIEM solution using by adding our Intelligence.

9

Enrich my Firewall

Firewalls can be hardened with our threat intelligence as well.

9

Prevent phishing

Enhance your protection against phishing

9

Achieve compliancy

Achieve compliancy by correlating the best threat intelligence to your logs

Futuristic eye design with circuits and geometric shapes.

Company

9

About

Read here all about Q-Feeds

9

News and Updates

Cybersecurity news and updates about us

9

Publications

All of our media coverage in one place

9

Become a reseller

Strengthen your portfolio with our comprehensive reseller program

9

Partner locator

Find our certified partners here

9

Contact

For all your questions or inquiries

Neural network representation of a human brain

Support

9

My Account

Access your account and manage your licenses

9

Downloads & Manuals

On this page you find white papers and manuals

9

Knowledge base

Our knowledge base full of implementation instructions

9

Start for free

Start your cyber security intelligence journey here

Abstract geometric wireframe human head

UAT-9921 emerges as a new threat actor exploiting the VoidLink framework in recent campaigns

Feb 11, 2026 | Threat Intelligence Research

New Threat Actor UAT-9921 Exploits VoidLink Framework for Intrusions

TL;DR: Cisco Talos has identified a threat actor, UAT-9921, employing the newly developed VoidLink framework to carry out cyberattacks, primarily targeting Linux-based systems. The actor’s operations indicate activities dating back to 2019, leveraging both compromised credentials and known software vulnerabilities.

Cisco Talos has uncovered a new threat actor known as UAT-9921, utilizing the VoidLink modular framework to facilitate their cyber campaigns against technology and financial sectors. Initially active since 2019, UAT-9921 has demonstrated their capability to exploit vulnerabilities, particularly in Java serialization through the Apache Dubbo project, and utilize pre-obtained credentials for server compromises. While they are thought to utilize VoidLink predominantly in contemporary assaults, they may have previously operated with different tools.

VoidLink stands out due to its AI-enabled features, enabling on-demand compilation of plugins, creating a highly adaptable implant management framework tailored for Linux environments. UAT-9921 deploys the VoidLink C2 (command and control) system post-infection to conceal their activities and conduct internal reconnaissance through the installation of a SOCKS server integrated with FSCAN tools. This modular architecture echoes a worrying trend in cyber threats, showcasing shorter development cycles and easier adaptability, closely resembling other frameworks like Cobalt Strike and Manjusaka.

Why this matters: The emergence of UAT-9921 and the VoidLink framework signifies an advancing threat landscape where attackers can quickly assemble sophisticated tools, complicating detection and response for security teams. The focus on Linux systems, particularly in cloud and IoT environments, amplifies the risk, as these platforms underpin critical infrastructure.

Threat detection solutions such as SIEMs, with comprehensive monitoring capabilities, can assist defenders by identifying anomalous activities linked to the VoidLink framework. Regular vulnerability assessments and timely patching strategies are essential to mitigate the risks posed by exploits used by UAT-9921.

Indicators of Compromise (IOCs):

  • Snort Rules:
    • Snort2: 1:65915 – 1:65922, 1:65834-65842
    • Snort3: 1:65915 – 1:65922, 1:65834-65838, 1:310388-1:310389
  • ClamAV Signature:
    • Unix.Trojan.VoidLink-10059283

Click here for the full article

Try our Intelligence today!

Streamline your security operations with a free Q-Feeds trial and see the difference.

Activate free access

Other articles