UAT-10362’s LucidRook Malware Targets Taiwanese NGOs with Advanced Stealth Tactics

UAT-10362’s LucidRook Malware: A New Threat to Taiwanese NGOs

In a recent cybersecurity development, a previously unidentified threat group, designated as UAT-10362, has been implicated in spear-phishing attacks targeting non-governmental organizations (NGOs) and possibly academic institutions in Taiwan. These campaigns aim to deploy a novel Lua-based malware known as LucidRook.

LucidRook is a sophisticated stager that integrates a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL). This design enables it to download and execute staged Lua bytecode payloads, enhancing its adaptability and stealth. Cisco Talos researcher Ashley Shen highlighted the malware’s complexity, noting its advanced capabilities in evading detection and executing malicious code.

The initial detection of this activity occurred in October 2025. The attackers utilized RAR or 7-Zip archive files as lures to deliver a dropper named LucidPawn. Upon execution, LucidPawn opens a decoy file to distract the user while simultaneously launching LucidRook. A distinctive feature of this attack sequence is the use of DLL side-loading to execute both LucidPawn and LucidRook, a technique that leverages legitimate applications to run malicious code, thereby evading security measures.

The infection process follows two primary pathways:

1. LNK-Based Infection Chain: The user is tricked into clicking a Windows Shortcut (LNK) file disguised with a PDF icon. This action triggers a PowerShell script that runs a legitimate Windows binary (index.exe) included in the archive. This binary then side-loads a malicious DLL (LucidPawn), which, in turn, employs DLL side-loading to execute LucidRook.

2. EXE-Based Infection Chain: The user is deceived into launching an executable (Cleanup.exe) within a 7-Zip archive, masquerading as a Trend Micro antivirus program. This executable acts as a .NET dropper that uses DLL side-loading to run LucidRook. Upon execution, it displays a message indicating that the cleanup process has completed, adding a layer of deception.
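Both chains end with a signed or otherwise legitimate-looking binary loading a DLL that sits beside it in an archive-extraction or download folder. The following is an added detection example, not code from the Talos report or from the malware: it applies two simple rules to constructed, simplified Sysmon-style image-load records (the field names, the DLL names `shim.dll` and `stage.dll`, the temp-folder path and the signature states are all assumptions chosen for illustration).

```python
# Added example: flag DLL side-loading candidates in constructed, simplified
# Sysmon Event ID 7 (Image loaded) records. Field layout is an assumption.
import ntpath
from dataclasses import dataclass

# Locations where an application loading a colocated DLL is normal.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Path fragments typical of archive extraction or download staging.
STAGING_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
# Parents matching the chains above: LNK -> PowerShell, or an EXE launched from Explorer/archiver.
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "explorer.exe", "7zfm.exe", "winrar.exe"}


@dataclass
class ImageLoad:
    """Simplified image-load record (constructed; not Sysmon's real schema)."""
    process_image: str      # full path of the loading process
    process_signed: bool    # Authenticode signature valid for the process image
    loaded_image: str       # full path of the loaded DLL
    loaded_signed: bool     # Authenticode signature valid for the DLL
    parent_image: str       # full path of the process's parent


def _under_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p == d or p.startswith(d + "\\") for d in TRUSTED_DIRS)


def _in_staging_dir(path: str) -> bool:
    p = path.lower() + "\\"
    return any(m in p for m in STAGING_DIR_MARKERS)


def sideload_suspects(events):
    """Return one finding per event that matches a side-loading pattern.

    Rule 1 (signed-host-sideload): a signed binary loads an UNSIGNED DLL from
    the very directory it runs from, outside a standard install location.
    Rule 2 (archive-launch-colocated-dll): any colocated DLL load from a temp
    or download folder by a process whose parent is PowerShell/Explorer/an
    archiver, which covers an unsigned dropper such as the EXE chain above.
    """
    findings = []
    for e in events:
        proc_dir = ntpath.dirname(e.process_image).lower()
        dll_dir = ntpath.dirname(e.loaded_image).lower()
        if proc_dir != dll_dir or _under_trusted_dir(dll_dir):
            continue  # DLL not colocated with the binary, or normal app directory
        parent = ntpath.basename(e.parent_image).lower()
        rule = None
        if e.process_signed and not e.loaded_signed:
            rule = "signed-host-sideload"
        elif _in_staging_dir(proc_dir) and parent in SUSPICIOUS_PARENTS:
            rule = "archive-launch-colocated-dll"
        if rule:
            findings.append({
                "process": ntpath.basename(e.process_image),
                "dll": ntpath.basename(e.loaded_image),
                "parent": parent,
                "rule": rule,
            })
    return findings


# Constructed sample records; paths, DLL names and signature states are invented.
SAMPLE_EVENTS = [
    # Benign: Notepad loading a system DLL from System32.
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\kernel32.dll", True,
              r"C:\Windows\explorer.exe"),
    # Benign-ish: an unsigned portable tool loading its own helper DLL outside staging dirs.
    ImageLoad(r"C:\Users\alice\Tools\portable.exe", False,
              r"C:\Users\alice\Tools\helper.dll", False,
              r"C:\Windows\explorer.exe"),
    # LNK chain: extracted, signed index.exe loads a colocated unsigned DLL, parent is PowerShell.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Rar$tmp\index.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\Rar$tmp\shim.dll", False,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # EXE chain: unsigned Cleanup.exe in Downloads loads a colocated DLL, launched from Explorer.
    ImageLoad(r"C:\Users\alice\Downloads\Cleanup\Cleanup.exe", False,
              r"C:\Users\alice\Downloads\Cleanup\stage.dll", False,
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in sideload_suspects(SAMPLE_EVENTS):
        print(f)
```

Rule 1 alone misses the EXE chain when the dropper is not signed, which is why the second rule keys on the launch context (staging directory plus parent) rather than on signatures; a portable tool in a user folder launched from Explorer is deliberately left alone by both rules.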

LucidRook, a 64-bit Windows DLL, is heavily obfuscated to hinder analysis and detection. Its primary functions include collecting system information and transmitting it to an external server. Additionally, it receives encrypted Lua bytecode payloads, which it decrypts and executes on the compromised machine using the embedded Lua 5.4.8 interpreter.
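Because the payload arrives encrypted but must be handed to the embedded interpreter as plain Lua 5.4 bytecode, the decrypted chunk is visible in process memory at execution time. The following added example (not code from the Talos report) scans a byte blob such as a memory dump for the Lua bytecode signature and validates the 5.4 header fields as laid out in the reference implementation's lundump.c; the sample dump is constructed inline.

```python
# Added example: locate Lua bytecode chunks in a byte blob (e.g. a process
# memory dump) and report which interpreter version they were compiled for.
# Header layout follows the reference Lua implementation (lundump.c).
import struct

LUA_SIGNATURE = b"\x1bLua"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"   # transfer-corruption check bytes (Lua 5.3 and 5.4)
LUA54_SIZES = b"\x04\x08\x08"       # sizeof(Instruction), sizeof(lua_Integer), sizeof(lua_Number)
LUA54_TAIL = struct.pack("<qd", 0x5678, 370.5)   # LUAC_INT and LUAC_NUM, little-endian x86-64


def scan_lua_chunks(blob: bytes):
    """Return (offset, version, header_ok) for every occurrence of the Lua signature.

    header_ok is True when the checks performed for that version all pass:
    format byte 0 for every version, LUAC_DATA for 5.3+, and for 5.4 also the
    size bytes, LUAC_INT and LUAC_NUM. A signature inside unrelated text will
    normally fail on the format byte, which filters accidental matches.
    """
    hits = []
    pos = blob.find(LUA_SIGNATURE)
    while pos != -1:
        hdr = blob[pos + 4:pos + 6]
        if len(hdr) == 2:
            version_byte, fmt = hdr
            version = f"{version_byte >> 4}.{version_byte & 0xF}"
            ok = fmt == 0
            if ok and version_byte >= 0x53:
                ok = blob[pos + 6:pos + 12] == LUAC_DATA
            if ok and version_byte == 0x54:
                ok = (blob[pos + 12:pos + 15] == LUA54_SIZES
                      and blob[pos + 15:pos + 31] == LUA54_TAIL)
            hits.append((pos, version, ok))
        pos = blob.find(LUA_SIGNATURE, pos + 1)
    return hits


def lua54_chunks(blob: bytes):
    """Offsets of fully validated Lua 5.4 chunks, the version LucidRook embeds."""
    return [off for off, ver, ok in scan_lua_chunks(blob) if ver == "5.4" and ok]


def lua54_header() -> bytes:
    """Build a valid Lua 5.4 header (31 bytes) for the constructed sample."""
    return LUA_SIGNATURE + b"\x54\x00" + LUAC_DATA + LUA54_SIZES + LUA54_TAIL


# Constructed sample "memory dump": filler, one 5.4 chunk (header plus a
# truncated body), a false-positive signature inside text, and a 5.3 header.
SAMPLE_DUMP = (
    b"\x00" * 64
    + lua54_header() + b"\x01" + b"\x00" * 32
    + b"text mentioning \x1bLua but broken"
    + b"\x1bLua\x53\x00" + LUAC_DATA + b"\x04\x08\x04\x08\x08" + b"\x00" * 16
)

if __name__ == "__main__":
    for off, ver, ok in scan_lua_chunks(SAMPLE_DUMP):
        print(f"offset {off:#x}: Lua {ver} header {'valid' if ok else 'invalid'}")
```

For a 5.3 chunk the scanner only checks the format byte and LUAC_DATA, so a 5.3 hit is a weaker signal than a fully validated 5.4 hit; the validated 5.4 offsets are the ones worth carving out for decompilation.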

The attackers have also abused Out-of-band Application Security Testing (OAST) services and compromised FTP servers for command-and-control (C2) infrastructure. Because such services and servers are legitimate and carry benign traffic, this approach allows them to maintain control over the infected systems while minimizing the risk of detection.
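OAST services are legitimate and rarely appear in endpoint traffic outside security testing, and plain FTP from a non-FTP-client process is equally unusual, so both make workable hunting signals. The following added example (not code from the Talos report) scans constructed, simplified endpoint DNS and network-connection log lines for those two patterns; the OAST domain list consists of well-known public services and is an assumption, since the report excerpt above does not name the specific service used.

```python
# Added example: hunt for OAST-service lookups and plain FTP from unexpected
# processes in constructed, simplified endpoint log lines.
import re

# Well-known public OAST / interactsh-style domains (assumption: not the
# specific service named by the report, which this summary does not give).
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.me", "interact.sh", "oastify.com", "burpcollaborator.net")

# Processes for which an outbound FTP control connection is expected.
FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}

# Constructed log format: "<timestamp> <dns|net> <process path> <target>".
# Addresses are from documentation ranges; paths and names are invented.
SAMPLE_LOG = """\
2025-10-01T09:00:01Z dns C:\\Windows\\System32\\svchost.exe update.microsoft.com
2025-10-01T09:00:05Z dns C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$tmp\\index.exe c1a2b3.oast.fun
2025-10-01T09:00:06Z net C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$tmp\\index.exe 203.0.113.10:21
2025-10-01T09:01:00Z net C:\\Program Files\\FileZilla FTP Client\\filezilla.exe 198.51.100.7:21
2025-10-01T09:02:00Z dns C:\\Windows\\explorer.exe www.example.org
2025-10-01T09:03:00Z dns C:\\Windows\\explorer.exe notoast.fun
"""

# Process path may contain spaces; the target never does, so match it lazily.
LINE_RE = re.compile(r"^(\S+) (dns|net) (.+?) (\S+)$")


def is_oast_domain(name: str) -> bool:
    """True for an OAST domain or any subdomain of one (not for look-alikes)."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in OAST_DOMAINS)


def oast_or_ftp_alerts(log_text: str):
    """Return (timestamp, exe, alert_type, target) tuples for suspicious lines."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, kind, proc, target = m.groups()
        exe = proc.rsplit("\\", 1)[-1].lower()
        if kind == "dns" and is_oast_domain(target):
            alerts.append((ts, exe, "oast-lookup", target))
        elif kind == "net" and target.endswith(":21") and exe not in FTP_CLIENTS:
            alerts.append((ts, exe, "ftp-from-non-client", target))
    return alerts


if __name__ == "__main__":
    for alert in oast_or_ftp_alerts(SAMPLE_LOG):
        print(alert)
```

The domain check requires a label boundary, so `notoast.fun` is not flagged while `c1a2b3.oast.fun` is; the FTP rule is intentionally loose on port alone and would be tightened with the process allow-list that fits a given environment.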

A notable aspect of LucidPawn is its implementation of geofencing techniques. It checks the system’s UI language and proceeds with execution only if it matches Traditional Chinese settings associated with Taiwan (zh-TW). This strategy serves a dual purpose: it ensures that the malware operates exclusively within the intended geographic region and reduces the likelihood of detection in common analysis environments.

Further analysis has revealed that some variants of the dropper deploy an additional 64-bit Windows DLL named LucidKnight. LucidKnight is capable of exfiltrating system information via Gmail to a temporary email address. The presence of both LucidKnight and LucidRook suggests that UAT-10362 employs a tiered toolkit, potentially using LucidKnight for initial reconnaissance before deploying LucidRook for more advanced operations.

While detailed information about UAT-10362 remains limited, current evidence indicates that it is a sophisticated threat actor focusing on targeted attacks rather than opportunistic ones. The group’s emphasis on flexibility, stealth, and victim-specific strategies underscores its advanced operational capabilities.

The multi-language modular design, layered anti-analysis features, and reliance on compromised or public infrastructure highlight UAT-10362’s mature operational tradecraft. These characteristics make it a formidable adversary in the cybersecurity landscape.