UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns
Emerging Threat: UAT-10362 Targets Taiwanese NGOs with New "LucidRook" Malware
TL;DR
A newly discovered threat cluster, UAT-10362, is targeting Taiwanese NGOs and universities using spear-phishing campaigns. The attackers deploy a sophisticated Lua-based stager called LucidRook through multi-stage infection chains involving DLL side-loading, geofencing, and compromised C2 infrastructure.
A sophisticated, previously undocumented threat actor is currently focusing its efforts on Taiwan’s non-governmental organizations (NGOs) and academic institutions. Dubbed UAT-10362 by researchers at Cisco Talos, this cluster utilizes a bespoke toolkit designed for stealth, precision, and geographical targeting.
The campaign, first detected in October 2025, centers around the deployment of a new malware family titled LucidRook, a modular stager that blends multiple programming languages to evade traditional security detections.
The LucidRook Malware Architecture
According to Cisco Talos researcher Ashley Shen, LucidRook is a 64-bit Windows DLL that functions as a sophisticated stager. Its architecture is notably complex, embedding a Lua 5.4.8 interpreter and libraries compiled in Rust within the DLL.
The malware’s primary objectives are:
- System Reconnaissance: Collecting host information for exfiltration.
- Payload Execution: Downloading encrypted Lua bytecode from a command-and-control (C2) server and executing it directly in memory using the embedded interpreter.
To hinder forensic investigation, the binary is heavily obfuscated, making it difficult for automated sandboxes and human analysts to parse its logic.
Two Paths to Compromise: Multi-Vector Infection Chains
UAT-10362 employs spear-phishing emails containing RAR or 7-Zip archives. Once a victim opens the archive, the attack proceeds via one of two distinct infection chains, both of which rely on DLL side-loading—a technique where a legitimate application is used to load a malicious library.
1. The LNK-Based Chain
In this scenario, the archive contains a Windows Shortcut (LNK) file masquerading as a PDF document.
- Execution: Clicking the LNK triggers a PowerShell script.
- Sideloading: The script runs a legitimate Windows binary (index.exe) included in the archive, which side-loads a dropper called LucidPawn.
- Final Stage: LucidPawn uses a second round of DLL side-loading to launch the LucidRook stager.
2. The EXE-Based Chain
The second method involves an executable (Cleanup.exe) that poses as a legitimate antivirus utility from Trend Micro.
- Execution: When launched, the .NET-based dropper displays a decoy message to the user claiming the "cleanup process" is complete.
- Sideloading: Behind the scenes, the dropper side-loads LucidRook directly.
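Both chains start with a legitimate-looking executable loading an unsigned DLL from the directory an archive was extracted to, and the LNK chain adds an explorer.exe to PowerShell hop. The following is an added detection example written for this article, not Talos code: it applies those two heuristics to Sysmon-style events (Event ID 1 process creation, Event ID 7 image load). Field names follow Sysmon's schema; the sample events, paths, user name and DLL name are constructed placeholders, not indicators from the report.

```python
"""Heuristics for the two UAT-10362 infection chains over Sysmon-style events.
Added example, not Talos code; sample data below is constructed, not IoCs."""
import ntpath

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
ARCHIVE_DIRS = ("\\downloads\\", "\\temp\\")

def suspected_sideload(ev: dict) -> bool:
    """Event ID 7: an unsigned DLL loaded from the same directory as the
    process image, in a user-writable path (how index.exe / Cleanup.exe pick
    up LucidPawn or LucidRook from the extracted archive)."""
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = ev.get("Signed", "false").lower() != "true"
    return unsigned and exe_dir == dll_dir and any(m in exe_dir for m in USER_WRITABLE)

def suspected_lnk_chain(ev: dict) -> bool:
    """Event ID 1: PowerShell spawned by explorer.exe (a clicked LNK) whose
    command line launches an .exe from a download or extraction directory."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    return (parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe")
            and any(d in cmd for d in ARCHIVE_DIRS) and ".exe" in cmd)

def scan(events):
    """Return (RecordId, rule name) for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7 and suspected_sideload(ev):
            hits.append((ev["RecordId"], "dll_sideload"))
        elif ev["EventID"] == 1 and suspected_lnk_chain(ev):
            hits.append((ev["RecordId"], "lnk_powershell_chain"))
    return hits

# Constructed events for illustration; placeholder.dll stands in for the
# side-loaded library, whose real name the report does not give.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Start-Process C:\Users\u\Downloads\doc\index.exe"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Users\u\Downloads\doc\index.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\doc\placeholder.dll", "Signed": "false"},
    {"RecordId": 3, "EventID": 7, "Image": r"C:\Users\u\Downloads\doc\index.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"RecordId": 4, "EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # → [(1, 'lnk_powershell_chain'), (2, 'dll_sideload')]
```

Expect false positives from portable applications that ship unsigned DLLs in user directories; tune the path markers to the environment before alerting on the side-load rule alone.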
Advanced Evasion and Geofencing: "zh-TW" Only
A standout feature of the LucidPawn dropper is its use of geofencing to ensure it only infects targets in the intended region. The malware queries the system’s UI language; if the environment does not match Traditional Chinese (zh-TW)—the language primarily used in Taiwan—the execution terminates.
This tactic serves two purposes: it ensures the malware only hits relevant targets and prevents security researchers in other regions from successfully detonating the payload in automated analysis environments.
The Toolkit: LucidKnight and C2 Infrastructure
UAT-10362 appears to operate a tiered toolkit. Researchers identified a secondary 64-bit DLL named LucidKnight, which is designed specifically to exfiltrate system information via Gmail to temporary email addresses. The presence of LucidKnight suggests the actors may use it for initial reconnaissance to profile a target before deciding to deploy the more advanced LucidRook stager.
The threat actor’s infrastructure is equally agile, utilizing:
- Compromised FTP Servers: Used for C2 communications.
- OAST Services: Abuse of Out-of-band Application Security Testing services.
- Public Infrastructure: Leveraging legitimate services like Gmail to blend in with normal network traffic.
Conclusion
While the identity and origin of UAT-10362 remain unclear, their operational tradecraft suggests a high level of maturity. By combining modular design, multi-language malware (Lua, Rust, .NET), and victim-specific geofencing, they have created a highly effective pipeline for targeting sensitive organizations in Taiwan.
As Talos noted, the actor's reliance on stealth and compromised infrastructure indicates these campaigns are highly targeted rather than opportunistic, marking UAT-10362 as a significant threat to the NGO and educational sectors in the region.