UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns

Ravie Lakshmanan | Apr 09, 2026 | Malware / Windows Security

A new threat cluster known as UAT-10362 has been identified in spear-phishing campaigns targeting Taiwanese NGOs and suspected universities. This cluster is associated with a new Lua-based malware called LucidRook.

According to Cisco Talos researcher Ashley Shen, LucidRook is a sophisticated stager that includes a Lua interpreter and Rust-compiled libraries within a DLL to download and execute staged Lua bytecode payloads.

The activity was first discovered in October 2025. The campaigns use RAR or 7-Zip archives as lures to deliver a dropper named LucidPawn, which opens a decoy file and then launches LucidRook. The intrusion set is notable for its use of DLL side-loading to execute both LucidPawn and LucidRook.

There are two infection chains leading to LucidRook. One involves a Windows Shortcut (LNK) file with a PDF icon, while the other masquerades as an antivirus program from Trend Micro. Both chains utilize DLL side-loading to run LucidRook.
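The LNK lure in the first chain is the kind of artifact a triage script can surface before any DLL is side-loaded. The following is an added example, not code from Talos or from this article: it parses the StringData of a Windows shortcut (MS-SHLLINK format) and flags shortcuts whose icon is borrowed from a PDF or Acrobat while the launch target is an executable or script. The sample shortcut bytes, paths and the "acro"/extension heuristics are constructed assumptions, not indicators from the report.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

def _lnk_string(data, pos, is_unicode):
    # Each entry is a uint16 character count followed by that many characters (no terminator).
    count = struct.unpack_from("<H", data, pos)[0]
    width = 2 if is_unicode else 1
    raw = data[pos + 2: pos + 2 + count * width]
    return raw.decode("utf-16-le" if is_unicode else "latin-1"), pos + 2 + count * width

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict (target, args, icon, ...)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                          # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:           # LinkTargetIDList: uint16 size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:         # LinkInfo: uint32 size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _lnk_string(data, pos, bool(flags & IS_UNICODE))
    return fields

# Assumed heuristic: a document icon paired with an executable/script launch target.
EXEC_HINTS = (".exe", ".dll", ".cmd", ".bat", "rundll32", "regsvr32", "powershell", "cmd.exe")

def is_document_lure(fields):
    """True when the icon looks like a PDF/Acrobat but the target runs code."""
    icon = fields.get("icon_location", "").lower()
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    looks_like_pdf = icon.endswith(".pdf") or "acro" in icon
    return looks_like_pdf and any(hint in launch for hint in EXEC_HINTS)

def build_lnk(relative_path, arguments, icon_location):
    """Constructed sample: minimal Unicode .lnk with no ID list and no LinkInfo block."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS | HAS_ICON
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body
```

Run `is_document_lure(parse_lnk(open(path, "rb").read()))` over shortcuts extracted from a suspicious archive; shortcuts that also sit beside an unsigned DLL next to a signed executable are the side-loading candidates worth sandboxing.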

The 64-bit Windows DLL, LucidRook, is heavily obfuscated to avoid detection. It collects system information and sends it to an external server, then receives and executes encrypted Lua bytecode payloads using the embedded Lua interpreter.

Talos revealed that the actor behind this threat utilized an Out-of-band Application Security Testing service and compromised FTP servers for command-and-control infrastructure. LucidPawn employs a geofencing technique to execute only in Traditional Chinese environments associated with Taiwan, evading common analysis sandboxes.

Additionally, a variant of the dropper deploys a 64-bit Windows DLL named LucidKnight to exfiltrate system information via Gmail. The presence of LucidKnight alongside LucidRook suggests a tiered toolkit approach by the adversary.

UAT-10362 is believed to be a sophisticated threat actor focusing on targeted campaigns with flexibility, stealth, and victim-specific tasking. Talos described the actor as having mature operational tradecraft and advanced malware capabilities.