UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns

UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns Ravie LakshmananApr 09, 2026Malware / Windows Security A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook. "LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads," Cisco Talos researcher Ashley Shen said. The cybersecurity company said it discovered the activity in October 2025, with the attack using RAR or 7-Zip archives lures to deliver a dropper called LucidPawn, which then opens a decoy file and launches LucidRook. A notable characteristic of the intrusion set is the use of DLL side-loading to execute both LucidPawn and LucidRook. There are two distinct infection chains that lead to LucidRook, one using a Windows Shortcut (LNK) file with a PDF icon and another involving an executable that masquerades as an antivirus program from Trend Micro. The entire sequence is listed below - LNK-based infection chain - When the user clicks the LNK file, assuming it's a PDF document, it executes a PowerShell script to run a legitimate Windows binary ("index.exe") present in the archive, which then sideloads a malicious DLL (i.e., LucidPawn). The dropper, for its part, once again employs DLL side-loading to run LucidRook. EXE-based infection chain - When the purported Trend Micro program ("Cleanup.exe") within the 7-Zip archive is launched, it acts as a simple .NET dropper that employs DLL side-loading to run LucidRook. Upon execution, the binary displays a message stating the cleanup process has completed. A 64-bit Windows DLL, LucidRook, is heavily obfuscated to deter analysis and detection. Its functionality is two-pronged: it collects system information and exfiltrates it to an external server, and then receives an encrypted Lua bytecode payload for subsequent decryption and execution on the compromised machine using the embedded Lua 5.4.8 interpreter. "In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure," Talos said. LucidPawn also implements a geofencing technique that specifically queries the system UI language and continues execution only if it matches Traditional Chinese environments associated with Taiwan ("zh-TW"). This offers two-fold advantages, as it limits execution to the intended victim geography and avoids getting flagged in common analysis sandboxes. Furthermore, at least one variant of the dropper has been found to deploy a 64-bit Windows DLL named LucidKnight that's capable of exfiltrating system information via Gmail to a temporary email address. The presence of the reconnaissance tool alongside LucidRook suggests the adversary operates a tiered toolkit, potentially using LucidKnight to profile targets before delivering the LucidRook stager.  Not much is known about UAT-10362 at this stage other than the fact that it's likely a sophisticated threat actor whose campaigns are targeted rather than opportunistic, while prioritizing flexibility, stealth, and victim-specific tasking. "The multi-language modular design, layered anti-analysis features, stealth-focused payload handling of the malware, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft," Talos said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, Cisco Talos, cybersecurity, Lua, Malware, Spear Phishing, Taiwan, Threat Intelligence, windows security Trending News Block the Prompt, Not the Work: The End of "Doctor No" Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment Detect AI-Driven Threats Faster With Full Network Visibility [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats