A newly identified threat group, tracked as UAT-10362, has been linked to targeted spear-phishing attacks against organizations in Taiwan, including non-governmental organizations (NGOs) and likely academic institutions. The campaign introduces a previously unseen Lua-based malware named LucidRook.
According to research by Cisco Talos, LucidRook acts as an advanced staging tool. It combines an embedded Lua interpreter with Rust-based components in a single DLL, which lets it fetch and execute additional malicious Lua bytecode in later stages of the attack.

How the Attack Works
The activity was first observed in October 2025. Attackers rely on archive files, such as RAR and 7-Zip, to deliver a dropper known as LucidPawn. When the victim launches the lure inside the archive, the dropper displays a decoy document while silently deploying LucidRook in the background.
A key technique used throughout the campaign is DLL side-loading: a legitimate executable is tricked into loading a malicious DLL placed beside it, so the attacker's code runs inside the trusted application's process and casual inspection sees only the legitimate binary.


Two Infection Methods Identified
Researchers observed two main attack chains used to deliver the payload:
1. LNK-based method
- Victims receive a Windows shortcut (.lnk) file disguised as a PDF.
- Opening it runs a PowerShell script.
- The script launches a legitimate Windows executable (index.exe) included in the archive.
- That executable side-loads a malicious DLL (LucidPawn), which then installs LucidRook.
2. EXE-based method
- The archive contains a fake antivirus utility posing as a Trend Micro program (Cleanup.exe).
- When run, it behaves as a simple .NET dropper.
- It uses DLL side-loading to deploy LucidRook.
- A fake message then appears claiming the system cleanup is complete.
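Both chains end with a legitimate executable, run from a user-writable location, loading a DLL that sits next to it. The following is an added detection example written for this article, not code from Cisco Talos or from the malware itself. It runs a side-loading heuristic over constructed Sysmon-style image-load records: the directory names, the user name, and the DLL file name helper.dll are assumptions made for the sample data (the real DLL name is not given above), and the record layout is a simplified version of Sysmon Event ID 7 fields.

```python
"""Flag DLL side-loading patterns of the kind used by the LucidPawn chains.

Heuristic: an executable running from a user-writable path loads an unsigned
DLL from its own directory. A PowerShell parent (the LNK chain) raises severity.
Sample events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to; phishing archives are
# normally extracted somewhere under these roots.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record (simplified Sysmon Event ID 7 fields)."""
    image: str            # full path of the process executable
    loaded: str           # full path of the loaded module
    loaded_signed: bool   # module carried a valid Authenticode signature
    parent_image: str     # full path of the parent process executable


def _under(path: str, roots) -> bool:
    """True if path starts with one of the given roots (case-insensitive)."""
    return path.lower().startswith(roots)


def sideload_reasons(ev: ImageLoad) -> list:
    """Return reasons this load looks like side-loading; empty means not flagged."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
    if dll.suffix.lower() != ".dll" or ev.loaded_signed:
        return []
    if not _under(ev.image, USER_WRITABLE_ROOTS):
        return []
    # Search-order abuse: the DLL comes from the executable's own directory,
    # not from a system directory.
    if str(dll.parent).lower() != str(exe.parent).lower():
        return []
    reasons = ["unsigned DLL loaded from the executable's own directory "
               "under a user-writable path"]
    parent = PureWindowsPath(ev.parent_image).name.lower()
    if parent in ("powershell.exe", "pwsh.exe"):
        reasons.append("process spawned by PowerShell, matching the LNK chain")
    return reasons


def flag_sideloads(events):
    """Return (image, reasons) for every event the heuristic flags."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample records (hypothetical paths and DLL names).
SAMPLE_EVENTS = [
    # Benign: a system tool loading a signed DLL from System32.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\comctl32.dll", True,
              r"C:\Windows\explorer.exe"),
    # Benign: a portable app in Downloads loading its own signed plug-in.
    ImageLoad(r"C:\Users\alice\Downloads\tool\tool.exe",
              r"C:\Users\alice\Downloads\tool\plugin.dll", True,
              r"C:\Windows\explorer.exe"),
    # LNK chain: index.exe started by PowerShell loads an unsigned DLL beside it.
    ImageLoad(r"C:\Users\alice\Downloads\report\index.exe",
              r"C:\Users\alice\Downloads\report\helper.dll", False,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # EXE chain: Cleanup.exe run directly loads an unsigned DLL beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\cleanup\Cleanup.exe",
              r"C:\Users\alice\AppData\Local\Temp\cleanup\helper.dll", False,
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, reasons in flag_sideloads(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The signature check is what keeps the rule usable: legitimate portable applications also load DLLs from their own directory, but they rarely ship unsigned modules next to a signed host binary. In production telemetry, add the executable's own signer and the archive-extraction parent (explorer.exe opening a RAR or 7-Zip listing) as further context before alerting.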
What LucidRook Does
LucidRook is a heavily obfuscated 64-bit Windows DLL designed to avoid detection and analysis. Its main capabilities include:
- Collecting system information from infected machines
- Sending that data to external servers
- Receiving encrypted Lua payloads
- Decrypting and executing those payloads using an embedded Lua 5.4.8 interpreter

Stealth and Evasion Techniques
The attackers show a strong focus on stealth:
- They use compromised FTP servers and OAST (out-of-band application security testing) callback services for command-and-control (C2), so beacons blend into traffic that security teams themselves generate.
- LucidPawn includes a geofencing check: it verifies that the system language is Traditional Chinese (zh-TW).
- If the locale does not match the target region, the malware exits without deploying LucidRook. This defeats sandboxes and analyst VMs that run with a default English locale; analysts detonating these samples should set the sandbox locale to zh-TW to reach the later stages.
Additional Tool: LucidKnight
In some cases, another component called LucidKnight is deployed. This tool:
- Collects system data
- Exfiltrates it through Gmail to throwaway email accounts
Its presence suggests a layered approach, where attackers first profile victims before launching more advanced payloads like LucidRook.

Threat Actor Assessment
While details about UAT-10362 remain limited, the campaign indicates a highly capable and focused adversary. The group appears to prioritize:
- Targeted operations over mass attacks
- Modular malware design
- Advanced evasion techniques
- Use of legitimate or compromised infrastructure
Overall, the operation reflects a mature level of planning and execution, pointing to a well-resourced threat actor with strong technical capabilities.

