
A previously undocumented threat cluster tracked as UAT-10362 has been linked to a spear-phishing campaign targeting non-governmental organizations (NGOs) and universities in Taiwan that delivered a new Lua-based malware called LucidRook.
“LucidRook is an advanced stager that embeds a Lua interpreter and a Rust-compiled library within a dynamic link library (DLL) to download and execute a staged Lua bytecode payload,” said Cisco Talos researcher Ashley Shen.
The cybersecurity firm said it discovered the activity in October 2025. The attacks use RAR or 7-Zip archives as lures to deliver a dropper called LucidPawn, which opens a decoy file and then launches LucidRook. A notable feature of the intrusion set is its use of DLL sideloading to run both LucidPawn and LucidRook.
There are two infection chains leading to LucidRook. One uses a Windows Shortcut (LNK) file with a PDF icon, and the other uses an executable file disguised as a Trend Micro antivirus program. Both chains are described below.

LNK-based infection chain – When a user opens the LNK file, believing it to be a PDF document, it runs a PowerShell script that executes a legitimate Windows binary ('index.exe') bundled in the archive, which sideloads a malicious DLL (LucidPawn). The dropper then employs DLL sideloading a second time to run LucidRook.

EXE-based infection chain – When launched, the Trend Micro-themed program ('Cleanup.exe') contained in the 7-Zip archive acts as a simple .NET dropper that uses DLL sideloading to run LucidRook. Once run, the binary displays a message indicating that the cleanup process is complete.

LucidRook, a 64-bit Windows DLL, is heavily obfuscated to thwart analysis and detection. Its functionality has two parts. It first collects system information and exfiltrates it to an external server; it then receives an encrypted Lua bytecode payload, which is decrypted and executed on the compromised machine using the embedded Lua 5.4.8 interpreter.
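When a payload like the one described above is recovered after decryption (from memory, a network capture, or a sandbox), the first triage question is whether the blob really is Lua 5.4 bytecode rather than another layer of encoding. The following is an added example, not code from the original article or from Talos, that validates a Lua 5.4 precompiled-chunk header the same way the interpreter's own lundump.c checkHeader() does: signature, version byte, format byte, the LUAC_DATA corruption canary, the native type sizes, and the integer/float probe values. All constants come from the public Lua 5.4 source; the sample chunk is constructed here for illustration and is not a LucidRook payload. One caveat the example makes visible: the header records only the major.minor version (0x54), so it cannot confirm the 5.4.8 patch level the article cites.

```python
import struct

# Constants from Lua 5.4's lundump.h / ldump.c (public Lua source).
LUA_SIGNATURE = b"\x1bLua"
LUAC_VERSION_54 = 0x54                 # major * 16 + minor
LUAC_FORMAT = 0                        # 0 = official bytecode format
LUAC_DATA = b"\x19\x93\r\n\x1a\n"      # canary that detects text-mode corruption
LUAC_INT = 0x5678                      # probe value for lua_Integer layout
LUAC_NUM = 370.5                       # probe value for lua_Number layout
HEADER_LEN = 4 + 1 + 1 + 6 + 3 + 8 + 8  # 31 bytes, followed by the upvalue count


class NotLuaBytecode(ValueError):
    """Raised with the same kind of reason lundump.c would report."""


def parse_lua54_header(blob: bytes) -> dict:
    """Validate a Lua 5.4 chunk header and return the fields it encodes."""
    if len(blob) < HEADER_LEN + 1:
        raise NotLuaBytecode("too short for a Lua 5.4 header")
    if blob[:4] != LUA_SIGNATURE:
        raise NotLuaBytecode("not a binary chunk")
    version, fmt = blob[4], blob[5]
    if version != LUAC_VERSION_54:
        raise NotLuaBytecode(f"version mismatch: 0x{version:02x}")
    if fmt != LUAC_FORMAT:
        raise NotLuaBytecode(f"format mismatch: {fmt}")
    if blob[6:12] != LUAC_DATA:
        raise NotLuaBytecode("corrupted chunk (LUAC_DATA canary damaged)")
    instr_size, int_size, num_size = blob[12], blob[13], blob[14]
    if (instr_size, int_size, num_size) != (4, 8, 8):
        raise NotLuaBytecode(f"unsupported type sizes {instr_size},{int_size},{num_size}")
    # The header has no endianness flag; sizes and probe values are written
    # natively, so try both byte orders against the known probe constants.
    for prefix, endianness in (("<", "little"), (">", "big")):
        (luac_int,) = struct.unpack_from(prefix + "q", blob, 15)
        (luac_num,) = struct.unpack_from(prefix + "d", blob, 23)
        if luac_int == LUAC_INT and luac_num == LUAC_NUM:
            break
    else:
        raise NotLuaBytecode("integer/float format mismatch")
    return {
        "version": f"{version >> 4}.{version & 0xF}",   # patch level is not encoded
        "instruction_size": instr_size,
        "integer_size": int_size,
        "number_size": num_size,
        "endianness": endianness,
        "main_upvalues": blob[HEADER_LEN],              # byte right after the header
        "body_offset": HEADER_LEN + 1,                  # where loadFunction() starts
    }


def is_lua54_bytecode(blob: bytes) -> bool:
    """Boolean wrapper for bulk triage of candidate decrypted blobs."""
    try:
        parse_lua54_header(blob)
        return True
    except NotLuaBytecode:
        return False


def make_sample_chunk() -> bytes:
    """Constructed sample for this example: a valid little-endian header,
    a one-upvalue main-function marker, and placeholder body bytes.
    It is not a real payload and is not executable Lua."""
    return (LUA_SIGNATURE
            + bytes([LUAC_VERSION_54, LUAC_FORMAT])
            + LUAC_DATA
            + bytes([4, 8, 8])
            + struct.pack("<q", LUAC_INT)
            + struct.pack("<d", LUAC_NUM)
            + bytes([1])
            + b"\x00" * 8)


if __name__ == "__main__":
    print(parse_lua54_header(make_sample_chunk()))
    print(is_lua54_bytecode(b"MZ" + b"\x00" * 62))   # a PE stub is not Lua bytecode
```

A blob that fails the signature check but has high entropy is usually another encryption or compression layer; one that passes the signature but fails the LUAC_DATA check has typically been damaged in transit (for example by line-ending conversion), which is exactly what that canary exists to catch.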
“In both cases, the attackers abused out-of-band application security testing (OAST) services and compromised FTP servers for their command-and-control (C2) infrastructure,” Talos said.
LucidPawn also implements a geofencing check: it queries the system UI language and continues execution only if it matches the Traditional Chinese (Taiwan) locale ("zh-TW"). This serves two purposes. It limits execution to the target region of interest, and it avoids detonation in general-purpose analysis sandboxes, which are rarely configured with a zh-TW UI language, so the malware is less likely to be flagged there.
Additionally, at least one dropper variant has been found to deploy a 64-bit Windows DLL named LucidKnight that exfiltrates system information via Gmail to temporary email addresses. The presence of this reconnaissance tool alongside LucidRook suggests that the attackers operate a layered toolkit, using LucidKnight to profile targets before delivering the LucidRook stager.
At this stage, little is known about UAT-10362 beyond the fact that it is likely a sophisticated actor running targeted rather than opportunistic campaigns and prioritizing flexibility, stealth, and victim-specific tasking.
“The multilingual modular design, layered anti-analysis capabilities, stealth-oriented malware payload processing, and reliance on compromised or public infrastructure indicate that UAT-10362 is a capable threat actor with mature operational techniques,” Talos said.
