UAT-10362 targets Taiwanese NGOs with Lua malware in spear-phishing campaign

A previously undocumented threat cluster called UAT-10362 has targeted Taiwanese NGOs and suspected universities in spear-phishing campaigns that delivered a new Lua-based malware family, LucidRook, according to a technical analysis from Cisco Talos.

KEY FACTS

  • Targets: Taiwanese NGOs and suspected universities
  • Payload: LucidRook, a Lua-based malware stager
  • Delivery: RAR and 7-Zip archives used as lures
  • Technique: DLL side-loading used in both infection chains
  • Timing: activity was discovered in October 2025

The report says the attackers used at least two infection chains. One used a Windows shortcut (LNK) file carrying a PDF icon, while the other used an executable that posed as a Trend Micro antivirus cleanup tool.

In the LNK-based chain, opening the shortcut ran a PowerShell script that launched a legitimate Windows binary bundled in the archive. That binary then side-loaded a malicious DLL, tracked as LucidPawn, which in turn loaded LucidRook.

The second chain relied on a file named Cleanup.exe inside a 7-Zip archive. Once launched, it behaved as a .NET dropper, displayed a message saying the cleanup process had completed, and used DLL side-loading to run LucidRook.

LucidRook is described as a 64-bit Windows DLL with heavy obfuscation. It collects system information, sends it to an external server, and then receives encrypted Lua bytecode that it decrypts and executes using an embedded Lua 5.4.8 interpreter.

The disclosure says both campaigns relied on compromised FTP servers and an out-of-band application security testing service for command and control infrastructure. LucidPawn also checks the system UI language and continues only when it is Traditional Chinese, the locale associated with Taiwan; on any other system the chain stops before LucidRook is loaded.
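The two infection chains and the FTP-based command and control described above translate directly into host-based hunting rules. The following Python is an added example and is not code from Cisco Talos or from the report: it runs three rules (PowerShell spawned from the shell with quiet-mode switches, a process in a user-writable directory loading an unsigned DLL from its own folder, and a user-directory process connecting to TCP port 21) over constructed Sysmon-style process, image-load and network events. The event field names, the `signed` and `dll_signed` enrichment, the file names host.exe, version.dll and sidecar.dll, the extraction paths and the IP address are all assumptions for illustration; none of them are indicators taken from the report.

```python
"""Added example: hunt for LucidRook-style delivery in Sysmon-like events.
Event layout, field names and the sample data below are constructed for
illustration; they are not indicators from the Talos report."""
import ntpath
import re

# Folders where an extracted archive or a downloaded lure usually ends up.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\",
                 "\\desktop\\", "\\appdata\\roaming\\")

# PowerShell switches a shortcut-launched loader typically uses to stay quiet.
SUSPICIOUS_PS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|e\s|nop\b|"
    r"noprofile\b|ep\s+bypass|executionpolicy\s+bypass)", re.I)


def in_user_writable(path: str) -> bool:
    """True when the path sits under a directory an unprivileged user can write."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def same_directory(a: str, b: str) -> bool:
    """True when both Windows paths share a parent directory (the side-load signature)."""
    return ntpath.dirname(a.lower()) == ntpath.dirname(b.lower())


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image = ev["image"].lower()
            parent = ev["parent_image"].lower()
            # Chain 1: the PDF-iconed .lnk makes explorer.exe spawn PowerShell.
            if (image.endswith("\\powershell.exe")
                    and parent.endswith("\\explorer.exe")
                    and SUSPICIOUS_PS.search(ev["cmdline"])):
                findings.append(("lnk_powershell", ev["pid"], ev["cmdline"]))
        elif kind == "image_load":
            # Both chains: the host binary (legitimate Windows binary or Cleanup.exe)
            # loads an unsigned DLL from the directory it was extracted into.
            image, dll = ev["image"], ev["loaded"]
            if (in_user_writable(image) and same_directory(image, dll)
                    and not ev.get("dll_signed", False)):
                findings.append(("dll_sideload", ev["pid"], dll))
        elif kind == "network":
            # C2 over compromised FTP servers: a user-directory process on port 21.
            if ev["dst_port"] == 21 and in_user_writable(ev["image"]):
                findings.append(("ftp_from_user_dir", ev["pid"],
                                 f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


# Constructed sample telemetry: one LNK chain, one Cleanup.exe chain, one benign load.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": PS_EXE,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c "
                "\"Start-Process 'C:\\Users\\u\\Downloads\\report\\host.exe'\""},
    {"type": "process", "pid": 4188, "image": r"C:\Users\u\Downloads\report\host.exe",
     "parent_image": PS_EXE, "cmdline": "host.exe"},
    {"type": "image_load", "pid": 4188, "image": r"C:\Users\u\Downloads\report\host.exe",
     "loaded": r"C:\Users\u\Downloads\report\version.dll", "dll_signed": False},
    {"type": "image_load", "pid": 4188, "image": r"C:\Users\u\Downloads\report\host.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"type": "process", "pid": 5204, "image": r"C:\Users\u\AppData\Local\Temp\7zO1\Cleanup.exe",
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe", "cmdline": "Cleanup.exe"},
    {"type": "image_load", "pid": 5204, "image": r"C:\Users\u\AppData\Local\Temp\7zO1\Cleanup.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\7zO1\sidecar.dll", "dll_signed": False},
    {"type": "network", "pid": 5204, "image": r"C:\Users\u\AppData\Local\Temp\7zO1\Cleanup.exe",
     "dst_ip": "198.51.100.23", "dst_port": 21},
    # Benign: Office loading a signed DLL from Program Files must not fire.
    {"type": "image_load", "pid": 6010,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll", "dll_signed": True},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<20} pid={pid} {detail}")
```

The side-load rule keys on the DLL coming from the same user-writable directory as its host rather than on any particular file name, which is what lets one rule cover both the LNK chain (legitimate binary plus LucidPawn) and the Cleanup.exe chain. In production the `dll_signed` field would come from Sysmon event 7's signature fields, and the port-21 rule should be paired with the destination addresses from the report's indicator list rather than the placeholder address used here.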

In at least one case, the dropper also deployed LucidKnight, another 64-bit DLL that exfiltrates system information through Gmail to a temporary email address. The report says that suggests a layered toolkit that may be used to profile targets before more active malware is delivered.

WHY IT MATTERS

The campaign shows how targeted intrusions can combine archive-based phishing, DLL side-loading, geofencing and public or compromised infrastructure to hide activity and limit exposure. At the same time, the operators behind UAT-10362 remain largely unknown, even though their tooling appears tailored for selective targeting.