April 9, 2026


Ravie Lakshmanan | Apr 09, 2026 | Malware / Windows Security

A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook.

“LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries inside a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads,” Cisco Talos researcher Ashley Shen said.

The cybersecurity company said it discovered the activity in October 2025, with the attacks using RAR or 7-Zip archive lures to deliver a dropper called LucidPawn, which then opens a decoy file and launches LucidRook. A notable characteristic of the intrusion set is the use of DLL side-loading to execute both LucidPawn and LucidRook.

There are two distinct infection chains that lead to LucidRook, one using a Windows Shortcut (LNK) file with a PDF icon and another involving an executable that masquerades as an antivirus program from Trend Micro. The complete sequence is listed below:

  • LNK-based infection chain – When the user clicks the LNK file, assuming it is a PDF document, it executes a PowerShell script to run a legitimate Windows binary (“index.exe”) present in the archive, which then sideloads a malicious DLL (i.e., LucidPawn). The dropper, for its part, once again employs DLL side-loading to run LucidRook.
  • EXE-based infection chain – When the purported Trend Micro program (“Cleanup.exe”) within the 7-Zip archive is launched, it acts as a simple .NET dropper that employs DLL side-loading to run LucidRook. Upon execution, the binary displays a message stating the cleanup process has completed.
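A defender-side illustration of the two chains above, added here as an example rather than taken from Talos: a small Python heuristic run over constructed Sysmon-style process-creation and image-load events that flags a PowerShell launch pointing at an executable in an extracted-archive location, a process starting from such a location, and a DLL loaded from that executable's own directory. The event layout, the paths and the stand-in DLL name `dropper.dll` are assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed markers for user-writable locations where extracted archives typically land.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")

@dataclass
class Event:
    kind: str          # "process" (process creation) or "imageload" (DLL mapped into a process)
    image: str         # full path of the process image
    parent: str = ""   # parent process image, for "process" events
    cmdline: str = ""  # command line, for "process" events
    module: str = ""   # path of the loaded DLL, for "imageload" events

def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]

def detect(events: list[Event]) -> list[tuple[str, str]]:
    findings = []  # (rule, evidence) pairs for the behaviours the two infection chains produce
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            # LNK chain, step 1: Explorer starts PowerShell whose command line points at an EXE in a user-writable dir.
            if e.parent.lower().endswith("explorer.exe") and img.endswith(("powershell.exe", "pwsh.exe")):
                for exe in re.findall(r"[a-z]:\\[^\"' ]+\.exe", e.cmdline.lower()):
                    if _user_writable(exe):
                        findings.append(("lnk-powershell-launcher", exe))
            # LNK chain step 2 and the EXE chain: a process starts from such a directory.
            elif _user_writable(img):
                findings.append(("exe-from-user-writable-dir", e.image))
        # Both chains: the launched EXE loads a DLL from its own directory, the footprint DLL side-loading leaves.
        elif e.kind == "imageload" and _user_writable(img) and _dirname(e.module) == _dirname(img):
            findings.append(("dll-sideload", e.module))
    return findings

# Constructed sample telemetry (Sysmon-style), not taken from the Talos report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp\Rar$DIa0"
SAMPLE_EVENTS = [
    Event("process", PS, parent=r"C:\Windows\explorer.exe",
          cmdline=f'powershell.exe -w hidden -c "& {TMP}\\index.exe"'),
    Event("process", TMP + r"\index.exe", parent=PS),
    Event("imageload", TMP + r"\index.exe", module=TMP + r"\dropper.dll"),  # stands in for LucidPawn
    Event("imageload", r"C:\Program Files\Vendor\app.exe",
          module=r"C:\Program Files\Vendor\helper.dll"),  # benign: vendor directory, not flagged
]
```

Running `detect(SAMPLE_EVENTS)` yields three findings in chain order and nothing for the benign vendor load; in production the same logic would read Sysmon event IDs 1 and 7 instead of the constructed list.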

A 64-bit Windows DLL, LucidRook is heavily obfuscated to hinder analysis and detection. Its functionality is two-pronged: it collects system information and exfiltrates it to an external server, after which it receives an encrypted Lua bytecode payload for subsequent decryption and execution on the compromised machine using the embedded Lua 5.4.8 interpreter.

“In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure,” Talos said.

LucidPawn also implements a geofencing technique that specifically queries the system UI language and continues execution only if it matches Traditional Chinese environments associated with Taiwan (“zh-TW”). This offers two advantages: it limits execution to the intended victim geography and avoids being flagged in common analysis sandboxes.

Furthermore, at least one variant of the dropper has been found to deploy a 64-bit Windows DLL named LucidKnight that is capable of exfiltrating system information via Gmail to a temporary email address. The presence of the reconnaissance tool alongside LucidRook suggests the adversary operates a tiered toolkit, potentially using LucidKnight to profile targets before delivering the LucidRook stager.

Not much is known about UAT-10362 at this stage other than the fact that it is likely a sophisticated threat actor whose campaigns are targeted rather than opportunistic, while prioritizing flexibility, stealth, and victim-specific tasking.

“The multi-language modular design, layered anti-analysis features, stealth-focused payload handling of the malware, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft,” Talos said.
