A previously undocumented threat cluster identified as UAT-10362 has been linked to ongoing spear-phishing campaigns targeting Taiwanese non-governmental organizations and suspected universities. The activity involves the deployment of a newly identified Lua-based malware family known as LucidRook. According to Cisco Talos researcher Ashley Shen, the malware operates as a sophisticated staging component that integrates a Lua interpreter alongside Rust-compiled libraries within a dynamic-link library (DLL) file, enabling it to download and execute staged Lua bytecode payloads on compromised systems.
Security researchers first observed this activity in October 2025, when attackers used compressed archive files such as RAR and 7-Zip as the initial delivery mechanism. These archives contained a dropper component named LucidPawn, which launches decoy files while initiating the infection chain. A defining feature of the attack is DLL side-loading, a technique in which legitimate Windows binaries are abused to load malicious DLL files. This method is used consistently across both LucidPawn and LucidRook to execute malicious functionality while reducing the risk of detection.
The infection process follows two primary pathways, designed to maximize success depending on user interaction. In the first, LNK-based chain, victims are presented with a Windows shortcut file disguised as a PDF. When the user clicks the shortcut, it triggers a PowerShell script that executes a legitimate Windows binary named index.exe from within the archive. This binary then side-loads LucidPawn, which in turn uses the same technique to execute LucidRook. In the second, executable-based chain, a file named Cleanup.exe is disguised as a Trend Micro antivirus utility and distributed inside a 7-Zip archive. Once executed, it functions as a .NET dropper that also uses DLL side-loading to launch LucidRook, while displaying a message indicating that a cleanup process has completed.
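A defender-side heuristic for the DLL side-loading that both chains above rely on, added here as an example that is not part of the article or of Cisco Talos' analysis. It scans image-load telemetry in a constructed, Sysmon Event ID 7-style key=value format (the paths, the DLL names and the signing status are hypothetical; the article names only index.exe and Cleanup.exe and names no DLLs) and flags a DLL loaded by a process running outside the standard program directories when that DLL sits in the process's own directory. An unsigned DLL is rated high confidence, a signed one low.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example (not the article's or Cisco Talos' code). The records in
SAMPLE_LOG are constructed; every path, DLL name and Signed value is
hypothetical and chosen only to exercise the rule.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Directories where legitimately installed binaries normally live (lower-case).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

# Constructed image-load records, pipe-delimited key=value, loosely modelled
# on Sysmon Event ID 7 fields (Image = loading process, ImageLoaded = DLL).
SAMPLE_LOG = r"""
Image=C:\Users\alice\Downloads\report\index.exe | ImageLoaded=C:\Users\alice\Downloads\report\helper.dll | Signed=false
Image=C:\Users\alice\Downloads\report\index.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | Signed=true
Image=C:\Program Files\Vendor\app.exe | ImageLoaded=C:\Program Files\Vendor\plugin.dll | Signed=false
Image=C:\Users\bob\AppData\Local\Temp\7z1234\Cleanup.exe | ImageLoaded=C:\Users\bob\AppData\Local\Temp\7z1234\core.dll | Signed=false
Image=C:\Users\bob\AppData\Local\Temp\7z1234\Cleanup.exe | ImageLoaded=C:\Users\bob\AppData\Local\Temp\7z1234\core.dll | Signed=true
"""


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    confidence: str  # "high" when the DLL is unsigned, otherwise "low"


def parse_line(line: str) -> dict:
    """Split 'Key=Value | Key=Value' into a dict; values may contain spaces."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def under_trusted_root(path: str) -> bool:
    """True if the path lies inside one of TRUSTED_ROOTS (case-insensitive)."""
    p = path.lower()
    return any(p == root or p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> Optional[Finding]:
    """Apply the side-loading heuristic to one image-load record.

    Flagged when the loading process is outside the trusted roots, the DLL is
    also outside them, and the DLL sits in the same directory as the process.
    """
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if under_trusted_root(str(image)) or under_trusted_root(str(loaded)):
        return None
    if loaded.suffix.lower() != ".dll":
        return None
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    if loaded.parent != image.parent:
        return None
    confidence = "high" if event.get("Signed", "").lower() == "false" else "low"
    return Finding(str(image), str(loaded), confidence)


def scan(log_text: str) -> list:
    """Run the heuristic over every non-empty line of the log text."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        finding = is_sideload_candidate(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.confidence}] {f.process} loaded {f.dll}")
```

The rule deliberately ignores the signing status of the loading process, because the whole point of side-loading is that the executable is a genuinely signed, legitimate binary; what stands out is where it runs from and where its DLL comes from. On real telemetry, the trusted-root list would be extended with the organization's own deployment paths to keep the noise down, and the low-confidence tier catches the case where an attacker ships a signed DLL.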
LucidRook itself is a 64-bit Windows DLL that is heavily obfuscated to hinder analysis and detection. Its operation is divided into two main functions. First, it collects system information from the compromised host and transmits it to an external server. Second, it receives encrypted Lua bytecode payloads, which it decrypts and executes locally using an embedded Lua 5.4.8 interpreter. Researchers noted that the operators have also leveraged out-of-band application security testing (OAST) services and compromised FTP infrastructure as part of their command-and-control setup. In addition, a geofencing check is implemented in LucidPawn, which reads the system UI language and continues execution only if it matches the Traditional Chinese setting associated with Taiwan.
Further analysis revealed an additional tool known as LucidKnight, a 64-bit Windows DLL used in some variants of the campaign. This component can exfiltrate system information through Gmail using temporary email accounts, suggesting that it serves reconnaissance before LucidRook is deployed. The combination of these tools indicates a structured operational approach in which targets are profiled before full malware deployment. Cisco Talos described UAT-10362 as a capable threat actor that employs layered tooling, anti-analysis techniques, and compromised infrastructure to maintain stealth and operational flexibility while focusing on targeted victim environments rather than broad distribution campaigns.