A newly identified cyber threat cluster, UAT-10362, has been linked to targeted spear-phishing attacks aimed at organizations in Taiwan, including non-governmental organizations (NGOs) and academic institutions. The campaign deploys a previously unknown malware framework called LucidRook.
Security researchers from Cisco Talos revealed that the operation was first detected in October 2025 and demonstrates a high level of sophistication and targeted execution.
Multi-Stage Infection Strategy
The attack begins with phishing emails delivering malicious archives in RAR or 7-Zip formats. These files contain a dropper known as LucidPawn, which initiates the infection process by displaying a decoy document while silently executing malicious components in the background.
A key technique used in this campaign is DLL side-loading, in which a malicious DLL is placed where a legitimate, trusted application will load it in place of the library it expects, so the attackers' code runs under the cover of a benign process.
Two Distinct Attack Chains
The campaign employs two separate infection pathways:
LNK-Based Method
Victims are tricked into opening a Windows shortcut file disguised as a PDF. Once clicked, it triggers a PowerShell script that launches a legitimate system file. This file then loads a malicious DLL, executing LucidPawn, which subsequently deploys LucidRook.
EXE-Based Method
In this scenario, victims run an executable disguised as a legitimate antivirus tool from Trend Micro. The file acts as a dropper and uses DLL side-loading to install LucidRook while displaying a fake cleanup completion message.

LucidRook Malware Capabilities
LucidRook is a highly obfuscated malware designed to evade detection and analysis. It operates as a staging platform with two primary functions:
- Collecting detailed system information and transmitting it to external servers
- Downloading encrypted Lua-based payloads for execution on compromised systems
The malware embeds a Lua interpreter along with Rust-based components, enabling flexible and modular execution of additional malicious tasks.
Use of Public Infrastructure for Command-and-Control
The attackers rely on unconventional infrastructure for command-and-control operations. This includes out-of-band application security testing (OAST) services and compromised FTP servers, which let them blend malicious traffic with legitimate network activity and avoid detection.
Geofencing to Target Specific Victims
One of the notable features of this campaign is the use of geofencing techniques. The malware checks the system language and only activates if it matches Traditional Chinese settings associated with Taiwan.
This selective execution helps attackers:
- Focus on intended targets
- Avoid detection in global analysis environments
Additional Reconnaissance Tool: LucidKnight
Researchers also identified another malware component named LucidKnight, which appears to function as a reconnaissance tool.
This tool collects system data and exfiltrates it via email services, including temporary Gmail accounts. Its presence suggests that attackers may profile targets before deploying the full LucidRook payload.
Indicators of Advanced Threat Capabilities
The campaign exhibits several characteristics of a mature threat actor:
- Modular and multi-language malware design
- Advanced anti-analysis and obfuscation techniques
- Use of legitimate tools and infrastructure for stealth
- Highly targeted victim selection
These factors indicate that UAT-10362 is likely a well-resourced and strategic actor focused on intelligence gathering rather than opportunistic attacks.