{"id":553,"date":"2026-04-09T17:17:57","date_gmt":"2026-04-09T17:17:57","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=553"},"modified":"2026-04-09T17:17:57","modified_gmt":"2026-04-09T17:17:57","slug":"uat-10362-targets-taiwanese-ngos-with-lucidrook-malware-in-spear-phishing-campaigns","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=553","title":{"rendered":"UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 09, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Windows Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4smwzOHJUhoy2YQYZQpTIp9u5xk7vywCOtewG6WfLl1S3h1EO25k8GY6WSHovGYwTn4vo9uMFcoNX6XDa0-BC0mXJrTdSHtWGJDP1GIXqGvRnlqnqyPwzxxPFyjLx9yxEn1oeWs4r8fqq5xlS__yUA3nwf0DpZBiUh86FUx71PRBGbAP0gaNFAILqYgbT\/s1700-e365\/phish.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A previously undocumented threat cluster\u00a0dubbed <strong>UAT-10362<\/strong> has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook.<\/p>\n<p>\u00abLucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads,\u00bb Cisco Talos researcher Ashley\u00a0Shen <a href=\"https:\/\/blog.talosintelligence.com\/new-lua-based-malware-lucidrook\/\">said<\/a>.<\/p>\n<p>The cybersecurity company said it discovered the activity in October 2025, with the attack using RAR or 7-Zip archives lures to deliver a dropper called LucidPawn, which then opens a decoy file and launches LucidRook. A\u00a0notable characteristic of the intrusion set is the use of DLL side-loading to execute both LucidPawn and LucidRook.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>There are two distinct infection chains that\u00a0lead to LucidRook, one using a Windows Shortcut (LNK) file with a PDF icon and another involving an executable that masquerades as an antivirus program from Trend Micro. The\u00a0entire sequence is listed below\u00a0&#8211;<\/p>\n<ul>\n<li><strong>LNK-based infection chain<\/strong> &#8211; When the user clicks the LNK file, assuming it&#8217;s a PDF document, it executes a PowerShell script to run a legitimate Windows binary (\u00abindex.exe\u00bb) present in the archive, which then sideloads a malicious DLL (i.e., LucidPawn). The\u00a0dropper, for its part, once again employs DLL side-loading to run LucidRook.<\/li>\n<li><strong>EXE-based infection chain<\/strong> &#8211; When the purported Trend Micro program (\u00abCleanup.exe\u00bb) within the 7-Zip archive is launched, it acts as a simple .NET\u00a0dropper that employs DLL side-loading to run LucidRook. Upon\u00a0execution, the binary displays a message stating the cleanup process has completed.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlOZ1Y6eul7frMtpl43jmXtvrC-HUjm3gqgbsurXN5j0pADKPVGjJ_AGbf264NwipAZY6fODDzTAdI9eS70vGwQKkfbVdB9WuxSxpztoedGz_6w2J4F7JGkLTT0l5Nza4cOmKMH8a-k-DuSsMY6IjnOR5pLKnxad3Tcm2fkd72TeFF47e7uUEcE7gaM2ny\/s1700-e365\/lnk.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlOZ1Y6eul7frMtpl43jmXtvrC-HUjm3gqgbsurXN5j0pADKPVGjJ_AGbf264NwipAZY6fODDzTAdI9eS70vGwQKkfbVdB9WuxSxpztoedGz_6w2J4F7JGkLTT0l5Nza4cOmKMH8a-k-DuSsMY6IjnOR5pLKnxad3Tcm2fkd72TeFF47e7uUEcE7gaM2ny\/s1700-e365\/lnk.jpg\" alt=\"\" border=\"0\" data-original-height=\"683\" data-original-width=\"1000\"\/><\/a><\/div>\n<p>A 64-bit Windows DLL, LucidRook, is heavily obfuscated to deter analysis and detection. Its\u00a0functionality is two-pronged: it collects system information and exfiltrates it to an external server, and then receives an encrypted Lua bytecode payload for subsequent decryption and execution on the compromised machine using the embedded Lua 5.4.8\u00a0interpreter.<\/p>\n<p>\u00abIn both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure,\u00bb Talos\u00a0said.<\/p>\n<p>LucidPawn also implements a geofencing technique that specifically queries the system UI language and continues execution only if it matches Traditional Chinese environments associated with Taiwan (\u00abzh-TW\u00bb). This\u00a0offers two-fold advantages, as it limits execution to the intended victim geography and avoids getting flagged in common analysis sandboxes.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Furthermore, at least one variant of the dropper has been found to deploy a 64-bit Windows DLL named LucidKnight that&#8217;s capable of exfiltrating system information via Gmail to a temporary email address. The\u00a0presence of the reconnaissance tool alongside LucidRook suggests the adversary operates a tiered toolkit, potentially using LucidKnight to profile targets before delivering the LucidRook\u00a0stager.\u00a0<\/p>\n<p>Not\u00a0much is known about UAT-10362 at this stage other than the fact that it&#8217;s likely a sophisticated threat actor whose campaigns are targeted rather than opportunistic, while prioritizing flexibility, stealth, and victim-specific\u00a0tasking.<\/p>\n<p>\u00abThe multi-language modular design, layered anti-analysis features, stealth-focused payload handling of the malware, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft,\u00bb Talos\u00a0said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 09, 2026Malware \/ Windows Security A previously undocumented threat cluster\u00a0dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a&hellip;<\/p>\n","protected":false},"author":1,"featured_media":554,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[693,1150,42,1149,947,1148,78,1147],"class_list":["post-553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-campaigns","tag-lucidrook","tag-malware","tag-ngos","tag-spearphishing","tag-taiwanese","tag-targets","tag-uat10362"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=553"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/553\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/554"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}