# Full Report
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
# Analysis Summary
# Threat Actor: UAT-10362
## Attribution & Identity
- **Name:** UAT-10362
- **Known Aliases:** None currently documented (newly identified cluster).
- **Identity/Associations:** A capable threat actor displaying mature operational tradecraft, modular malware design, and layered anti-analysis features. While no specific nation-state attribution is named, the focus on Taiwanese government policies and NGOs suggests a high level of regional interest.
## Activity Summary
Cisco Talos identified spear-phishing campaigns occurring around October 2025. The actor targeted Taiwanese NGOs and universities using themes related to government directives (e.g., travel regulations for teachers to China). These campaigns utilized password-protected archives to deliver two distinct infection chains, resulting in the deployment of the "LucidRook" malware family.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails containing shortened URLs leading to password-protected RAR/7z archives.
- **Establishing Trust:** Use of authorized mail infrastructure to send the emails, plus legitimate governmental decoy documents (Traditional Chinese) to lend the lure credibility.
- **Execution & Evasion:**
  - Use of hidden directory structures (four levels deep) to evade analysis.
  - Leveraging LOLBAS (Living-off-the-Land Binaries and Scripts) via the Pester PowerShell testing framework.
  - DLL Search Order Hijacking of legitimate Windows binaries (e.g., `index.exe` from the DISM framework).
  - Masquerading malicious files as legitimate software (e.g., `msedge.exe`).
- **Persistence:** Created LNK files in the Windows Startup folder.
- **Anti-Analysis:** Region-specific checks that only allow execution in Traditional Chinese language environments associated with Taiwan.
- **Exfiltration:** Use of Gmail for reconnaissance data exfiltration.
- **Communication:** Use of DNS beaconing and Out-of-band Application Security Testing (OAST) services.
**MITRE ATT&CK IDs:**
- T1566.002 (Phishing: Spearphishing Link)
- T1574.002 (Hijack Execution Flow: DLL Search Order Hijacking)
- T1218.011 (Signed Binary Proxy Execution: Rundll32/Pester-related LOLBAS)
- T1132.001 (Data Encoding: Standard Encoding)
- T1071.004 (Application Layer Protocol: DNS)
- T1564.001 (Hide Artifacts: Hidden Files and Directories)
## Targeting
- **Sectors:** Non-governmental organizations (NGOs), Higher Education (Universities).
- **Geography:** Taiwan.
- **Victims:** Specific Taiwanese NGOs and National University faculty (via targeted themes regarding travel to China).
## Tools & Infrastructure
- **Malware Families:**
  - **LucidPawn:** A dropper used to sideload payloads and perform environment checks.
  - **LucidRook:** A sophisticated Lua-based stager that embeds a Lua interpreter and Rust-compiled libraries.
  - **LucidKnight:** A companion reconnaissance tool used for system profiling and information exfiltration.
- **Infrastructure:**
  - **C2:** Compromised FTP servers and abused OAST services.
  - **Domains:** `D.2fcc7078.digimg[.]store`.
  - **IPs:** `1.34.253[.]131`, `59.124.71[.]242`.
  - **Email accounts:** `fexopuboriw972[@]gmail.com`, `crimsonanabel[@]powerscrews.com`.
## Implications
UAT-10362 is a highly focused threat actor with a specific interest in the socio-political landscape of Taiwan. Their use of modular, language-specific malware and tiered toolsets (reconnaissance tooling first, followed by full-stage deployment) suggests a disciplined group aiming for long-term intelligence gathering rather than immediate financial gain.
## Mitigations
- **Email Security:** Implement robust scanning for shortened URLs and password-protected attachments; monitor for unauthorized mail sent via legitimate domains.
- **Host-Based Defense:** Monitor for unusual executions of `Build.bat` or Pester scripts. Implement DLL profiling to detect sideloading from user-profile directories such as `%APPDATA%`, where the actor stages its hijack hosts.
- **Network Defense:** Block known IOCs and monitor for DNS beaconing or unusual traffic to public FTP infrastructure.
- **User Training:** Educate personnel—specifically in administrative and academic roles—about the risk of phishing decoys referencing government travel policies and legal directives.
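As an added example (not from the Talos report), the host- and network-based mitigations above expressed as a small rule set run over constructed Sysmon-style events: the Sysmon field names are real, every path, user name and sample value is constructed, and only the `digimg.store` domain suffix comes from the report's IoC list.

```python
import re
# Sysmon field names are real; every path, user name and value below is constructed.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
LOLBAS_RE = re.compile(r"(\bpester\b|build\.bat)", re.I)
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
SIDELOAD_HOSTS = {"index.exe"}          # DISM binary named in the report
MASQUERADE_NAMES = {"msedge.exe"}       # legitimate name the actor reuses
C2_DOMAIN_SUFFIXES = ("digimg.store",)  # from the report's IoC list

def check_event(ev):
    """Return the rule names that fire for one Sysmon-style event dict."""
    hits, eid = [], ev.get("EventID")
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    in_system = image.startswith(SYSTEM_PREFIXES)
    if eid == 1:  # process creation
        if name in SIDELOAD_HOSTS and not in_system:
            hits.append("dism_binary_outside_system_dir")
        if name in MASQUERADE_NAMES and not in_system:
            hits.append("msedge_name_outside_program_files")
        if LOLBAS_RE.search(ev.get("CommandLine", "")):
            hits.append("pester_or_build_bat_execution")
    elif eid == 7:  # image (DLL) load: a hijack host or an unsigned DLL pulled from AppData
        if APPDATA_RE.search(ev.get("ImageLoaded", "")) and (
                name in SIDELOAD_HOSTS or ev.get("Signed") == "false"):
            hits.append("dll_sideload_from_appdata")
    elif eid == 11:  # file creation
        if STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
            hits.append("startup_folder_lnk_persistence")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower().endswith(C2_DOMAIN_SUFFIXES):
            hits.append("dns_query_to_reported_c2_domain")
    return hits

def scan(events):
    # Map each rule name to the indices of the events that triggered it.
    found = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            found.setdefault(rule, []).append(i)
    return found

HIDDEN = "C:\\Users\\u\\AppData\\Roaming\\.a\\.b\\.c\\.d\\"  # constructed four-level hidden path
SAMPLE_EVENTS = [  # constructed; index 0 is the benign baseline
    {"EventID": 1, "Image": "C:\\Windows\\System32\\index.exe", "CommandLine": "index.exe"},
    {"EventID": 1, "Image": HIDDEN + "index.exe", "CommandLine": "index.exe"},
    {"EventID": 1, "Image": HIDDEN + "msedge.exe", "CommandLine": "msedge.exe"},
    {"EventID": 7, "Image": HIDDEN + "index.exe", "ImageLoaded": HIDDEN + "helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c Build.bat"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 22, "Image": HIDDEN + "msedge.exe", "QueryName": "d.2fcc7078.digimg.store"},
]
```

Each rule maps to one bullet of the mitigations above; `scan(SAMPLE_EVENTS)` leaves the benign baseline event untouched and attributes the remaining six events to one rule each.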