Full Report
A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook. "LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and
Analysis Summary
# Threat Actor: UAT-10362
## Attribution & Identity
UAT-10362 is a "previously undocumented" threat cluster first identified by Cisco Talos in October 2025. It is characterized as a sophisticated and capable actor with mature operational tradecraft. While no specific nation-state attribution is provided, the group’s focus on Taiwanese entities and the use of Traditional Chinese geofencing suggests a specific regional interest.
## Activity Summary
The group has been active since at least October 2025, conducting targeted spear-phishing campaigns. Recent operations involve the delivery of a multi-stage infection chain via RAR or 7-Zip archives to deploy a novel Lua-based malware family called LucidRook.
## Tactics, Techniques & Procedures
* **Spear-Phishing:** Initial access via archives (RAR/7-Zip) sent to specific targets.
* **DLL Side-Loading:** Extensively used to execute both LucidPawn and LucidRook by abusing legitimate binaries (e.g., "index.exe" and a purported Trend Micro binary).
* **Masquerading:** Using PDF icons for Windows Shortcut (LNK) files and disguising installers as Trend Micro antivirus software ("Cleanup.exe").
* **Geofencing:** Queries the system UI language and continues only when it is Traditional Chinese (`zh-TW`); any sandbox or analyst VM running another locale never sees the payload execute.
* **Tiered Deployment:** Uses a reconnaissance tool (LucidKnight) to profile targets before delivering more advanced stagers.
* **Execution:** PowerShell scripts launch the infection chain once the archive contents are opened.
* **Obfuscation:** Malware is heavily obfuscated to deter static and dynamic analysis.
* **Abuse of Services:** Utilization of Out-of-band Application Security Testing (OAST) services for C2.
## Targeting
* **Sectors:** Non-governmental organizations (NGOs) and suspected universities.
* **Geography:** Taiwan.
* **Host Selection:** The payload runs only on systems whose UI language is Traditional Chinese (`zh-TW`), so victims outside that locale are effectively filtered out even if they open the lure.
## Tools & Infrastructure
* **Malware Families:**
* **LucidPawn:** A dropper that stages and launches the main stager (LucidRook).
* **LucidRook:** A sophisticated 64-bit Windows DLL stager embedding a Lua 5.4.8 interpreter and Rust-compiled libraries; executes encrypted Lua bytecode.
* **LucidKnight:** A reconnaissance DLL that profiles the host and exfiltrates system information via Gmail.
* **Infrastructure:**
* **C2:** Compromised FTP servers.
* **Services:** OAST (Out-of-band Application Security Testing) services.
* **Email:** Temporary Gmail addresses used for data exfiltration.
## Implications
UAT-10362 represents a high-tier threat to the Taiwanese region. Their use of modular, multi-language malware (Lua, Rust, .NET) and layered anti-analysis techniques indicates a well-resourced developer. The strategic focus on NGOs and universities suggests the group is likely engaged in intelligence gathering or political espionage rather than financial gain.
## Mitigations
* **Execution Prevention:** Implement strict controls on LNK files and PowerShell execution, particularly those originating from archive formats.
* **Side-Loading Defense:** Monitor for signed, legitimate binaries (such as the "index.exe" and Trend Micro executables named above) loading DLLs from the directory they were extracted or downloaded into, or from any other user-writable, non-standard path. A signed host loading an unsigned DLL that sits beside it in a temp or Downloads folder is the classic side-loading pattern.
* **Language-Based Detection:** The `zh-TW` geofence means samples will not detonate in sandboxes running another UI language; detonate suspicious archives and LNK payloads in an analysis environment whose system UI language is set to Traditional Chinese. Where EDR or sandbox API tracing is available, a GetSystemDefaultUILanguage call followed immediately by an outbound connection is a useful behavioural signal; note that Windows does not log such API calls natively, so this is not a detection you can build from standard event logs alone.
* **Email Filtering:** Block or scrutinize archives (7z, RAR) from external sources, particularly those containing executable content or LNK files.
* **Service Monitoring:** Monitor for suspicious traffic to OAST domains and unusual FTP connections.
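The side-loading defense above is the one mitigation that reduces to a concrete hunt. The following is an added example written for this page, not code from Cisco Talos or from the report: a heuristic scorer over Sysmon-style ImageLoad (Event ID 7) records that flags DLL loads matching the pattern described here (a host executable in a user-writable directory loading an unsigned DLL from beside itself, or a well-known system DLL name resolved from a non-system path). The field names mirror Sysmon's ImageLoad event, where `Signed` and `SignatureStatus` describe the loaded DLL; the sample events, the file names `libhelper.dll` and `Rar$EX1`, the trusted-directory list and the short system-DLL name list are all constructed or assumed for illustration.

```python
"""Heuristic DLL side-loading detector over Sysmon-style ImageLoad records.

Added example for this page; not Talos code. Sysmon Event ID 7 reports the
signature state of ImageLoaded (the DLL), not of the host process, so the
heuristics below only use facts the event actually carries.
"""
import ntpath
import re

# Assumption: directories from which DLL loads are considered expected.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# User-writable locations where downloads and archive extractions land.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.IGNORECASE
)

# Illustrative subset of DLL names commonly abused for side-loading because
# many signed binaries import them from their own directory first.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptbase.dll", "wtsapi32.dll"}


def _norm_dir(path):
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_indicators(event):
    """Return the list of reasons this ImageLoad event looks like side-loading."""
    img_dir = _norm_dir(event["Image"])
    dll_dir = _norm_dir(event["ImageLoaded"])
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    signed = str(event.get("Signed", "false")).lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    trusted_dir = dll_dir.startswith(TRUSTED_PREFIXES)

    reasons = []
    if not (signed and valid):
        reasons.append("loaded DLL is unsigned or has an invalid signature")
    if not trusted_dir:
        reasons.append("DLL loaded from outside trusted program/system directories")
    if dll_dir == img_dir and USER_WRITABLE.match(img_dir):
        reasons.append("DLL sits beside its host executable in a user-writable directory")
    if dll_name in KNOWN_SYSTEM_DLLS and not trusted_dir:
        reasons.append(f"system DLL name {dll_name} resolved from a non-system path")
    return reasons


def find_sideload_candidates(events, min_reasons=2):
    """Events with at least min_reasons indicators, with their reasons attached."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= min_reasons:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry). Event 1 mimics the
# index.exe host named on this page running from an archive temp folder;
# event 3 mimics the Trend Micro-themed "Cleanup.exe" lure in Downloads.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EX1\\index.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EX1\\libhelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\Downloads\\Cleanup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Run against the constructed events, the two lure-style loads (events 1 and 3) are reported and the explorer.exe and Program Files loads are not. A signed DLL loaded from beside a portable application in Downloads still scores two indicators (outside trusted directories, same user-writable folder), so tune `min_reasons` or add an allow-list for known portable software before turning this into an alert rather than a hunt query.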