UAT-10362 LucidRook Campaigns Target Taiwan-Based Institutions and NGOs Through Spear-Phishing


Key Findings


  • UAT-10362, a sophisticated threat actor, conducted targeted spear-phishing campaigns against Taiwanese NGOs and universities starting in October 2025

  • LucidRook, a Lua-based malware stager, was delivered through password-protected RAR and 7-Zip archives with decryption passwords included in phishing emails

  • Two distinct infection chains were identified: one using Windows Shortcut files and another using .NET executables masquerading as antivirus software

  • Both chains employ DLL side-loading, so the malicious code runs inside a trusted, signed process rather than as a standalone suspicious executable, which helps it evade signature- and reputation-based detection

  • The malware toolkit includes LucidPawn (dropper), LucidRook (stager), and LucidKnight (reconnaissance tool), indicating a modular, tiered approach

  • Geofencing checks limit execution to Traditional Chinese environments, targeting Taiwan and Hong Kong specifically

  • Command-and-control infrastructure relies on compromised FTP servers and OAST services, so the actor avoids exposing infrastructure of its own


Background


Cisco Talos identified LucidRook during investigation of phishing attacks aimed at Taiwanese institutions in October 2025. The emails appeared to originate from legitimate mail infrastructure, suggesting potential compromise or misuse of authorized sending capabilities. The phishing messages contained shortened URLs linking to password-protected archives with decryption passwords provided within the email body. Archives contained decoy documents impersonating government or security-related materials to distract victims during infection.


LNK-Based Infection Chain


When users opened what appeared to be PDF documents, they were actually executing Windows Shortcut (LNK) files. The LNK files triggered PowerShell scripts that ran a legitimate signed binary, named "index.exe" and shipped inside the archive. This trusted executable then side-loaded a malicious DLL, LucidPawn, and the dropper in turn used DLL side-loading a second time to launch LucidRook. For persistence, the malware placed a malicious LNK file in the Windows Startup folder so that it ran again after a system reboot. Throughout this process, a decoy document was opened to make the user believe the file had opened normally.


EXE-Based Infection Chain


The alternative infection method used .NET executables disguised as Trend Micro antivirus software, distributed within 7-Zip archives. When executed, these droppers decoded embedded Base64 payloads and deployed multiple files including a legitimate DISM executable, the LucidRook stager, and a Startup link for persistence. After dropping these components, the malware displayed a fake completion message to the victim. Like the LNK chain, this method abused DLL sideloading to execute malicious code through signed Windows binaries.
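Both chains leave the same three host-level traces: PowerShell spawned by Explorer from a user-writable directory, a Microsoft-signed binary loading an unsigned DLL from outside the Windows directories, and a .lnk written to a Startup folder. The hunting rules below run over constructed Sysmon-style events; this is an added example, not code from Cisco Talos or the original post, and the event field names, paths and the DLL name are assumptions.

```python
# Hunting rules over constructed Sysmon-style events for the behaviours shared by
# the LNK and EXE chains: Explorer-spawned PowerShell from a user directory (LNK
# lure), a Microsoft-signed binary side-loading an unsigned DLL from a non-system
# path, and a .lnk dropped into a Startup folder (persistence).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev):
    """Return the rule names that fire for one event (field names are assumed, not Sysmon's)."""
    hits = []
    if ev["kind"] == "process_create":
        child, parent = ev["image"].lower(), ev["parent_image"].lower()
        if child.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe") \
                and not is_system_path(ev["cwd"]):
            hits.append("explorer_spawned_powershell_from_user_dir")
    elif ev["kind"] == "image_load":
        if "microsoft" in ev["image_signer"].lower() and ev["loaded"].lower().endswith(".dll") \
                and not ev["loaded_signed"] and not is_system_path(ev["loaded"]):
            hits.append("signed_binary_sideloads_unsigned_dll")
    elif ev["kind"] == "file_create":
        target = ev["target"].lower()
        if STARTUP_MARKER in target and target.endswith(".lnk"):
            hits.append("lnk_written_to_startup_folder")
    return hits


def hunt(events):
    """Return (event index, rule name) pairs for every rule that fires; these are leads, not verdicts."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: three events mirroring the chain plus one benign control.
SAMPLE_EVENTS = [
    {"kind": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cwd": "C:\\Users\\alice\\Downloads\\report\\"},
    {"kind": "image_load", "image": "C:\\Users\\alice\\Downloads\\report\\index.exe",
     "image_signer": "Microsoft Windows",                          # legitimate signed binary
     "loaded": "C:\\Users\\alice\\Downloads\\report\\sideload.dll",  # placeholder DLL name
     "loaded_signed": False},
    {"kind": "file_create", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                                      "\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"kind": "image_load", "image": "C:\\Windows\\System32\\dism.exe",
     "image_signer": "Microsoft Windows",
     "loaded": "C:\\Windows\\System32\\dismapi.dll", "loaded_signed": True},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```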


LucidRook Technical Architecture


LucidRook is a 64-bit Windows DLL combining a Lua 5.4.8 interpreter with Rust-compiled libraries into a single execution platform. Upon activation, the malware collects system data including usernames, running processes, and installed software. It then encrypts this information using RSA encryption and password-protected ZIP files before exfiltrating it to command-and-control servers. The malware downloads encrypted Lua bytecode payloads from its C2 over FTP, validates them, and executes them locally using the embedded Lua interpreter. This architecture allows operators to rapidly modify behavior per target without recompiling the core malware. The DLL contains thousands of functions and stripped components, making analysis extremely difficult.


Anti-Analysis and Obfuscation Techniques


The toolkit employs multiple layers of obfuscation to evade detection and complicate analysis. LucidRook uses multi-stage XOR encryption and complex address calculation tricks to hide strings throughout the code. Payloads are protected with different passwords and encryption keys per campaign. LucidPawn queries an OAST service at dnslog[.]ink to confirm infection without requiring dedicated attacker infrastructure. The dropper implements geofencing by checking the Windows UI language setting and only executing on Traditional Chinese systems with the "zh-TW" localization. This geographic check serves two purposes: it restricts execution to the intended victims in Taiwan and Hong Kong, and it keeps the malware from running in common security sandboxes, which typically use other language configurations.


Modular Toolkit Components


The LucidRook ecosystem demonstrates a tiered, modular approach to operations. LucidPawn acts as the initial dropper, delivering first-stage payloads while maintaining stealth through anti-analysis features. LucidRook serves as the main stager, establishing persistent access and enabling flexible payload delivery. LucidKnight functions as a reconnaissance tool that gathers system information, encrypts it, and exfiltrates data via Gmail SMTP by sending ZIP attachments disguised as "Sports Information Platform" messages. Researchers observed variants where LucidPawn deployed only LucidKnight without LucidRook, suggesting the actor uses different components based on mission requirements and target profiling.


Command-and-Control Infrastructure


UAT-10362 relies on compromised or publicly accessible infrastructure rather than dedicated servers. The group abuses FTP servers using stolen or exposed credentials, often targeting companies with known open upload services. This approach minimizes the actor's infrastructure footprint and makes attribution more difficult. Communication protocols use FTP for payload delivery and OAST services for infection confirmation, distributing command-and-control functions across multiple infrastructure types. The use of public services indicates operational sophistication and an understanding of how to maintain persistence while reducing detection risk.


Threat Actor Assessment


Cisco Talos assesses UAT-10362 as a capable, mature threat actor with sophisticated operational tradecraft. The campaigns are highly targeted rather than opportunistic, focusing on specific geographic regions and victim types. The multi-language modular design, layered anti-analysis features, and victim-specific payload handling demonstrate significant technical expertise. The actor prioritizes flexibility and stealth, with infrastructure choices and geofencing techniques designed to minimize detection while maximizing targeting precision. The reconnaissance phase using LucidKnight before deploying LucidRook suggests deliberate victim profiling and a structured attack methodology.


Sources


  • https://securityaffairs.com/190598/security/uat-10362-linked-to-lucidrook-attacks-targeting-taiwan-based-institutions.html

  • https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html

  • https://www.facebook.com/thehackernews/posts/researchers-tracked-uat-10362-targeting-taiwan-via-phishingit-uses-dll-side-load/1339063654924881/

© 2025 by Explain IT Again. Powered and secured by Wix