In a concerning development, cybersecurity researchers at Cisco Talos have uncovered a highly targeted spear-phishing campaign aimed at organizations in Taiwan. First identified in October 2025, the operation has been linked to a threat group known as UAT-10362, which is using deceptive tactics to distribute a sophisticated malware strain called LucidRook.

What makes this campaign particularly dangerous is how convincingly the attackers disguise their entry points. Victims receive emails sent through legitimate mail systems, making them appear trustworthy at first glance. These emails contain shortened links that lead to password-protected files, with the password included in the message itself, which lowers suspicion and encourages the recipient to open the file. Once opened, the files trigger a chain of events designed to quietly infiltrate the system.

The attackers rely on two primary techniques to execute their attack. In one approach, victims unknowingly click on hidden shortcut files buried within folders that appear harmless. This action launches a malicious dropper known as LucidPawn, while simultaneously displaying a decoy document—often a forged Taiwanese government notice—to distract the user. Behind the scenes, the malware embeds itself within standard Windows processes, making detection extremely difficult.

In the second method, the attackers take impersonation a step further by presenting a fake version of Trend Micro Worry-Free Business Security. The application looks legitimate, complete with branding and interface elements, but once executed, it installs LucidRook onto the system. To maintain the illusion, it even displays a reassuring “cleanup complete” message, leaving victims unaware of the compromise.

LucidRook itself is a powerful and flexible malware. It includes a built-in interpreter that allows attackers to send custom commands to infected systems in real time. These commands are executed in memory and quickly erased, leaving minimal traces behind. This level of stealth makes it extremely challenging for security teams to analyze or track the attacker’s activities.

Once inside a system, the malware begins collecting sensitive information, including system configurations, active processes, and user data. This information is encrypted and exfiltrated in a clever way—rather than using dedicated infrastructure, the attackers exploit publicly accessible FTP servers belonging to local Taiwanese printing companies. These servers had weak or exposed credentials, allowing attackers to quietly store stolen data without raising alarms.

Researchers also identified a related tool called LucidKnight, which operates alongside LucidRook. Unlike its counterpart, LucidKnight is lighter and focuses on gathering system data and sending it directly to attackers via a concealed Gmail account. This dual-tool strategy enhances the attackers’ ability to maintain persistence and expand their intelligence collection.

Overall, the campaign highlights a growing trend in cyberattacks where social engineering, trusted-looking tools, and legitimate infrastructure are combined to evade detection. The precision of the targeting and the level of sophistication suggest a well-organized operation with a clear objective: to remain hidden while extracting valuable data from specific organizations in Taiwan.
