A newly identified cyber espionage campaign is targeting organizations in Taiwan, highlighting the growing sophistication of threat actors in the cybertech ecosystem. Researchers from Cisco Talos have uncovered activity linked to a previously undocumented group known as UAT-10362, which is deploying a Lua-based malware called LucidRook through targeted spear-phishing attacks.

The UAT-10362 LucidRook malware campaign focuses primarily on Taiwanese non-governmental organizations and suspected academic institutions. The attackers use carefully crafted phishing emails containing RAR or 7-Zip archives that deliver a dropper named LucidPawn. Once executed, the dropper launches LucidRook while presenting a decoy file to avoid raising suspicion.

According to Cisco Talos researcher Ashley Shen, “LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads.” This design allows the malware to dynamically load and execute additional components, making detection and analysis more difficult.

The attack relies heavily on DLL side-loading techniques to execute malicious code while appearing legitimate. Two primary infection chains have been identified. In one scenario, a Windows shortcut file disguised as a PDF triggers a PowerShell script that loads a legitimate executable, which then sideloads the LucidPawn dropper. In another method, a fake antivirus application impersonating Trend Micro is used to execute the same payload through a .NET-based dropper.

Once deployed, LucidRook performs system reconnaissance and exfiltrates data to external servers. It then retrieves encrypted Lua-based payloads, decrypts them, and executes them directly in memory using an embedded interpreter. This modular architecture enables attackers to adapt their operations based on the target environment.

The campaign also incorporates advanced evasion techniques. LucidPawn includes geofencing functionality that checks the system language and proceeds only if it matches Traditional Chinese settings associated with Taiwan. This helps attackers avoid detection in automated analysis environments while ensuring the malware is executed only on intended targets.

Researchers also identified a related tool, LucidKnight, which can exfiltrate system data via Gmail to temporary email accounts. This suggests the attackers are using a layered toolkit, potentially conducting reconnaissance before deploying more advanced payloads like LucidRook.

The UAT-10362 LucidRook malware campaign uses a mix of compromised FTP servers and public infrastructure for command and control operations, along with out-of-band application security testing (OAST) services. These tactics, combined with heavy obfuscation and modular design, indicate a mature and well-resourced threat actor.

Cisco Talos noted that the group demonstrates strong operational discipline, with a focus on stealth, flexibility, and targeted execution rather than broad opportunistic attacks. The campaign underscores the increasing risks faced by NGOs and academic institutions, which are often targeted for sensitive data and geopolitical intelligence.

The UAT-10362 LucidRook malware campaign reflects a broader trend of highly targeted cyber operations leveraging advanced techniques to evade detection and maintain persistence. As threat actors continue to refine their methods, organizations must strengthen email security, monitor for unusual system behavior, and implement layered defenses to mitigate such sophisticated attacks.
