LucidRook Malware Targets Taiwanese NGOs in Sophisticated Spear-Phishing Campaign
A newly discovered malware strain named LucidRook is being deployed in targeted spear-phishing attacks against Taiwanese NGOs and universities. The threat actor, dubbed **UAT-10362**, employs sophisticated techniques, including DLL side-loading and Lua-based payloads, to compromise systems.

**Cisco Talos** researchers have uncovered a targeted campaign against Taiwanese non-governmental organizations (NGOs) and universities, attributing the activity to a previously undocumented threat cluster they've named **UAT-10362**. The attacks involve the deployment of a new Lua-based malware called **LucidRook**.
### LucidRook: A Sophisticated Malware Stager
According to **Ashley Shen**, a researcher at Cisco Talos, "LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads." The malware utilizes advanced obfuscation techniques to evade detection and analysis.
Talos discovered this activity in October 2025, noting that the attacks utilize RAR or 7-Zip archives as lures to deliver a dropper called **LucidPawn**, which then opens a decoy file and launches LucidRook. A key characteristic of this intrusion set is its reliance on DLL side-loading to execute both LucidPawn and LucidRook.
### Infection Chains: LNK Files and Fake Antivirus
Talos observed two primary infection chains leading to LucidRook:
* **LNK-based infection chain:** This method involves a Windows Shortcut (LNK) file disguised with a PDF icon. When clicked, the LNK file executes a PowerShell script that runs a legitimate Windows binary (`index.exe`) present in the archive. This binary then side-loads the malicious DLL (LucidPawn), which, in turn, uses DLL side-loading to execute LucidRook.
* **EXE-based infection chain:** This method uses an executable that masquerades as an antivirus program from **Trend Micro** (`Cleanup.exe`). When launched, it acts as a .NET dropper that employs DLL side-loading to run LucidRook. Upon execution, the binary displays a message claiming that the cleanup process has completed.
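Both chains above share one observable: an executable launched from a user-writable directory (by a PowerShell script in the LNK chain, by the user in the `Cleanup.exe` chain) that then loads an unsigned DLL from its own directory. The following hunting script is an added example, not Talos's code or any detection from the report; it runs over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The DLL names, paths, PIDs and the set of "user-writable" directory hints are assumptions for illustration, and the `Signed` field is modelled as a boolean rather than Sysmon's `"true"`/`"false"` string.

```python
"""Hunt for the side-loading pattern described in the LNK and EXE chains
over constructed Sysmon-style events (example code, sample data is made up)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an archive lure is typically extracted into or run from.
# Assumption for illustration; tune this list to your environment.
USER_WRITABLE_HINTS = ("\\Temp\\", "\\Downloads\\", "\\AppData\\", "\\Desktop\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory an ordinary user can write to."""
    return any(hint.lower() in path.lower() for hint in USER_WRITABLE_HINTS)


def hunt(events):
    """Return alerts for (1) script hosts launching binaries from user-writable
    dirs and (2) such binaries loading an unsigned DLL from their own directory."""
    alerts = []
    tracked = {}  # pid -> image path of processes started from user-writable dirs
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image, parent = ev["Image"], ev["ParentImage"]
            if not is_user_writable(image):
                continue
            tracked[ev["ProcessId"]] = image
            if PureWindowsPath(parent).name.lower() in SCRIPT_HOSTS:
                alerts.append(Alert("script-host-launched-binary-from-user-dir",
                                    ev["ProcessId"], image))
        elif ev["EventID"] == 7:  # image (DLL) load
            pid = ev["ProcessId"]
            if pid not in tracked:
                continue
            loaded = ev["ImageLoaded"]
            # PureWindowsPath equality is case-insensitive, as on NTFS.
            same_dir = PureWindowsPath(loaded).parent == PureWindowsPath(tracked[pid]).parent
            if same_dir and not ev.get("Signed", False):
                alerts.append(Alert("unsigned-dll-loaded-from-process-dir", pid, loaded))
    return alerts


# Constructed sample telemetry: a PowerShell-launched index.exe side-loading an
# unsigned DLL, a user-launched Cleanup.exe doing the same, and a benign
# vendor app loading its own unsigned plugin from Program Files (not flagged).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Users\alice\Downloads\report\index.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "ProcessId": 4100,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"EventID": 7, "ProcessId": 4100,
     "ImageLoaded": r"C:\Users\alice\Downloads\report\helper.dll", "Signed": False},
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\Users\alice\Downloads\Cleanup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 5200,
     "ImageLoaded": r"C:\Users\alice\Downloads\support.dll", "Signed": False},
    {"EventID": 1, "ProcessId": 6000,
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 6000,
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": False},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

On the sample data the script raises one stage-1 alert for `index.exe` (script-host parent) and one side-loading alert each for `index.exe` and `Cleanup.exe`; the vendor application in `Program Files` is never tracked, so its unsigned plugin load stays quiet. In production the same-directory check is the part worth keeping, since legitimate installers and portable apps will trip the first rule far more often than the second.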

### Technical Details of LucidRook
LucidRook is a 64-bit Windows DLL that is heavily obfuscated to hinder analysis and detection. Its core functionalities include:
* **System Information Gathering:** Collecting system information and exfiltrating it to an external server.
* **Lua Payload Execution:** Receiving an encrypted Lua bytecode payload, decrypting it, and executing it using the embedded Lua 5.4.8 interpreter.
Talos also noted that the threat actors abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure.
### Geofencing and Reconnaissance
LucidPawn incorporates a geofencing technique that checks the system UI language. It only continues execution if the language matches Traditional Chinese environments associated with Taiwan ("zh-TW"). This limits the scope of the attack to the intended victims and helps avoid detection in common analysis sandboxes.
Additionally, one variant of the dropper deploys a 64-bit Windows DLL named **LucidKnight**, which can exfiltrate system information via Gmail to a temporary email address. The presence of this reconnaissance tool suggests that the adversary may be using it to profile targets before deploying LucidRook.
### UAT-10362: A Sophisticated Threat Actor
While much remains unknown about UAT-10362, it is evident that the group is a sophisticated threat actor conducting targeted campaigns with a focus on flexibility, stealth, and victim-specific tasking.
Talos concludes that the multi-language modular design, layered anti-analysis features, stealth-focused payload handling, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft.