LucidRook Lua Malware Targets Taiwanese NGOs in Stealthy Cyber-Espionage Campaign

CyberSecureFox

A previously undocumented threat cluster, tracked by Cisco Talos as UAT-10362, has been linked to a targeted cyber‑espionage campaign against Taiwanese non‑governmental organizations and, likely, academic institutions. The operators rely on a new Lua‑based Windows malware family dubbed “LucidRook”, illustrating a broader trend: advanced threat actors are increasingly adopting less common programming languages to evade traditional detection and gain greater flexibility.

Targeted phishing campaign against Taiwanese NGOs and universities

Cisco Talos observed UAT-10362 activity beginning in October 2025. Unlike widespread, opportunistic phishing, this campaign focuses on a narrow set of carefully selected victims in Taiwan. Such precision targeting is typical of espionage‑oriented operations whose goal is long‑term data collection rather than rapid financial gain.

The intrusion begins with phishing emails containing RAR or 7‑Zip archives. Inside the archive is the LucidPawn loader, which initiates the infection chain while simultaneously opening a decoy document. This dual action is designed to reassure the recipient that a legitimate file has been opened, reducing the likelihood of suspicion or manual reporting to security teams.

Infection chain: DLL side-loading and masquerading as legitimate software

DLL side-loading as a key stealth technique

A central technique in this campaign is DLL side-loading. The attackers drop a malicious DLL into the same directory as a trusted, typically digitally signed, executable and give it the name of a library that executable imports. Because Windows' default search order checks the application's own directory before the system directories, the loader resolves that name to the attacker's DLL rather than the genuine one. The malicious code then runs inside a process whose image is legitimate, so controls that allowlist or reputation-score the executable, but not the libraries it pulls in, see nothing unusual.

UAT-10362 uses DLL side-loading to execute both LucidPawn and the main LucidRook payload. Misuse of trusted binaries to load attacker code is a well-established endpoint-evasion pattern in industry reporting such as the Verizon Data Breach Investigations Report and the ENISA Threat Landscape; this campaign is a particularly careful instance of it.

Researchers identified two primary infection branches, both culminating in LucidRook execution:

  • A Windows shortcut (LNK) file with a PDF icon, luring users into believing they are opening a regular document.
  • An executable that impersonates Trend Micro antivirus software, exploiting brand recognition to increase user trust and reduce the chance of security staff immediately flagging the process.

LucidRook: Lua-based modular stager with Rust components

The core of the operation is LucidRook, a heavily obfuscated 64‑bit DLL that embeds a Lua 5.4.8 interpreter and multiple supporting libraries compiled in Rust. This multi‑language design separates the stable “framework” from the functionality, which is delivered later as Lua bytecode modules.

After execution, LucidRook performs system reconnaissance, collecting information about the operating system version, hardware, configuration, and network environment. These details are exfiltrated to the attackers’ command‑and‑control (C2) infrastructure, which then responds with encrypted Lua bytecode. LucidRook decrypts and runs this bytecode via its embedded interpreter, enabling the operators to:

  • Continuously adapt malware capabilities without changing the main binary.
  • Deploy custom modules per victim, for example for document theft or credential harvesting.
  • Reduce network footprint by transferring compact scripts rather than full executable payloads.
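Because the modules LucidRook receives are Lua bytecode rather than source, the quickest triage step on a decrypted C2 response or a memory dump of the host process is to look for Lua binary-chunk headers. The following is an added example, not code from the article or from Cisco Talos: it parses the header layout that Lua's lundump.c writes (signature, version byte, format, LUAC_DATA, type sizes, and the LUAC_INT/LUAC_NUM check values) and scans a blob for every well-formed chunk. Note that the version byte encodes only 5.4, not the 5.4.8 patch level mentioned above; the sample blob at the bottom is constructed.

```python
"""Recognise Lua binary-chunk headers in a blob (e.g. a decrypted C2 response
or a memory dump of a process that embeds the interpreter).

Added example, not code from the article or from Cisco Talos. The header
layout follows Lua's lundump.c; the sample blob at the bottom is constructed.
"""
import struct

LUA_SIGNATURE = b"\x1bLua"             # ESC 'L' 'u' 'a'
LUAC_DATA = b"\x19\x93\r\n\x1a\n"       # corruption-detection bytes, same in 5.3 and 5.4
LUAC_INT = 0x5678                       # integer-format / endianness check value
LUAC_NUM = 370.5                        # float-format check value

# Which sizeof() bytes follow LUAC_DATA. Lua 5.4 dropped the int and size_t
# entries that 5.3 wrote, which is the quickest way to tell the two apart.
SIZE_FIELDS = {
    0x53: ("int", "size_t", "instruction", "lua_integer", "lua_number"),
    0x54: ("instruction", "lua_integer", "lua_number"),
}
INT_FMT = {4: "<i", 8: "<q"}
NUM_FMT = {4: "<f", 8: "<d"}


def parse_lua_header(blob: bytes, offset: int = 0):
    """Parse the chunk header at `offset`.

    Returns None when the bytes are not a Lua 5.3/5.4 chunk header, otherwise a
    dict with the version, the recorded type sizes, and `ok` telling whether
    the LUAC_INT / LUAC_NUM check values matched (a little-endian host build).
    """
    h = blob[offset:]
    if len(h) < 12 or not h.startswith(LUA_SIGNATURE):
        return None
    version, fmt = h[4], h[5]
    if fmt != 0 or h[6:12] != LUAC_DATA or version not in SIZE_FIELDS:
        return None
    fields = SIZE_FIELDS[version]
    pos = 12
    if len(h) < pos + len(fields):
        return None
    sizes = dict(zip(fields, h[pos:pos + len(fields)]))
    pos += len(fields)
    int_fmt = INT_FMT.get(sizes["lua_integer"])
    num_fmt = NUM_FMT.get(sizes["lua_number"])
    if int_fmt is None or num_fmt is None:
        return None
    header_len = pos + sizes["lua_integer"] + sizes["lua_number"]
    if len(h) < header_len:
        return None
    luac_int = struct.unpack_from(int_fmt, h, pos)[0]
    luac_num = struct.unpack_from(num_fmt, h, pos + sizes["lua_integer"])[0]
    return {
        "offset": offset,
        "version": f"{version >> 4}.{version & 0xF}",
        "sizes": sizes,
        "ok": sizes["instruction"] == 4 and luac_int == LUAC_INT and luac_num == LUAC_NUM,
        "header_len": header_len,
    }


def find_lua_chunks(blob: bytes) -> list:
    """Scan a blob and return every well-formed chunk header found in it."""
    found, start = [], 0
    while (i := blob.find(LUA_SIGNATURE, start)) != -1:
        hdr = parse_lua_header(blob, i)
        if hdr and hdr["ok"]:
            found.append(hdr)
        start = i + 1
    return found


def _header(version: int, sizes: bytes) -> bytes:
    return (LUA_SIGNATURE + bytes([version, 0]) + LUAC_DATA + sizes
            + struct.pack("<q", LUAC_INT) + struct.pack("<d", LUAC_NUM))


# Constructed samples: what luac 5.4 and luac 5.3 emit on a 64-bit little-endian build.
LUA54_HEADER = _header(0x54, bytes([4, 8, 8]))
LUA53_HEADER = _header(0x53, bytes([4, 8, 4, 8, 8]))
SAMPLE_BLOB = (b"\x00" * 16 + LUA54_HEADER + b"\x01@stage.lua" + b"\xff" * 32
               + LUA53_HEADER + b"\x00" * 8 + b"\x1bLua\x54\x00garbage")

if __name__ == "__main__":
    for hdr in find_lua_chunks(SAMPLE_BLOB):
        print(f"Lua {hdr['version']} chunk at offset {hdr['offset']}, sizes={hdr['sizes']}")
```

The parser stops at the end of the fixed header; the function prototype that follows (source name, line info, instructions, constants) is where the actual module logic lives and is what a full disassembler such as luac -l would show. Encrypted modules on the wire will not match, which is why this check is meant for decrypted buffers and process memory rather than raw captures.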

The C2 channel itself relies on a mix of compromised FTP servers and OAST (Out-of-band Application Security Testing) services. OAST platforms exist for penetration testers: they issue unique subdomains and record whatever DNS, HTTP or similar callbacks those names receive, so a tester can prove that a target application reached out to the internet. By piggybacking on that infrastructure and on hijacked FTP servers, UAT-10362 makes its traffic resemble legitimate security-testing or administrative activity, which complicates both attribution and blocking.

Geofencing, anti-analysis and the LucidKnight reconnaissance module

The LucidPawn loader incorporates geofencing logic. Before proceeding, it checks the system's UI language and continues only if it is Traditional Chinese as used in Taiwan ("zh-TW"). This keeps the malware from running outside the intended target region and lowers the chance of it detonating in global sandboxes or research environments, which are usually configured for English or other major languages. Analysts examining related samples should therefore set the sandbox's display language to zh-TW, or patch out the check, before expecting the loader to proceed.

In addition to LucidRook, researchers discovered at least one loader variant that deploys another DLL, LucidKnight. Like LucidRook, LucidKnight collects host information, but it exfiltrates data via a Gmail account to a temporary mailbox, using email as a covert alternative C2 channel. This multi‑channel approach reduces dependency on a single infrastructure and complicates network‑based detection, since outbound connections to popular cloud email services are often broadly allowed.
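The three channels described above (OAST callbacks, compromised FTP servers, and Gmail used as a mailbox) each leave a distinctive network footprint that a host-level network event can expose before the traffic reaches the edge. The script below is an added example, not code from the article or from Cisco Talos; it runs over constructed records shaped like Sysmon Event ID 3 (Network connection) fields. The OAST domain list is the default domains of widely used public OAST services, the mail- and FTP-client allowlists are placeholders, and the assumption that the Gmail channel uses SMTP or IMAP ports is mine: the article names neither the OAST provider nor the ports the malware used.

```python
"""Flag OAST callbacks, FTP from unexpected processes, and webmail SMTP/IMAP
from non-mail clients in Sysmon Event ID 3 (Network connection) records.

Added example, not code from the article or from Cisco Talos. The domain
suffixes, allowlists and events below are assumptions/constructions.
"""
from pathlib import PureWindowsPath

# Assumption: default domains issued by widely used public OAST services
# (Burp Collaborator and interactsh). Add any in-house OAST domains.
OAST_SUFFIXES = (".oastify.com", ".burpcollaborator.net", ".interact.sh",
                 ".oast.pro", ".oast.live", ".oast.site", ".oast.online",
                 ".oast.fun", ".oast.me")
FTP_PORTS = {21, 990}
# Assumption: the Gmail channel is reached over SMTP submission or IMAP.
WEBMAIL_HOSTS = {"smtp.gmail.com": {465, 587}, "imap.gmail.com": {993}}
# Assumption: processes allowed to speak SMTP/IMAP or FTP in this environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify_connection(event: dict):
    """Return a finding for one Sysmon 3 event, or None."""
    image = _image_name(event["Image"])
    # Sysmon writes "-" when it could not resolve a name; that simply matches nothing.
    host = event.get("DestinationHostname", "-").lower().rstrip(".")
    port = int(event.get("DestinationPort", 0))
    dest = f"{host}:{port}"
    if any(host.endswith(s) for s in OAST_SUFFIXES):
        return {"rule": "oast-callback", "image": image, "dest": dest}
    if port in FTP_PORTS and image not in FTP_CLIENTS:
        return {"rule": "ftp-from-unexpected-process", "image": image, "dest": dest}
    if host in WEBMAIL_HOSTS and port in WEBMAIL_HOSTS[host] and image not in MAIL_CLIENTS:
        return {"rule": "webmail-from-non-mail-client", "image": image, "dest": dest}
    return None


def triage_connections(events) -> list:
    return [f for f in (classify_connection(e) for e in events) if f]


# Constructed sample events (not real telemetry); the OAST subdomain is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Report\Report.exe",
     "DestinationHostname": "c4k2xq.oast.fun", "DestinationPort": "80"},
    {"Image": r"C:\Users\alice\Downloads\Report\Report.exe",
     "DestinationHostname": "ftp.example.net", "DestinationPort": "21"},
    {"Image": r"C:\Users\alice\Downloads\Report\Report.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": "587"},
    {"Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationHostname": "imap.gmail.com", "DestinationPort": "993"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for f in triage_connections(SAMPLE_EVENTS):
        print(f["rule"], f["image"], "->", f["dest"])
```

The process-aware rules matter more than the destination rules: Gmail and FTP are both legitimate in most organisations, so blocking them outright is rarely an option, but a freshly extracted executable in Downloads has no business opening either.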

The co-installation of LucidRook and LucidKnight on the same hosts suggests a layered toolset: LucidKnight likely serves as a lightweight profiler that confirms access and lets the operators judge a victim's value, while LucidRook acts as the flexible staging platform for deeper operations such as long-term espionage, lateral movement, and theft of sensitive internal documents.

Taken together, DLL side-loading, locale-based geofencing, Lua bytecode staging, Rust-backed modularity, and the abuse of OAST, FTP, and Gmail add up to a mature operational playbook consistent with state-aligned or state-sponsored espionage tradecraft. For NGOs, universities, and other high-value organizations in the region, basic antivirus is not enough. Measures that follow directly from this campaign's tradecraft:

  • Inspect archives at the mail gateway, and treat LNK files and executables inside RAR or 7-Zip attachments as high-risk regardless of the icon they carry.
  • Restrict DLL loading with application-control rules (for example WDAC or AppLocker DLL rules) and alert on signed executables that load unsigned libraries from user-writable directories.
  • Monitor egress for DNS and HTTP callbacks to OAST providers, FTP connections from unexpected processes, and SMTP/IMAP sessions to webmail services from anything that is not a mail client.
  • Deploy EDR/XDR that can correlate the multi-stage loader behaviour described above with these network patterns.

Equally important are regular phishing-awareness programs and periodic reviews of access rights, so that even if an initial compromise occurs, the attacker's ability to move laterally and extract critical data is sharply limited.
