# Sophisticated UAT-10362 Threat Cluster Deploys Novel LucidRook Malware Against Taiwanese NGOs


A previously undocumented threat cluster designated UAT-10362 has emerged as a significant concern for organizations across Taiwan, targeting non-governmental organizations (NGOs) and academic institutions through carefully crafted spear-phishing campaigns. The threat actor behind these attacks distributes LucidRook, a newly identified Lua-based malware that employs advanced obfuscation and modular architecture to evade traditional detection methods and establish persistent access within targeted networks.


## The Threat


Security researchers tracking the campaign have identified LucidRook as a sophisticated stager—a malware variant designed to serve as an entry point for secondary payload deployment. What distinguishes LucidRook from conventional malware is its hybrid architecture: the malware embeds a Lua interpreter alongside Rust-compiled libraries within a standard Windows dynamic-link library (DLL) file. This combination enables the attacker to execute complex functionality while maintaining a relatively small footprint and reducing the likelihood of triggering security alerts.


The malware's primary function appears to be reconnaissance and staging—reconnaissance to gather information about the infected system and staging to prepare the environment for additional malicious payloads. Once executed, LucidRook can download additional tools, establish command-and-control (C2) communications, and facilitate lateral movement within compromised networks.


Key characteristics of the UAT-10362 campaign:

  • Attack Vector: Spear-phishing emails with weaponized attachments
  • Primary Targets: Taiwanese NGOs and universities
  • Malware Family: LucidRook (new, previously unattributed)
  • Delivery Method: Trojanized documents and archives
  • Evasion Techniques: Lua-based scripting, Rust compilation, DLL embedding

    • ## Background and Context


    The emergence of UAT-10362 reflects a growing trend among threat actors to target organizations in Taiwan and the broader Indo-Pacific region. Taiwanese NGOs and academic institutions have increasingly become high-value targets for state-sponsored and financially motivated cybercriminals alike, as these organizations often possess sensitive information related to governance, human rights, research, and international affairs without the robust security infrastructure of larger corporations or government entities.


    Spear-phishing remains the most effective initial access method for targeted campaigns. Unlike mass-distribution phishing attacks, spear-phishing campaigns are individually crafted with organizational intelligence, often impersonating trusted partners, vendors, or colleagues. The personalization dramatically increases the likelihood of a user opening malicious attachments or clicking links, making phishing a cost-effective entry point for sophisticated threat actors.


    The use of previously undocumented malware families like LucidRook provides attackers with a significant advantage—security vendors lack signatures and behavioral profiles to detect the threat, allowing the malware to operate undetected for extended periods. This "zero-day" advantage typically remains valid until the malware is publicly disclosed and analysis becomes available to the security community.


    ## Technical Details


    LucidRook's Architecture


    LucidRook's design demonstrates notable sophistication in its hybrid approach to code execution. By embedding a Lua interpreter—a lightweight, embeddable programming language—within a compiled DLL, the attacker gains several advantages:


    1. Language Flexibility: Lua is highly flexible and powerful, allowing complex logic without requiring multiple compiled binaries. Scripts can be modified without recompiling, simplifying distribution and updates.


    2. Obfuscation: Lua bytecode can be obfuscated, making static analysis more difficult for security researchers. The use of compiled Rust libraries alongside Lua adds additional layers of complexity.


    3. Reduced Signature Footprint: By embedding the interpreter rather than relying on system-wide Lua installations, the malware reduces the likelihood of triggering behavioral detection rules that monitor for unusual interpreter usage.


    4. Environmental Flexibility: The combination of Lua scripting and Rust-compiled libraries allows the malware to perform both high-level logic (reconnaissance, decision-making) and low-level system operations (registry manipulation, process injection) without raising suspicion.


    The DLL wrapper serves as the initial loader, executing upon system startup or through document macro execution, activating the embedded Lua interpreter, which then bootstraps the attack workflow.


    Attack Chain


    The typical infection sequence appears to follow this progression:


    | Stage | Action | Purpose |

    |-------|--------|---------|

    | 1. Delivery | Spear-phishing email with malicious attachment | Initial compromise |

    | 2. Execution | Attachment downloaded and opened | Malware execution trigger |

    | 3. Staging | LucidRook DLL loaded and executed | Establish foothold |

    | 4. Reconnaissance | System enumeration via Lua scripts | Gather target information |

    | 5. C2 Communication | Contact attacker infrastructure | Receive further instructions |

    | 6. Secondary Payload | Download additional malware | Establish persistence or conduct operations |


    ## Implications for Organizations


    The UAT-10362 campaign presents significant risks to targeted organizations, with implications extending beyond the immediate infection:


    Data Exposure: NGOs and academic institutions often maintain sensitive information about dissidents, activists, research projects, and organizational strategies. Compromise of these networks could expose individuals to personal risk and compromise ongoing investigations or projects.


    Operational Disruption: Secondary payloads deployed through LucidRook could include ransomware, wiper malware, or tools designed to disrupt operations, potentially affecting critical organizational functions.


    Supply Chain Risk: Compromised NGOs and academic institutions may serve as jumping points into connected organizations, government agencies, or international partner networks.


    Attribution Challenges: The use of previously undocumented malware complicates attribution efforts, making it difficult for organizations and law enforcement to identify the responsible threat actor and implement appropriate countermeasures.


    Persistence and Dwell Time: The sophisticated nature of LucidRook suggests the attacker's intent is long-term access rather than immediate financial gain. Extended dwell time increases the likelihood of undetected data exfiltration or espionage activities.


    ## Recommendations


    Organizations, particularly NGOs and academic institutions operating in Taiwan or possessing sensitive geopolitical or research information, should implement the following measures:


    Immediate Actions:

  • Email Security: Deploy advanced email filtering with sandboxing capabilities to analyze suspicious attachments in isolated environments before reaching user inboxes
  • User Training: Conduct mandatory security awareness training focused on spear-phishing recognition, emphasizing the scrutiny of unexpected attachments or requests from external parties
  • Threat Hunting: Deploy endpoint detection and response (EDR) solutions to hunt for indicators of LucidRook execution, including Lua interpreter activity and unusual DLL loading patterns

    • Short-Term Security Enhancements:

  • Network Segmentation: Isolate sensitive systems and research databases from general-use networks to limit lateral movement following initial compromise
  • Access Controls: Implement multi-factor authentication (MFA) across all critical systems and enforce principle-of-least-privilege access policies
  • Logging and Monitoring: Enable comprehensive logging of process execution, network connections, and file system activity to detect anomalous behavior

    • Long-Term Resilience:

  • Incident Response Planning: Develop and regularly test incident response procedures specific to malware deployment and data exfiltration scenarios
  • Backup Strategy: Maintain offline, immutable backups of critical data to enable recovery following ransomware or wiper attacks
  • Security Partnerships: Engage with industry-specific Information Sharing and Analysis Centers (ISACs) and law enforcement to receive timely threat intelligence regarding emerging threats targeting your sector

    • Organizations identifying indicators of LucidRook infection or UAT-10362 activity should immediately isolate affected systems, preserve forensic evidence, and contact cybersecurity authorities and incident response specialists. Swift action can prevent secondary payload deployment and limit damage from ongoing data exfiltration.