Cisco Talos attributed a previously undocumented threat cluster, UAT-10362, to spear-phishing campaigns targeting Taiwanese NGOs and suspected universities to deploy a new Lua-based stager called LucidRook. The attackers use RAR/7-Zip lures to deliver a LucidPawn dropper that leverages DLL side-loading in LNK- and EXE-based chains to launch a heavily obfuscated 64-bit LucidRook DLL that embeds a Lua interpreter, exfiltrates system data, and executes encrypted Lua bytecode; geofencing and abuse of OAST/compromised infrastructure indicate a targeted, stealthy actor. #UAT-10362 #LucidRook #LucidPawn #TaiwanNGOs
Key points:
- UAT-10362 conducted spear-phishing campaigns against Taiwanese NGOs and suspected universities to deliver LucidRook.
- Attackers used RAR/7-Zip archive lures containing LucidPawn, which employs DLL side-loading to launch payloads.
- Two infection chains exist: an LNK file that triggers PowerShell and index.exe side-loading, and a fake Trend Micro EXE that acts as a .NET dropper.
- LucidRook is a heavily obfuscated 64-bit DLL embedding Lua 5.4.8 and Rust libraries to exfiltrate system data and run encrypted Lua bytecode.
- Actors use geofencing for zh-TW systems, abuse OAST services and compromised FTP for C2, and deploy LucidKnight for reconnaissance, indicating a mature, targeted toolkit.
Read More: https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html