Spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and dubious universities have been attributed to a previously undocumented threat group dubbed UAT-10362, which is deploying a new Lua-based malware called LucidRook.
“LucidRook is a sophisticated stager that embeds the Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute a staged Lua bytecode payload,” said Ashley Shen, researcher at Cisco Talos.
The cybersecurity company said it discovered the activity in October 2025. The attack uses RAR or 7-Zip archives as lures to deliver a dropper called LucidPawn, which then opens a decoy file and launches LucidRook. A notable feature of the intrusion set is the use of DLL side-loading to execute both LucidPawn and LucidRook.
There are two different infection chains that lead to LucidRook, one using a Windows Shortcut (LNK) file with a PDF icon and the other involving an executable that masquerades as Trend Micro’s antivirus program. The complete sequence is listed below –
- LNK-based infection chain – When the user clicks on the LNK file, believing it to be a PDF document, it executes a PowerShell script to run a legitimate Windows binary (“index.exe”) present in the archive, which then sideloads a malicious DLL (i.e., LucidPawn). The dropper, for its part, once again uses DLL side-loading to run LucidRook.
- EXE-based infection chain – When the so-called Trend Micro program (“cleanup.exe”) is launched from within the 7-Zip archive, it acts as a simple .NET dropper that employs DLL side-loading to run LucidRook. Upon execution, the binary displays a message stating that the cleanup process has completed.
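Both chains share one telemetry-visible trait: a benign executable running from a user-writable directory that loads a DLL sitting next to it. The following hunting logic, added here as an illustration and not code from Talos or the article, flags that pattern over constructed Sysmon-style events; all paths, PIDs and the DLL file name are invented placeholders.

```python
"""Flag DLL side-loading from user-writable directories in process-creation and
image-load telemetry, and note whether the chain started from PowerShell (LNK case)."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry (ProcessCreate and ImageLoad style records).
EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 5200, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Legitimate-looking binary launched from the extracted archive folder.
    {"type": "process", "pid": 5300, "ppid": 5200, "image": r"C:\Users\u\Downloads\Report\index.exe"},
    # Placeholder name for the DLL side-loaded from the same folder (not a real IoC).
    {"type": "imageload", "pid": 5300, "loaded": r"C:\Users\u\Downloads\Report\PLACEHOLDER_SIDELOAD.dll", "signed": False},
    {"type": "imageload", "pid": 5300, "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign control case: a system binary loading a system DLL.
    {"type": "process", "pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "imageload", "pid": 6000, "loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
]


def find_sideloading(events):
    """Return one hit per unsigned DLL loaded from its host EXE's own non-system directory."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "imageload" or e["pid"] not in procs:
            continue
        proc = procs[e["pid"]]
        exe_dir = ntpath.dirname(proc["image"]).lower() + "\\"
        dll_dir = ntpath.dirname(e["loaded"]).lower() + "\\"
        # Side-loading indicator: DLL beside the EXE, outside Windows system
        # directories, and not signed.
        if dll_dir != exe_dir or exe_dir.startswith(SYSTEM_DIRS) or e.get("signed"):
            continue
        parent = procs.get(proc["ppid"])
        via_powershell = parent is not None and ntpath.basename(parent["image"]).lower() == "powershell.exe"
        hits.append({"pid": proc["pid"], "exe": proc["image"], "dll": e["loaded"],
                     "from_powershell": via_powershell})
    return hits


if __name__ == "__main__":
    for hit in find_sideloading(EVENTS):
        print(hit)
```

The `from_powershell` flag separates the LNK-driven chain from the .NET dropper chain, where the parent would be the masquerading executable instead.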
LucidRook, a 64-bit Windows DLL, is highly obfuscated to hinder analysis and detection. Its functionality is two-fold: it collects system information and sends it to an external server, and then receives an encrypted Lua bytecode payload for subsequent decryption and execution on the compromised machine using the embedded Lua 5.4.8 interpreter.
“In both cases, the actor abused the out-of-band application security testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure,” Talos said.
LucidPawn also implements a geofencing technique that queries the system UI language and continues execution only if it matches the traditional Chinese locale associated with Taiwan (“zh-TW”). This provides a two-fold benefit, as it limits execution to the intended victim geography and avoids getting flagged in general-purpose analysis sandboxes.
Additionally, at least one version of the dropper, called LucidNite, has been found to deploy a 64-bit Windows DLL that is capable of exfiltrating system information to a temporary email address via Gmail. The presence of reconnaissance tools alongside LucidRook suggests that the adversary operates a staged toolkit, possibly using LucidNite to profile targets before delivering the LucidRook stager.
Not much is known about UAT-10362 at this stage other than the fact that it is likely a sophisticated threat actor whose campaigns tend to be targeted rather than opportunistic, prioritizing flexibility, privacy and victim-specific action.
Talos said, “The multilingual modular design, layered anti-analysis features, stealth-focused payload handling of the malware, and reliance on compromised or public infrastructure indicate that UAT-10362 is a capable threat actor with mature operational tradecraft.”