thehackernews.com · 4/9/2026, 5:00:27 PM

Cisco Talos uncovers LucidRook Lua malware targeting Taiwan NGOs

CyberSIXT Evidence Panel
Threat Actor
UAT-10362

A previously undocumented threat cluster, tracked as UAT-10362, has been linked to spear-phishing campaigns against Taiwanese NGOs and, Cisco Talos suspects, universities, delivering a new Lua-based malware called LucidRook. Talos said it first observed the activity in October 2025. The lures arrive as RAR or 7-Zip archives that drop a loader called LucidPawn; LucidPawn opens a decoy document and launches LucidRook, and both components are executed through DLL side-loading rather than being run directly.

LucidRook is a 64-bit Windows DLL that embeds a Lua 5.4.8 interpreter together with Rust-compiled libraries. It collects system information, sends it to an external server and receives an encrypted Lua payload in return, which it runs as staged Lua bytecode; the implant's behaviour is therefore determined by whatever bytecode the operators serve rather than by the DLL on disk alone. Two infection paths were observed: one starting from an LNK file masquerading as a PDF and one from an EXE masquerading as a Trend Micro program, both relying on DLL side-loading to load LucidRook.
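As an added example, not code from Talos or from the article: a small Python triage helper that recognises Lua bytecode chunks (the kind of staged payload described above, once recovered from memory or decrypted) by their fixed header and reports which interpreter version they were compiled for. The header layout is Lua's own (the signature 0x1B "Lua", a version byte that is 0x54 for 5.4, a format byte, the LUAC_DATA sanity string, size bytes, then an integer probe of 0x5678 and a float probe of 370.5 in the producing build's native byte order). The sample blobs are constructed for the example. Note that the version byte only encodes 5.4, not the 5.4.8 patch level the article cites, and that the probes also reveal the integer width and endianness of the build that produced the chunk.

```python
"""Added example: recognise Lua bytecode blobs by their header and report the
version they were compiled for.  Useful for triaging a decrypted stage or a
memory dump from an implant that runs downloaded Lua bytecode."""
from __future__ import annotations

import struct

LUA_SIGNATURE = b"\x1bLua"           # first four bytes of every Lua 5.x chunk
LUAC_DATA = b"\x19\x93\r\n\x1a\n"   # 5.3/5.4 sanity bytes (catch text-mode mangling)
LUAC_INT = 0x5678                    # integer probe written after the size bytes
LUAC_NUM = 370.5                     # float probe written after the integer probe


def parse_lua_header(blob: bytes) -> dict | None:
    """Return header facts for a Lua bytecode blob, or None if it is not one.

    Only Lua 5.3 and 5.4 headers are fully validated (valid=True); other
    versions are reported by version byte alone.
    """
    if len(blob) < 6 or not blob.startswith(LUA_SIGNATURE):
        return None
    ver, fmt = blob[4], blob[5]
    info = {"version": f"{ver >> 4}.{ver & 0x0F}", "format": fmt, "valid": False}
    if fmt != 0 or ver not in (0x53, 0x54):
        return info
    off = 6
    if blob[off:off + len(LUAC_DATA)] != LUAC_DATA:
        return info
    off += len(LUAC_DATA)
    # 5.4 stores sizeof(Instruction), sizeof(lua_Integer), sizeof(lua_Number);
    # 5.3 additionally leads with sizeof(int) and sizeof(size_t).
    nsizes = 3 if ver == 0x54 else 5
    sizes = blob[off:off + nsizes]
    if len(sizes) < nsizes:
        return info
    off += nsizes
    int_size, num_size = sizes[-2], sizes[-1]
    int_fmt = {4: "i", 8: "q"}.get(int_size)
    num_fmt = {4: "f", 8: "d"}.get(num_size)
    if int_fmt is None or num_fmt is None:
        return info
    probe = blob[off:off + int_size + num_size]
    if len(probe) < int_size + num_size:
        return info
    # The probes are written in the producing machine's native byte order,
    # so try both; a match also tells us the endianness of the build.
    for endian, name in (("<", "little"), (">", "big")):
        (lint,) = struct.unpack(endian + int_fmt, probe[:int_size])
        (lnum,) = struct.unpack(endian + num_fmt, probe[int_size:])
        if lint == LUAC_INT and lnum == LUAC_NUM:
            info.update(valid=True, endian=name,
                        sizes={"lua_Integer": int_size, "lua_Number": num_size})
            break
    return info


def find_lua_chunks(buffer: bytes) -> list[tuple[int, dict]]:
    """Scan an arbitrary buffer (memory dump, decrypted stage) for Lua chunks
    whose header validates, returning (offset, header info) pairs."""
    hits = []
    start = 0
    while (idx := buffer.find(LUA_SIGNATURE, start)) != -1:
        info = parse_lua_header(buffer[idx:])
        if info and info["valid"]:
            hits.append((idx, info))
        start = idx + 1
    return hits


# Constructed samples (not real malware artefacts): a Lua 5.4 header as a
# little-endian 64-bit build would write it, a bare Lua 5.1 header, and junk.
SAMPLE_LUA54 = (LUA_SIGNATURE + b"\x54\x00" + LUAC_DATA + b"\x04\x08\x08"
                + struct.pack("<q", LUAC_INT) + struct.pack("<d", LUAC_NUM)
                + b"\x01\x00")  # upvalue count and a truncated function body
SAMPLE_LUA51 = LUA_SIGNATURE + b"\x51\x00\x01\x04\x08\x04\x08\x00"
CONSTRUCTED_DUMP = (b"\x00" * 37 + b"MZ\x90\x00" + SAMPLE_LUA51
                    + b"\xff" * 11 + SAMPLE_LUA54 + b"\x00" * 5)

if __name__ == "__main__":
    for off, info in find_lua_chunks(CONSTRUCTED_DUMP):
        print(f"offset {off:#x}: Lua {info['version']} {info['endian']}-endian, "
              f"sizes {info['sizes']}")
```

Run against a decrypted stage or a process memory dump, the scanner only reports chunks whose integer and float probes check out, so a stray "\x1bLua" inside a string table does not produce a hit; the 5.1 header in the constructed dump is deliberately skipped because this checker does not model its layout. A hit that reports a different integer width or endianness from the embedded interpreter is worth a second look, since such a chunk could not have been produced for that build.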

Cisco Talos also noted that LucidPawn checks whether the host runs a Traditional Chinese (zh-TW) locale and refuses to execute otherwise, a geofence intended to restrict execution to Taiwanese systems; for analysts this means a sandbox without a zh-TW locale will not detonate the chain. At least one dropper variant instead deploys a third component, LucidKnight, which exfiltrates collected information through Gmail. Together these point to a tiered toolkit and a targeted, stealthy operation.


Article by CyberSIXT