Ethical Hacking News
Recently discovered, UAT-10362 is a highly sophisticated threat cluster targeting Taiwanese NGOs and suspected universities with a novel Lua-based malware called LucidRook. This spear-phishing campaign showcases the advanced tactics employed by a previously undocumented threat actor, highlighting the need for robust security measures to prevent similar attacks.
The UAT-10362 campaign targets Taiwanese NGOs and suspected universities with a novel Lua-based malware called LucidRook. The campaign uses a multifaceted approach, including RAR or 7-Zip archive lures, decoy files, and Trend Micro antivirus software, to deceive victims. The primary vector for delivering LucidRook is a Windows Shortcut (LNK) file that sideloads a malicious DLL. The malware employs geofencing, executing only in Traditional Chinese environments associated with Taiwan. A variant of the LucidPawn dropper deploys a 64-bit Windows DLL named LucidKnight to exfiltrate system information via Gmail. The operational tradecraft suggests a sophisticated threat actor with mature tactics and advanced tools, and the campaign is attributed to a previously undocumented threat cluster.
The threat landscape has witnessed numerous advancements in recent times, as malicious actors continually push the boundaries of sophistication and cunning. A recent discovery by Cisco Talos researchers has shed light on a particularly insidious campaign dubbed UAT-10362, which targets Taiwanese non-governmental organizations (NGOs) and suspected universities with a novel Lua-based malware called LucidRook.
According to reports, this spear-phishing campaign employs a multifaceted approach to deceive victims, leveraging tactics such as RAR or 7-Zip archive lures, decoy files, and even seemingly innocuous Trend Micro antivirus software. The primary vector for delivering LucidRook is a Windows Shortcut (LNK) file which, upon execution, initiates a PowerShell script that sideloads a malicious DLL (LucidPawn). This dropper then employs DLL side-loading to execute the highly obfuscated LucidRook, further complicating detection and analysis.
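Because the chain described above starts with a shortcut file, the first thing a responder usually wants is to see what the LNK actually launches without opening it. The following is an added example, not code from the article or from Cisco Talos: a small parser for the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields) that extracts the target's command-line arguments and applies a few triage heuristics. The marker list, the sample shortcut built by `build_sample_lnk`, and the file names in it are constructed for illustration and are not indicators from the campaign.

```python
"""Parse a Windows Shortcut (.LNK) and flag suspicious launch arguments.

Added example for triage of LNK lures. Implements enough of MS-SHLLINK to
reach the StringData section, where an LNK lure carries the PowerShell
invocation. The sample shortcut is constructed inline (not a real sample).
"""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialized little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value often used to keep the console out of sight

# Triage markers (assumed heuristics, tune to your environment)
SUSPICIOUS_MARKERS = (
    "powershell", "pwsh", "-enc", "-encodedcommand", "-w hidden",
    "-windowstyle hidden", "bypass", "rundll32", "regsvr32", "mshta", "cmd /c",
)


def parse_lnk(data: bytes) -> dict:
    """Return the ShowCommand and StringData fields of a shortcut."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shortcut")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:        # u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + count * 2], pos + count * 2
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("latin-1")

    fields = {"show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & bit else ""
    return fields


def suspicious_indicators(fields: dict) -> list:
    """Heuristics for an LNK lure: scripting hosts in the target/arguments, hidden window."""
    found = []
    haystack = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in haystack:
            found.append(f"marker:{marker}")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        found.append("show_command:minimized")
    return found


def build_sample_lnk(arguments: str,
                     relative_path: str = "..\\..\\Windows\\System32\\cmd.exe",
                     show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Unicode shortcut with only StringData (test input, not a real sample)."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24  # CreationTime, AccessTime, WriteTime
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)
    if len(header) != HEADER_SIZE:
        raise RuntimeError("header layout error")

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc("Report.pdf") + enc(relative_path) + enc(arguments)


if __name__ == "__main__":
    sample = build_sample_lnk("/c powershell -w hidden -ep bypass -File .\\setup.ps1")
    parsed = parse_lnk(sample)
    print(parsed)
    print(suspicious_indicators(parsed))
```

The parser stops after StringData; the ExtraData blocks that follow (which can hold an environment-variable path that replaces the visible target) are not read here, so a clean result from this script is not proof that a shortcut is benign.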
One of the most striking aspects of UAT-10362 is its use of geofencing techniques. The malware specifically queries the system UI language and continues execution only if it matches Traditional Chinese environments associated with Taiwan ("zh-TW"). This limitation not only restricts execution to the intended victim geography but also helps avoid detection in common analysis sandboxes.
Furthermore, at least one variant of LucidPawn has been discovered to deploy a 64-bit Windows DLL named LucidKnight that can exfiltrate system information via Gmail to a temporary email address. The presence of this reconnaissance tool alongside LucidRook suggests that the adversary operates a tiered toolkit, potentially using LucidKnight to profile targets before delivering the LucidRook stager.
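Exfiltration through Gmail blends into normal traffic, so a useful control is to ask which processes on a workstation are allowed to reach Gmail endpoints at all. The following is an added example, not code from the article or from Cisco Talos: a detection pass over egress telemetry that reports non-mail processes connecting to Gmail SMTP/IMAP/web endpoints and aggregates their outbound volume. The log format, the field names, the process allow-list and the log lines themselves are constructed assumptions; the process names shown as offenders are placeholders for whatever host process would carry a side-loaded DLL in a real environment.

```python
"""Report non-mail-client processes that connect to Gmail endpoints.

Added example for detecting mail-based exfiltration. The telemetry format,
allow-list and sample lines are constructed; tune them to your own
proxy/EDR data before use.
"""
import re

# Constructed telemetry in a hypothetical egress format:
# <timestamp> <host> <process image> <destination> <port> <bytes out>
SAMPLE_LOG = """\
2026-04-09T08:12:01Z WS-NGO-04 outlook.exe smtp.gmail.com 587 18220
2026-04-09T08:12:44Z WS-NGO-04 chrome.exe mail.google.com 443 90211
2026-04-09T08:13:09Z WS-NGO-07 rundll32.exe smtp.gmail.com 587 6144
2026-04-09T08:13:10Z WS-NGO-07 rundll32.exe smtp.gmail.com 587 5890
2026-04-09T08:20:33Z WS-NGO-11 updater.exe smtp.gmail.com 465 7310
2026-04-09T08:21:02Z WS-NGO-11 teams.exe api.example.invalid 443 1024
"""

GMAIL_ENDPOINTS = {
    ("smtp.gmail.com", 587), ("smtp.gmail.com", 465),
    ("imap.gmail.com", 993), ("mail.google.com", 443),
}
# Processes expected to talk to Gmail on a managed workstation (assumption)
MAIL_CAPABLE = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line: str):
    """Parse one telemetry line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, image, dest, port, nbytes = m.groups()
    return {"ts": ts, "host": host, "image": image.lower(),
            "dest": dest.lower(), "port": int(port), "bytes": int(nbytes)}


def find_unexpected_gmail_senders(log_text: str) -> dict:
    """Return {(host, image): {connections, bytes_out, first_seen}} for
    processes outside the allow-list that reached a Gmail endpoint."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or (ev["dest"], ev["port"]) not in GMAIL_ENDPOINTS:
            continue
        if ev["image"] in MAIL_CAPABLE:
            continue
        key = (ev["host"], ev["image"])
        entry = hits.setdefault(key, {"connections": 0, "bytes_out": 0, "first_seen": ev["ts"]})
        entry["connections"] += 1
        entry["bytes_out"] += ev["bytes"]
    return hits


def format_alerts(hits: dict) -> list:
    """Render one alert line per offending (host, process) pair, ordered by bytes out."""
    rows = sorted(hits.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [f"{host}: {image} reached Gmail {v['connections']}x, {v['bytes_out']} bytes out, first {v['first_seen']}"
            for (host, image), v in rows]


if __name__ == "__main__":
    for alert in format_alerts(find_unexpected_gmail_senders(SAMPLE_LOG)):
        print(alert)
```

A plain allow-list is noisy in environments where browsers and mail clients are not the only legitimate Gmail users, so in practice the list is built from a baseline of observed processes, and the bytes-out figure is what separates a beacon-sized check-in from a system-information dump.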
The operational tradecraft employed by UAT-10362 indicates a sophisticated threat actor with mature tactics. The malware's modular design, layered anti-analysis features, and reliance on compromised or public infrastructure all point towards a highly capable and adaptable adversary. Moreover, the incorporation of a Lua 5.4.8 interpreter within LucidRook further underscores the advanced nature of this campaign.
Cisco Talos researchers have attributed UAT-10362 to a previously undocumented threat cluster, suggesting a sophisticated threat actor whose campaigns are targeted rather than opportunistic. As such, it is crucial for organizations and individuals to remain vigilant and implement robust security measures to prevent similar attacks from succeeding.
In conclusion, the discovery of UAT-10362 serves as a stark reminder of the evolving threat landscape and the importance of staying informed about emerging malware tactics. By understanding the sophisticated methods employed by this campaign, organizations can take proactive steps to fortify their defenses and protect themselves against similar spear-phishing attempts in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Spear-Phishing-Campaign-Unfolds-The-Rise-of-UAT-10362-ehn.shtml
Published: Thu Apr 9 13:07:53 2026 by llama3.2 3B Q4_K_M