Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
UAT-10362: LucidRook Malware Targets Taiwanese NGOs

UAT-10362: LucidRook Malware Targets Taiwanese NGOs

Posted on April 9, 2026 By CWS

A previously unidentified cyber threat group, designated UAT-10362, has been linked to spear-phishing attacks aimed at non-governmental organizations (NGOs) in Taiwan. These attacks utilize a novel Lua-based malware known as LucidRook, targeting these organizations to deploy malicious payloads. Cisco Talos researcher Ashley Shen highlighted that LucidRook is a complex stager that incorporates a Lua interpreter and Rust-compiled libraries within a DLL to download and execute staged Lua bytecode payloads.

Details of the Attack

The cybersecurity firm observed these activities starting in October 2025. The attackers employed RAR or 7-Zip archive files as lures, which contained a dropper named LucidPawn. This dropper initiates the attack by opening a decoy file and subsequently launching LucidRook. A defining feature of the attack is the use of DLL side-loading to execute both LucidPawn and LucidRook.

There are two primary infection chains leading to LucidRook. The first involves a Windows Shortcut (LNK) file with a PDF icon, which when clicked, runs a PowerShell script that executes a Windows binary (“index.exe”) to sideload a malicious DLL, LucidPawn. The second chain involves an executable disguised as a Trend Micro antivirus program (“Cleanup.exe”), which acts as a .NET dropper to run LucidRook. Once executed, it displays a cleanup completion message.

Technical Mechanisms

LucidRook, a heavily obfuscated 64-bit Windows DLL, is designed to evade detection and analysis. It serves dual purposes: collecting system information to send to an external server and receiving encrypted Lua bytecode payloads for decryption and execution on the infected machine via an embedded Lua 5.4.8 interpreter. The attackers utilized an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for their command-and-control (C2) operations.

To further target specificity, LucidPawn employs geofencing by querying the system UI language and proceeding only if it matches Traditional Chinese settings linked with Taiwan. This strategy helps focus the attack on intended victims while avoiding detection in common analysis environments.

Implications and Future Outlook

One variant of the dropper, LucidKnight, has been discovered to exfiltrate system information to a temporary Gmail address, indicating the adversary’s use of a multi-tiered toolkit. This suggests a methodical approach where LucidKnight profiles targets before deploying LucidRook. Although much about UAT-10362 remains unknown, current evidence points to a sophisticated threat actor prioritizing targeted attacks rather than opportunistic ones.

Cisco Talos emphasizes that the threat actor’s use of modular malware design, anti-analysis features, and reliance on compromised infrastructure showcases their advanced operational techniques. As such, UAT-10362 represents a significant cyber threat with mature tradecraft, necessitating vigilance and enhanced security measures from potential targets.

The Hacker News Tags:cyber threat, Cybersecurity, DLL side-loading, Lua malware, LucidRook, Malware, Rust libraries, spear-phishing, Taiwan NGOs, UAT-10362

Post navigation

Previous Post: New MacOS Malware Targets Crypto Wallets with ClickFix
Next Post: STX RAT Emerges as a Stealthy Cyber Threat

Related Posts

Critical Flaw in Funnel Builder Targets WooCommerce Critical Flaw in Funnel Builder Targets WooCommerce The Hacker News
ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach The Hacker News
BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan The Hacker News
Iranian Hackers Compromise FBI Director’s Email, Attack Stryker Iranian Hackers Compromise FBI Director’s Email, Attack Stryker The Hacker News
Webinar Reveals Strategies Against Stealth Cyber Breaches Webinar Reveals Strategies Against Stealth Cyber Breaches The Hacker News
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Addresses Crucial Zero-Day in Defender
  • Data Breach at Mount Royal University Revealed
  • Microsoft Secures Defender Against Critical Privilege Flaw
  • Helix Group Exploits Phishing to Access SharePoint Data
  • AI Tools Vulnerable to Classic Hacking Tactic

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Addresses Crucial Zero-Day in Defender
  • Data Breach at Mount Royal University Revealed
  • Microsoft Secures Defender Against Critical Privilege Flaw
  • Helix Group Exploits Phishing to Access SharePoint Data
  • AI Tools Vulnerable to Classic Hacking Tactic

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark