Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
UAT-10362: LucidRook Malware Targets Taiwanese NGOs

UAT-10362: LucidRook Malware Targets Taiwanese NGOs

Posted on April 9, 2026 By CWS

A previously unidentified cyber threat group, designated UAT-10362, has been linked to spear-phishing attacks aimed at non-governmental organizations (NGOs) in Taiwan. These attacks utilize a novel Lua-based malware known as LucidRook, targeting these organizations to deploy malicious payloads. Cisco Talos researcher Ashley Shen highlighted that LucidRook is a complex stager that incorporates a Lua interpreter and Rust-compiled libraries within a DLL to download and execute staged Lua bytecode payloads.

Details of the Attack

The cybersecurity firm observed these activities starting in October 2025. The attackers employed RAR or 7-Zip archive files as lures, which contained a dropper named LucidPawn. This dropper initiates the attack by opening a decoy file and subsequently launching LucidRook. A defining feature of the attack is the use of DLL side-loading to execute both LucidPawn and LucidRook.

There are two primary infection chains leading to LucidRook. The first involves a Windows Shortcut (LNK) file with a PDF icon, which when clicked, runs a PowerShell script that executes a Windows binary (“index.exe”) to sideload a malicious DLL, LucidPawn. The second chain involves an executable disguised as a Trend Micro antivirus program (“Cleanup.exe”), which acts as a .NET dropper to run LucidRook. Once executed, it displays a cleanup completion message.

Technical Mechanisms

LucidRook, a heavily obfuscated 64-bit Windows DLL, is designed to evade detection and analysis. It serves dual purposes: collecting system information to send to an external server and receiving encrypted Lua bytecode payloads for decryption and execution on the infected machine via an embedded Lua 5.4.8 interpreter. The attackers utilized an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for their command-and-control (C2) operations.

To further target specificity, LucidPawn employs geofencing by querying the system UI language and proceeding only if it matches Traditional Chinese settings linked with Taiwan. This strategy helps focus the attack on intended victims while avoiding detection in common analysis environments.

Implications and Future Outlook

One variant of the dropper, LucidKnight, has been discovered to exfiltrate system information to a temporary Gmail address, indicating the adversary’s use of a multi-tiered toolkit. This suggests a methodical approach where LucidKnight profiles targets before deploying LucidRook. Although much about UAT-10362 remains unknown, current evidence points to a sophisticated threat actor prioritizing targeted attacks rather than opportunistic ones.

Cisco Talos emphasizes that the threat actor’s use of modular malware design, anti-analysis features, and reliance on compromised infrastructure showcases their advanced operational techniques. As such, UAT-10362 represents a significant cyber threat with mature tradecraft, necessitating vigilance and enhanced security measures from potential targets.

The Hacker News Tags:cyber threat, Cybersecurity, DLL side-loading, Lua malware, LucidRook, Malware, Rust libraries, spear-phishing, Taiwan NGOs, UAT-10362

Post navigation

Previous Post: New MacOS Malware Targets Crypto Wallets with ClickFix
Next Post: STX RAT Emerges as a Stealthy Cyber Threat

Related Posts

Why IT Leaders Must Rethink Backup in the Age of Ransomware Why IT Leaders Must Rethink Backup in the Age of Ransomware The Hacker News
AI Browsers Vulnerable to Phishing Attacks: A Security Concern AI Browsers Vulnerable to Phishing Attacks: A Security Concern The Hacker News
New Android Trojan “Datzbro” Tricking Elderly with AI-Generated Facebook Travel Events New Android Trojan “Datzbro” Tricking Elderly with AI-Generated Facebook Travel Events The Hacker News
Mistic Backdoor Tied to KongTuke in Recent Cyber Campaigns Mistic Backdoor Tied to KongTuke in Recent Cyber Campaigns The Hacker News
OpenAI Unveils Codex Security for Vulnerability Detection OpenAI Unveils Codex Security for Vulnerability Detection The Hacker News
GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Helix Group Exploits Phishing to Access SharePoint Data
  • AI Tools Vulnerable to Classic Hacking Tactic
  • Chrome 150 Update Fixes Critical Security Flaws
  • Meta’s AI Tool Utilizes Public Instagram for Image Creation
  • Critical PAN-OS Flaw Exposes Devices to Code Execution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Helix Group Exploits Phishing to Access SharePoint Data
  • AI Tools Vulnerable to Classic Hacking Tactic
  • Chrome 150 Update Fixes Critical Security Flaws
  • Meta’s AI Tool Utilizes Public Instagram for Image Creation
  • Critical PAN-OS Flaw Exposes Devices to Code Execution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark