A new threat cluster, UAT-10362, has been identified targeting Taiwanese non-governmental organizations and universities with spear-phishing campaigns to deploy a novel Lua-based malware named LucidRook. This sophisticated stager embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute further Lua bytecode payloads, as reported by The Hacker News.

The attacks, discovered in October 2025, utilize RAR or 7-Zip archives with lures to deliver a dropper called LucidPawn. This dropper then opens a decoy file and launches LucidRook, employing DLL side-loading for execution. Two infection chains exist: one uses a Windows Shortcut (LNK) file disguised as a PDF, which executes a PowerShell script to sideload LucidPawn. The second chain involves an executable masquerading as a Trend Micro antivirus program, which acts as a .NET dropper to launch LucidRook.

LucidRook itself is a heavily obfuscated 64-bit Windows DLL designed for stealth, collecting system information and exfiltrating it to an external server before receiving and executing encrypted Lua bytecode payloads. The threat actor uses Out-of-band Application Security Testing (OAST) services and compromised FTP servers for command-and-control infrastructure. A related DLL, LucidKnight, has also been observed, capable of exfiltrating system information via Gmail, suggesting a tiered toolkit for reconnaissance before deploying LucidRook.

Source: The Hacker News
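The first delivery chain above (an archive carrying a Windows Shortcut that poses as a PDF and launches PowerShell) is the part of this report a defender can turn into a mail-gateway or sandbox triage check. The following is an added example, not code from the report or from the researchers; it does not use any indicator from the campaign. It assumes an archive listing has already been extracted into a list of entries, each with its path inside the archive and, for .lnk entries, the resolved target command line; the entry names, targets, and the `ArchiveEntry`/`triage` helpers are constructed for illustration.

```python
"""Triage heuristic for archive contents (added example, not from the report).

Flags two traits of the LNK delivery chain described in the article:
  * a .lnk entry whose name masquerades as a document (e.g. invitation.pdf.lnk)
  * a .lnk entry whose target command line launches PowerShell
Entry names and shortcut targets below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Document extensions commonly used as the "outer" name of a double-extension lure.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")

# Matches powershell / pwsh (optionally with .exe) as a whole token, whether it
# appears bare or at the end of a Windows path. Case-insensitive.
POWERSHELL_RE = re.compile(
    r'''(?i)(?:^|[\\/\s"'])(?:powershell|pwsh)(?:\.exe)?(?=[\s"']|$)'''
)


@dataclass
class ArchiveEntry:
    """One file inside a RAR/7-Zip archive (hypothetical structure)."""
    name: str          # path of the entry inside the archive
    target: str = ""   # resolved target command line, only meaningful for .lnk entries


def is_masquerading_lnk(name: str) -> bool:
    """True when a .lnk file's stem ends in a document extension (invitation.pdf.lnk)."""
    lowered = name.lower()
    if not lowered.endswith(".lnk"):
        return False
    stem = lowered[:-len(".lnk")]
    return stem.endswith(DOC_EXTENSIONS)


def launches_powershell(target: str) -> bool:
    """True when the shortcut's target command line invokes PowerShell."""
    return POWERSHELL_RE.search(target) is not None


def triage(entries: List[ArchiveEntry]) -> List[Tuple[str, List[str]]]:
    """Return (entry name, [reasons]) for every entry that trips a heuristic."""
    findings = []
    for entry in entries:
        reasons = []
        if is_masquerading_lnk(entry.name):
            reasons.append("lnk-masquerading-as-document")
        if entry.name.lower().endswith(".lnk") and launches_powershell(entry.target):
            reasons.append("lnk-launches-powershell")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


# Constructed sample listing: one benign PDF, one document-lookalike shortcut
# that starts PowerShell, one benign shortcut, and one plain shortcut to pwsh.
SAMPLE_ENTRIES = [
    ArchiveEntry("invitation.pdf"),
    ArchiveEntry(
        "invitation.pdf.lnk",
        target=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File loader.ps1",
    ),
    ArchiveEntry("readme.lnk", target=r"C:\Windows\System32\notepad.exe readme.txt"),
    ArchiveEntry("setup.lnk", target=r"pwsh.exe -NoProfile -File update.ps1"),
]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES):
        print(f"{name}: {', '.join(reasons)}")
```

The two heuristics are deliberately independent: a double extension alone is suspicious in an emailed archive, and a shortcut that launches PowerShell is worth a second look even when its name is unremarkable. Both reasons firing on the same entry, as with `invitation.pdf.lnk` above, is the pattern described in the report and a reasonable trigger for detonating the archive in a sandbox rather than delivering it.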
