#LucidRook
New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

Cisco Talos researchers tracked a new Lua-based modular backdoor called LucidRook used in October 2025 spear-phishing campaigns against NGOs and universities in Taiwan. The attacks, attributed to the threat group UAT-10362, used password-protected archives and dual infection chains that sideloaded LucidRook via a LucidPawn dropper while leveraging Lua bytecode for flexible, stealthy payload updates. #LucidRook #UAT-10362

Cisco Talos uncovered LucidRook, a Lua-based modular backdoor used in targeted spear-phishing attacks on Taiwanese NGOs and universities. The UAT-10362 group employed dual infection chains and stealthy payload updates. #LucidRook #Taiwan

UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns

Cisco Talos attributed a previously undocumented threat cluster, UAT-10362, to spear-phishing campaigns targeting Taiwanese NGOs and suspected universities to deploy a new Lua-based stager called LucidRook. The attackers use RAR/7‑Zip lures to deliver a LucidPawn dropper that leverages DLL side‑loading in LNK- and EXE-based chains to launch a heavily obfuscated 64-bit...

UAT-10362 targets Taiwanese NGOs and suspected universities using spear-phishing to deliver LucidPawn dropper and LucidRook malware. The attack leverages DLL side-loading and encrypted Lua bytecode for stealthy data exfiltration. #Taiwan #LucidRook

LucidRook Malware Targets Taiwan

~Talos~
UAT-10362 targets Taiwanese NGOs with new Lua-based LucidRook malware via spear-phishing and abused FTP servers.
-
IOCs: 1.34.253[.]131, 59.124.71[.]242, D.2fcc7078.digimg[.]store
-
#LucidRook #Malware #ThreatIntel
