A new threat cluster uses stealth, modular malware, and DLL side-loading to evade detection and maintain persistence

A newly identified threat group, UAT-10362, is conducting highly targeted spear-phishing campaigns against Taiwanese NGOs and academic institutions. These attacks deploy a sophisticated Lua-based malware known as LucidRook, designed for stealth, flexibility, and long-term access.

Unlike mass phishing campaigns, this operation focuses on specific victims, which increases its success rate and makes detection more difficult.

How the Attack Begins

The campaign starts with carefully crafted phishing lures.

Attackers deliver malicious files through:

  • RAR or 7-Zip archives
  • Disguised documents (e.g., fake PDFs)
  • Fake antivirus software installers

For example, a malicious file may appear as a harmless document or a legitimate security tool. However, once the victim interacts with it, the attack chain begins.

Two Infection Paths Used

The attackers use two primary methods to infect systems.

1. LNK-Based Attack
A shortcut file disguised as a PDF triggers a PowerShell script. This script runs a legitimate Windows binary, which then loads a malicious DLL.

2. EXE-Based Attack
A fake antivirus application executes a dropper that silently loads the malware in the background.

In both cases, attackers rely on DLL side-loading, a technique that uses legitimate applications to load malicious code.

What Makes LucidRook Dangerous

LucidRook is not a simple malware—it is a multi-stage, modular stager.

It:

  • Embeds a Lua interpreter
  • Uses Rust-based components
  • Executes encrypted payloads in memory
  • Avoids traditional detection methods

Additionally, it collects system information and sends it to attacker-controlled servers before executing further commands.

Because of this design, the malware can adapt its behavior based on the target.

Advanced Evasion Techniques

The campaign includes several stealth-focused features.

For instance:

  • Heavy obfuscation to prevent analysis
  • Use of compromised FTP servers for command-and-control
  • Abuse of public infrastructure for communication

Moreover, the malware uses geofencing.

It checks the system language and only executes if it matches Taiwanese environments (zh-TW). As a result, it avoids detection in global security testing environments.

Additional Payloads and Capabilities

In some cases, attackers deploy an additional tool called LucidKnight.

This malware:

  • Collects system intelligence
  • Sends data through Gmail-based exfiltration
  • Profiles the target before further exploitation

Therefore, the attackers use a layered approach, starting with reconnaissance and moving toward deeper compromise.

Why This Campaign Stands Out

This operation reflects a shift toward precision attacks.

Key characteristics include:

  • Targeted victim selection
  • Multi-stage infection chains
  • Modular malware design
  • Strong anti-analysis techniques

Because of this, the campaign demonstrates a high level of operational maturity.

What Organizations Should Watch For

To detect such threats, organizations should monitor:

  • Suspicious archive attachments
  • Unexpected PowerShell execution
  • DLL side-loading activity
  • Unusual outbound connections
  • Language-based execution anomalies

Additionally, security teams should analyze endpoint behavior, not just signatures.
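As an added example (not code from the original post or from the researchers' detections), the script below encodes three of the indicators above as simple hunting rules and runs them over constructed Sysmon-style events; the event field names, file paths, signing flags and thresholds are assumptions chosen to illustrate the logic, not telemetry from this campaign.

```python
"""Toy hunting rules for the indicators listed above, run over constructed events."""
from pathlib import PureWindowsPath

# Constructed sample events in a simplified Sysmon-like shape (assumed field names).
# type 1 = process create, 7 = image (DLL) load, 3 = network connection.
SAMPLE_EVENTS = [
    {"type": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\alice\Downloads"},
    {"type": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Corp\scheduler.exe", "cwd": r"C:\Program Files\Corp"},
    {"type": 7, "image": r"C:\Users\alice\AppData\Local\Temp\secscan\scan.exe", "image_signed": True,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\secscan\version.dll", "loaded_signed": False},
    {"type": 7, "image": r"C:\Windows\System32\svchost.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\version.dll", "loaded_signed": True},
    {"type": 3, "image": r"C:\Users\alice\AppData\Local\Temp\secscan\scan.exe", "dst_port": 21},
    {"type": 3, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "dst_port": 21},
]

KNOWN_FTP_CLIENTS = {"filezilla.exe", "ftp.exe", "winscp.exe"}  # assumed allow-list

def in_user_writable(path: str) -> bool:
    """Heuristic: profile, ProgramData and Temp folders are writable without admin rights."""
    p = path.lower()
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p

def unexpected_powershell(ev) -> bool:
    # PowerShell spawned by explorer.exe (e.g. a double-clicked shortcut) from a user folder.
    return (PureWindowsPath(ev["image"]).name.lower() == "powershell.exe"
            and PureWindowsPath(ev["parent"]).name.lower() == "explorer.exe"
            and in_user_writable(ev["cwd"]))

def possible_sideload(ev) -> bool:
    # Signed binary running from a user-writable folder loads an unsigned DLL from that same folder.
    image, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    return (ev["image_signed"] and not ev["loaded_signed"]
            and in_user_writable(ev["image"]) and image.parent == dll.parent)

def unusual_ftp(ev) -> bool:
    # Outbound FTP (port 21) from anything other than an allow-listed FTP client.
    return ev["dst_port"] == 21 and PureWindowsPath(ev["image"]).name.lower() not in KNOWN_FTP_CLIENTS

RULES = {1: ("unexpected_powershell", unexpected_powershell),
         7: ("possible_dll_sideload", possible_sideload),
         3: ("unusual_ftp_c2", unusual_ftp)}

def hunt(events):
    """Return (event_index, rule_name) for every event that trips the rule for its type."""
    hits = []
    for i, ev in enumerate(events):
        name, rule = RULES.get(ev["type"], (None, None))
        if rule and rule(ev):
            hits.append((i, name))
    return hits

if __name__ == "__main__":
    for i, name in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Each rule on its own is noisy; in practice the three hits above are worth chaining (shortcut-launched PowerShell, followed by a side-loaded DLL, followed by FTP from the same binary) rather than alerting on any single one.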

Strategic Takeaway

This campaign highlights how modern threat actors operate.

Instead of relying on mass attacks, they focus on stealth, precision, and adaptability.

In today’s threat landscape, the most effective attacks are not widespread; they are carefully targeted and quietly executed.