Executive Summary
In October 2025, a previously undocumented threat actor, UAT-10362, launched spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and universities. The attackers distributed a new Lua-based malware named LucidRook, which embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The malware exhibits region-specific anti-analysis checks, activating only in Traditional Chinese language environments associated with Taiwan. The campaigns utilized malicious LNK and EXE files disguised as antivirus software, leveraging compromised FTP servers and out-of-band application security testing (OAST) services for command-and-control infrastructure. (blog.talosintelligence.com)
This incident underscores the evolving sophistication of cyber threats targeting specific regions and sectors. The use of multi-language modular design, layered anti-analysis features, and reliance on compromised or public infrastructure indicates a high level of operational maturity by UAT-10362. Organizations, especially those in Taiwan, should enhance their cybersecurity measures to detect and mitigate such advanced persistent threats.
Why This Matters Now
The emergence of LucidRook highlights the increasing sophistication of region-specific cyber threats. Organizations must stay vigilant and adapt their security strategies to counteract these evolving tactics.
Attack Path Analysis
UAT-10362 initiated the attack by sending spear-phishing emails to Taiwanese NGOs, leading to the execution of the LucidRook malware. The malware collected system information and exfiltrated it to the command and control (C2) server. Subsequently, it downloaded and executed additional Lua bytecode payloads, potentially escalating privileges and facilitating further malicious activities. The malware maintained communication with the C2 server, allowing for remote control and data exfiltration. The final impact of the attack remains unspecified but could include data theft, system compromise, or further network infiltration.
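The two C2 channels named above (compromised FTP servers and OAST callback services) leave a recognisable egress footprint, and the attack path describes one process that both stages payloads and exfiltrates data. The script below is an added example, not code from Talos or from the LucidRook sample: it parses constructed egress log lines (the log format, host names, process names, the FTP client allowlist and the OAST watchlist domains are all assumptions and placeholders) and raises a high-severity alert when a single process both talks FTP without being a known FTP client and reaches a random-looking subdomain of a watched OAST service.

```python
"""Egress-log detection for the LucidRook C2 pattern (constructed example)."""
import re
from collections import defaultdict

# Assumed log format (placeholder, not a real product's schema):
#   <ts> host=<h> pid=<n> proc=<image> proto=<p> dst=<host>:<port> bytes_out=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"proto=(?P<proto>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample telemetry (not real data). ws-ngo-07/avupdate.exe mimics the
# "fake antivirus" stager: one FTP download followed by an OAST-style callback.
SAMPLE_LOGS = """
2025-10-14T08:12:03Z host=ws-ngo-07 pid=4412 proc=outlook.exe proto=https dst=mail.example.org:443 bytes_out=1820
2025-10-14T08:13:41Z host=ws-ngo-07 pid=5120 proc=avupdate.exe proto=ftp dst=203.0.113.25:21 bytes_out=52216
2025-10-14T08:13:45Z host=ws-ngo-07 pid=5120 proc=avupdate.exe proto=https dst=a1b2c3d4e5.oast-callback.example:443 bytes_out=944
2025-10-14T08:20:10Z host=ws-ngo-12 pid=3300 proc=filezilla.exe proto=ftp dst=ftp.partner.example:21 bytes_out=88000
2025-10-14T08:25:00Z host=ws-ngo-12 pid=2210 proc=chrome.exe proto=https dst=www.example.com:443 bytes_out=1200
"""

# Placeholders an organisation would fill from its own inventory and threat intel:
KNOWN_FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}          # processes allowed to speak FTP
OAST_WATCHLIST = {"oast-callback.example", "oast-demo.example"}  # parent domains of OAST services
# Per-probe OAST subdomains are typically a long random-looking label under the service domain.
OAST_LABEL_RE = re.compile(r"^[a-z0-9]{8,}$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "port", "bytes"):
        ev[key] = int(ev[key])
    return ev


def is_oast_host(host):
    """True if host is <random-label>.<watched OAST domain>."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in OAST_WATCHLIST and OAST_LABEL_RE.match(labels[0]):
            return True
    return False


def classify(ev):
    """Return the detection tags that apply to a single egress event."""
    tags = []
    if (ev["proto"] == "ftp" or ev["port"] == 21) and ev["proc"].lower() not in KNOWN_FTP_CLIENTS:
        tags.append("ftp-from-unexpected-process")
    if is_oast_host(ev["dst"]):
        tags.append("oast-callback-domain")
    return tags


def analyze(log_text):
    """Group tags per (host, pid, process); a process showing both behaviours is rated high."""
    by_proc = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for tag in classify(ev):
            by_proc[(ev["host"], ev["pid"], ev["proc"])].add(tag)
    alerts = []
    for (host, pid, proc), tags in sorted(by_proc.items()):
        alerts.append({
            "host": host, "pid": pid, "proc": proc,
            "tags": sorted(tags),
            "severity": "high" if len(tags) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The FTP rule deliberately keys on the originating process rather than the destination, because the advisory describes compromised, otherwise legitimate FTP servers; a destination reputation check alone would miss them. The OAST rule matches the per-probe subdomain shape rather than a fixed host, since the callback label changes per victim.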
Kill Chain Progression
Initial Compromise
Description
UAT-10362 sent spear-phishing emails to Taiwanese NGOs, leading to the execution of the LucidRook malware.
MITRE ATT&CK® Techniques
Spearphishing Link
Command and Scripting Interpreter: Lua
Ingress Tool Transfer
User Execution: Malicious Link
Process Injection: Dynamic-link Library Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Non-Profit/Volunteering
Taiwanese NGOs face direct targeting through LucidRook malware spear-phishing campaigns, requiring enhanced email security and zero trust segmentation to prevent lateral movement.
Higher Education/Academia
Universities suspected as UAT-10362 targets need encrypted traffic monitoring and egress security controls to detect Lua-based malware exfiltration and command-and-control activities.
Government Administration
Government entities face advanced persistent threats using sophisticated Rust-compiled libraries, necessitating multicloud visibility controls and anomaly detection for nation-state attack mitigation.
Information Technology/IT
IT organizations must implement inline IPS and threat detection capabilities to identify LucidRook DLL-based stagers and protect against spear-phishing campaign infrastructure targeting.
Sources
- UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns: https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html
- New Lua-based malware 'LucidRook' observed in targeted attacks against Taiwanese organizations: https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/
- Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors: https://thehackernews.com/2025/07/chinese-hackers-target-taiwans.html
Cloud Native Security Fabric Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the malware's ability to escalate privileges, move laterally, and exfiltrate data, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise via spear-phishing emails may not have been directly mitigated by CNSF controls.
Control: Zero Trust Segmentation
Mitigation: The malware's ability to escalate privileges could have been constrained, reducing its capacity to gain higher-level access.
Control: East-West Traffic Security
Mitigation: Lateral movement within the network could have been significantly limited, reducing the malware's ability to spread.
Control: Multicloud Visibility & Control
Mitigation: The malware's communication with its command and control server could have been detected and potentially disrupted.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts could have been restricted, limiting the amount of information sent to external servers.
The overall impact of the attack could have been reduced, limiting data theft and further network infiltration.
Impact at a Glance
Affected Business Functions
- Advocacy and Outreach
- Research and Development
- Academic Collaboration
Estimated downtime: 7 days
Estimated loss: $50,000
Confidential communications, research data, and personal information of staff and affiliates.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal communications.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities.
- Conduct regular security awareness training to educate employees on recognizing and avoiding spear-phishing attempts.