DEV Community

Mark0

New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Cisco Talos has uncovered a new cyber campaign by a threat actor tracked as UAT-10362, targeting non-governmental organizations and universities in Taiwan. The operation uses a multi-stage infection chain to deliver a sophisticated malware family known as "LucidRook." LucidRook is a stager that embeds a Lua interpreter and Rust-compiled libraries within a DLL in order to execute encrypted bytecode; it is typically delivered via spear-phishing emails carrying malicious LNK or EXE files disguised as legitimate software.

The toolkit also includes "LucidPawn," a dropper that performs region-specific anti-analysis checks so that it only executes in Traditional Chinese language environments, and "LucidKnight," a companion reconnaissance tool that exfiltrates system metadata via Gmail. The use of legitimate Windows binaries for DLL sideloading, combined with the abuse of public FTP servers and OAST services for command-and-control (C2) infrastructure, highlights the group's mature operational tradecraft and its focus on stealth.
