
Unmasking LucidRook: A Deep Dive into UAT-10362’s Lua-Based Campaign Against Taiwan


Executive Summary

The threat landscape in East Asia continues to evolve with the emergence of highly specialized toolkits designed to evade traditional heuristic detections. Recently, Cisco Talos identified a sophisticated campaign attributed to a threat actor tracked as UAT-10362. This actor has been observed targeting Taiwanese non-governmental organizations (NGOs) and academic institutions using a multi-stage infection chain. The primary payload, dubbed LucidRook, represents a shift toward modular, multi-language malware, utilizing a Lua interpreter embedded within Rust-compiled libraries. Supported by a dropper known as LucidPawn and a reconnaissance tool called LucidKnight, UAT-10362 demonstrates mature operational tradecraft characterized by region-specific anti-analysis checks and the abuse of legitimate public infrastructure.

SecLookup’s threat intelligence platform has been actively tracking this activity, successfully identifying and blocking the command-and-control (C2) infrastructure and associated malicious artifacts to protect our global user base.

Campaign Overview

The campaign, first detected in late 2025, primarily leverages spear-phishing as its initial access vector. Threat actors utilize authorized mail infrastructure to send emails containing shortened URLs, which redirect victims to password-protected archives.

To increase the likelihood of execution, UAT-10362 employs highly convincing decoy documents. One observed decoy involves a formal directive purportedly from the Taiwanese government regarding travel regulations for university staff visiting mainland China. This level of social engineering indicates a deep understanding of the local socio-political context and the specific concerns of the targeted academic and NGO sectors.

Technical Analysis: The Lucid Toolkit

The architecture of the UAT-10362 toolkit is tiered and modular, allowing the actor to profile victims before deploying their most sophisticated tools.

LucidPawn: The Regional Gatekeeper

The initial dropper, LucidPawn, is designed with stealth as a priority. It frequently impersonates legitimate security software, such as Trend Micro’s "Cleanup.exe." A key feature of LucidPawn is its region-specific execution logic. The malware performs environment checks to ensure it is running in a Traditional Chinese language environment (specifically zh-TW). If these conditions are not met, the malware terminates, effectively neutralizing analysis attempts in generic sandbox environments or by researchers outside the target region.

LucidRook: The Lua-Based Stager

The core of the infection is LucidRook, a sophisticated stager. LucidRook is unique in its implementation, using a DLL that embeds a Lua 5.4.8 interpreter along with Rust-compiled libraries.

The stager’s primary role is to download and execute staged Lua bytecode payloads. By using Lua—a scripting language often overlooked by legacy antivirus solutions—the actor can execute complex logic in memory while maintaining a small disk footprint. The use of Rust for the underlying libraries further complicates reverse engineering due to the language’s unique memory management and symbol handling.
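LucidRook's staged payloads are precompiled Lua chunks, and a defender scanning downloaded blobs or carved memory can recognise them by the fixed header that the reference Lua 5.4 implementation writes. The following is an added example, not code from SecLookup, Talos or the LucidRook sample: it parses that header (signature, version 0x54, format 0, the LUAC_DATA marker, three size bytes, then the LUAC_INT and LUAC_NUM sanity values) and locates every such chunk inside a buffer. The sample buffer is constructed; only the standard 64-bit build layout (4-byte instructions, 8-byte integers and doubles) is recognised.

```python
"""Identify precompiled Lua 5.4 chunks inside an arbitrary blob (added example)."""
import struct

LUA_SIGNATURE = b"\x1bLua"             # ESC "Lua", shared by all Lua versions
LUAC_DATA = b"\x19\x93\r\n\x1a\n"        # detects text-mode and endianness corruption
LUAC_INT = 0x5678                       # written as a native lua_Integer
LUAC_NUM = 370.5                        # written as a native lua_Number (double)

def parse_lua54_header(blob):
    """Return a dict describing a Lua 5.4 chunk header, or None if blob is not one."""
    if len(blob) < 31 or not blob.startswith(LUA_SIGNATURE):
        return None
    version, fmt = blob[4], blob[5]
    if version != 0x54 or fmt != 0 or blob[6:12] != LUAC_DATA:
        return None
    instr_size, int_size, num_size = blob[12], blob[13], blob[14]
    if (instr_size, int_size, num_size) != (4, 8, 8):
        return None  # assumption: only the common 64-bit build layout is handled
    # LUAC_INT and LUAC_NUM are stored in the producing machine's byte order,
    # so try both and record which one validated.
    for endian in ("<", ">"):
        luac_int, luac_num = struct.unpack(endian + "qd", blob[15:31])
        if luac_int == LUAC_INT and luac_num == LUAC_NUM:
            return {"version": "5.4",
                    "endian": "little" if endian == "<" else "big",
                    "header_len": 31}
    return None

def find_lua54_chunks(blob):
    """Offsets of every valid Lua 5.4 header inside blob (e.g. a carved dump)."""
    offsets, start = [], 0
    while (pos := blob.find(LUA_SIGNATURE, start)) != -1:
        if parse_lua54_header(blob[pos:]):
            offsets.append(pos)
        start = pos + 1
    return offsets

# Constructed sample: 8 bytes of junk, a valid little-endian 5.4 header plus its
# upvalue-count byte, then a chunk whose version byte is 0x53 (must be rejected).
SAMPLE = (b"PK\x03\x04junk"
          + LUA_SIGNATURE + b"\x54\x00" + LUAC_DATA + b"\x04\x08\x08"
          + struct.pack("<qd", LUAC_INT, LUAC_NUM) + b"\x01"
          + LUA_SIGNATURE + b"\x53\x00" + LUAC_DATA + b"\x04\x04\x08\x08" + b"\x00" * 16)
```

Running find_lua54_chunks over SAMPLE reports only the offset of the genuine 5.4 header; the 0x53 chunk and the junk prefix are ignored.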

LucidKnight: Reconnaissance and Exfiltration

During the investigation, a companion tool named LucidKnight was discovered. LucidKnight serves as a specialized reconnaissance agent. It is designed to harvest system information and exfiltrate it via the Gmail API. The presence of LucidKnight suggests a "scout" model, where the actor first determines the value of a compromised host before escalating to the full deployment of LucidRook for long-term persistence or data theft.

Infrastructure and C2 Tradecraft

UAT-10362 demonstrates a preference for blending into legitimate traffic. Their infrastructure strategy includes:

  • OAST Service Abuse: Utilizing Out-of-band Application Security Testing services for initial callback signals.

  • Compromised FTP Servers: Repurposing legitimate, compromised FTP servers to host malicious payloads, reducing the likelihood of domain-based blocking.

  • Public Cloud Services: Using Gmail for exfiltration (LucidKnight) to bypass outbound traffic restrictions that might block unknown C2 IPs.

SecLookup Detection and Response

SecLookup’s proactive threat hunting team has been monitoring the infrastructure associated with UAT-10362. Our platform successfully identified the domain digimg.store and its subdomains as high-risk early in the campaign cycle.

Through our multi-layered analysis, SecLookup was able to correlate these domains with the LucidRook infection chain. Our users were protected via automated blocking of these domains and the associated malicious IP addresses. We continue to ingest telemetry from these campaigns to refine our detection signatures for Lua-based execution patterns and Rust-compiled malicious DLLs.

MITRE ATT&CK Mapping

The tactics and techniques employed by UAT-10362 align with the following MITRE ATT&CK framework categories:

Tactic               Technique ID   Technique Name
Initial Access       T1566.001      Spear-phishing Attachment
Execution            T1204.002      User Execution: Malicious File
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
Defense Evasion      T1497.001      Virtualization/Sandbox Evasion: System Checks
Defense Evasion      T1036.005      Masquerading: Match Legitimate Name or Location
Discovery            T1082          System Information Discovery
Discovery            T1614.001      System Location Discovery: System Language Settings
Command & Control    T1105          Ingress Tool Transfer
Exfiltration         T1567          Exfiltration Over Web Service (Gmail)

Indicators of Compromise (IOCs)

Domains

d.2fcc7078.digimg.store
digimg.store

IP Addresses

1.34.253.131
59.124.71.242

File Hashes (SHA-256)

Email Addresses

crimsonanabel@powerscrews.com
fexopuboriw972@gmail.com

Detection Rules

YARA Rules

rule LucidRook_Stager_DLL {
    meta:
        description = "Detects LucidRook DLL stager based on Lua interpreter version and specific stage filename."
        author = "SecLookup Analysis"
    strings:
        $lua_ver = "Lua 5.4.8"
        $payload = "archive1.zip"
        $rust_marker = "/rustc/"
        $dll_name = "DismCore.dll" ascii wide
    condition:
        uint16(0) == 0x5A4D and (all of ($lua_ver, $payload) or ($dll_name and $rust_marker))
}

rule LucidPawn_Dropper_Activity {
    meta:
        description = "Detects LucidPawn dropper artifacts and specific LOLBAS execution patterns."
        author = "SecLookup Analysis"
    strings:
        $pester_path = "\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Build.bat" ascii wide
        $appdata_path = "\\Local\\Microsoft\\WindowsApps\\msedge.exe" ascii wide
        $mal_dll = "DismCore.dll" ascii wide
    condition:
        // PE files: any single artifact; non-PE files (scripts, batch files): a LOLBAS path plus the DLL name
        (uint16(0) == 0x5A4D and any of them)
        or (any of ($pester_path, $appdata_path) and $mal_dll)
}

rule Lucid_Cleanup_Dropper_Impersonation {
    meta:
        description = "Detects the .NET dropper Cleanup.exe impersonating Trend Micro."
        author = "SecLookup Analysis"
    strings:
        // UTF-16LE bytes of "Trend Micro(TM) Worry-Free(TM) Business Security Services".
        // Written as a hex string because YARA text strings must be ASCII and the
        // trademark sign (U+2122, bytes 22 21) cannot be expressed via the wide modifier.
        $tm_impersonation = { 54 00 72 00 65 00 6E 00 64 00 20 00 4D 00 69 00 63 00 72 00 6F 00 22 21 20 00
                              57 00 6F 00 72 00 72 00 79 00 2D 00 46 00 72 00 65 00 65 00 22 21 20 00
                              42 00 75 00 73 00 69 00 6E 00 65 00 73 00 73 00 20 00
                              53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00
                              53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 }
        $cleanup_name = "Cleanup.exe" ascii wide
        $msg_box = "Cleanup process has completed" wide
    condition:
        uint16(0) == 0x5A4D and ($tm_impersonation and ($cleanup_name or $msg_box))
}

Recommendations

To defend against UAT-10362 and similar threats, security teams should implement the following measures:

  1. Enhance Email Filtering: Deploy advanced email security solutions capable of decompressing and analyzing password-protected archives when the password is provided in the email body.

  2. Endpoint Monitoring: Monitor for unusual child processes spawning from legitimate Windows utilities, specifically focusing on Pester framework scripts and unexpected Lua interpreter executions.

  3. Language Environment Vigilance: While primarily relevant for regional targets, security teams should be aware that environmental checks (like OS language) are used to evade sandboxes. Ensure automated analysis platforms are configured to simulate various regional locales.

  4. Credential Management: Implement strict Multi-Factor Authentication (MFA) to prevent actors from utilizing authorized mail infrastructure even if credentials are compromised.

  5. Block Known IOCs: Ensure the domains, IPs, and hashes listed in this report are integrated into your SIEM, EDR, and firewall blocklists.
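The endpoint-monitoring recommendation above can be turned into a concrete hunt over process-creation telemetry. The following is an added example, not SecLookup or Talos code: it scans Sysmon Event ID 1 style records for the Pester Build.bat path and the per-user WindowsApps msedge.exe path (both taken from the LucidPawn YARA rule in this report) and for a Lua interpreter launched by a non-interactive parent. The interpreter image names (lua.exe, lua5x.exe, luajit.exe) are an assumption, since the report does not name the binary, and every sample event is constructed.

```python
"""Flag UAT-10362 execution artifacts in Sysmon-style process-creation events (added example)."""
import re

# Paths quoted from the LucidPawn YARA rule; matched case-insensitively like NTFS does.
PESTER_BUILD_BAT = re.compile(r"\\WindowsPowerShell\\Modules\\Pester\\3\.4\.0\\Build\.bat", re.I)
WINDOWSAPPS_MSEDGE = re.compile(r"\\AppData\\Local\\Microsoft\\WindowsApps\\msedge\.exe$", re.I)
# Assumption: the report names no interpreter binary, so common Lua image names are used.
LUA_IMAGE = re.compile(r"\\lua(?:5\d|jit)?\.exe$", re.I)
INTERACTIVE_PARENTS = ("\\explorer.exe",)   # a user double-click; anything else is suspect

def hunt(event):
    """Return the list of finding labels for one process-creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    findings = []
    if PESTER_BUILD_BAT.search(image) or PESTER_BUILD_BAT.search(cmd):
        findings.append("pester-build-bat")                  # LOLBAS path from the dropper rule
    if WINDOWSAPPS_MSEDGE.search(image):
        findings.append("msedge-from-user-windowsapps")      # T1036.005: legitimate name, odd location
    if LUA_IMAGE.search(image) and not parent.endswith(INTERACTIVE_PARENTS):
        findings.append("lua-interpreter-noninteractive-parent")
    return findings

def hunt_all(events):
    """Map ProcessId -> findings, keeping only events that produced at least one."""
    return {e["ProcessId"]: f for e in events if (f := hunt(e))}

SAMPLE_EVENTS = [  # constructed telemetry, Sysmon Event ID 1 field names
    {"ProcessId": 4120, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msedge.exe"},
    {"ProcessId": 5304, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Cleanup.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat"'},
    {"ProcessId": 5316, "Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "msedge.exe"},
    {"ProcessId": 5330, "Image": r"C:\Users\alice\AppData\Local\Temp\lua54.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "lua54.exe stage.luac"},
]
```

The first event (Edge from its install directory, launched by explorer.exe) produces no findings; the other three each trip exactly one rule, which is the signal to pivot into the parent process chain.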
