UAT‑10362 Spear‑Phishing Campaign Deploys LucidRook Malware Against Taiwanese NGOs and Universities
What Happened — A previously undocumented threat cluster, UAT‑10362, has been observed delivering a Lua‑based stager named LucidRook via spear‑phishing emails. The campaign targets Taiwanese non‑governmental organizations and suspected academic institutions, embedding a Lua interpreter and Rust‑compiled libraries in a DLL to download additional payloads.
Why It Matters for TPRM —
- Threat actors are weaponizing a novel, multi‑stage malware that can bypass traditional signature‑based defenses.
- NGOs and universities often handle sensitive research, donor data, and intellectual property, making them attractive supply‑chain footholds.
- Successful compromise can lead to data exfiltration, credential theft, and lateral movement into partner ecosystems.
Who Is Affected — Non‑profit NGOs, research universities, and any third‑party service providers linked to these entities (e.g., cloud hosts, collaboration platforms).
Recommended Actions —
- Review all third‑party contracts with Taiwanese NGOs and academic partners for security clauses.
- Enforce multi‑factor authentication and email‑security gateways (DMARC, DKIM, SPF) to mitigate spear‑phishing.
- Conduct a threat hunt for LucidRook indicators (DLL hashes, embedded Lua interpreter strings) across your environment, including systems operated by third parties on your behalf.
Technical Notes — The stager is delivered as a DLL that loads an embedded Lua interpreter and Rust‑compiled libraries, then contacts a remote C2 to fetch additional modules. No public CVE is associated; the attack vector is phishing with malicious attachments or links. Source: The Hacker News
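To make the threat-hunt action concrete, the following is an added example (not code from the advisory, The Hacker News, or any vendor tool) of a small file-inspection helper. It hashes a candidate DLL, compares the digest against a known-bad list, and flags PE files that carry strings typical of a statically embedded Lua interpreter, which matches the stager's described construction. Assumptions: the `KNOWN_BAD_SHA256` set is a placeholder because the advisory publishes no hashes; the Lua marker strings are standard Lua 5.x API symbol and banner strings, and their presence is a hunt lead rather than proof of compromise; the sample byte blobs are constructed and contain no real malware.

```python
"""Heuristic hunt for DLLs embedding a Lua interpreter (added example, not from the advisory)."""
import hashlib
from dataclasses import dataclass, field

# Strings a statically linked Lua 5.x interpreter commonly carries. A DLL with no
# legitimate reason to run Lua that contains several of these deserves a closer look.
# Note: these are heuristics; a stripped build may hide symbol names, so absence is not clearance.
LUA_MARKERS = [
    b"luaL_newstate",
    b"luaL_loadbufferx",
    b"lua_pcallk",
    b"luaopen_base",
    b"$LuaVersion: Lua 5.",   # from lua_ident[] in lua.h
]

# PLACEHOLDER: the advisory lists no hashes. Populate from your own threat-intel feed.
KNOWN_BAD_SHA256 = {
    "PLACEHOLDER_SHA256_FROM_YOUR_INTEL_FEED",
}

# Require more than one independent marker to keep false positives down.
MIN_MARKER_HITS = 2


@dataclass
class HuntResult:
    sha256: str
    is_pe: bool
    lua_markers: list = field(default_factory=list)
    hash_match: bool = False

    @property
    def suspicious(self) -> bool:
        # A known-bad hash is conclusive; the Lua heuristic only applies to PE files,
        # so a plain .lua script on disk does not trip it.
        return self.hash_match or (self.is_pe and len(self.lua_markers) >= MIN_MARKER_HITS)


def inspect_bytes(data: bytes) -> HuntResult:
    """Hash the blob, check the PE signature, and collect Lua marker hits."""
    digest = hashlib.sha256(data).hexdigest()
    is_pe = data[:2] == b"MZ" and b"PE\x00\x00" in data
    hits = [m.decode() for m in LUA_MARKERS if m in data]
    return HuntResult(sha256=digest, is_pe=is_pe, lua_markers=hits,
                      hash_match=digest in KNOWN_BAD_SHA256)


def inspect_file(path: str) -> HuntResult:
    """Convenience wrapper for hunting across a directory of collected DLLs."""
    with open(path, "rb") as fh:
        return inspect_bytes(fh.read())


# Constructed samples (not real malware): a fake PE with Lua markers, a fake PE without,
# and a plain text Lua script that mentions the same symbols.
SAMPLE_PE_WITH_LUA = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
                      + b"luaL_newstate\x00lua_pcallk\x00$LuaVersion: Lua 5.4.6\x00")
SAMPLE_PE_CLEAN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"GetProcAddress\x00LoadLibraryW\x00"
SAMPLE_TEXT_WITH_LUA = b"-- a plain .lua script\nlocal s = 'luaL_newstate lua_pcallk'\n"


if __name__ == "__main__":
    for name, blob in [("pe_with_lua", SAMPLE_PE_WITH_LUA),
                       ("pe_clean", SAMPLE_PE_CLEAN),
                       ("lua_script", SAMPLE_TEXT_WITH_LUA)]:
        r = inspect_bytes(blob)
        print(f"{name}: suspicious={r.suspicious} pe={r.is_pe} markers={r.lua_markers}")
```

Run the helper over DLLs collected from endpoints and mail-gateway attachment quarantines; hash matches should be escalated immediately, while marker-only hits warrant triage of the file's origin, signer and loading process before any blocking decision.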