Skip to main content
Emerging ThreatsMalware & Ransomware

UAT-10362 Launches LucidRook Malware in Taiwanese NGO Spear-Phishing Attacks

Dimly lit office scene with a hooded figure in shadows, laptop casting eerie glow, Taiwanese map pin on cluttered desk.

How should Taiwanese civil-society groups respond when a previously undocumented threat cluster begins using a newly observed malware for targeted spear-phishing? That is the immediate dilemma raised by reporting that an actor labeled UAT-10362 has been linked to campaigns aimed at Taiwanese non-governmental organizations and at suspected universities.

What was observed

Researchers identified a previously undocumented threat cluster, dubbed UAT-10362, and attributed it to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities. The campaigns sought to deploy a newly reported Lua-based malware family called LucidRook.

According to the report, LucidRook is described as a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL).

Context and immediate facts

  • UAT-10362 is characterized in the reporting as previously undocumented.
  • The cluster has been linked to spear-phishing campaigns directed at Taiwanese NGOs and at entities identified as suspected universities.
  • The malware deployed in those campaigns is named LucidRook and is Lua-based.
  • LucidRook incorporates a Lua interpreter and Rust-compiled libraries inside a DLL, and it is described in the source as a sophisticated stager.

Questions raised for different audiences

Technologists: How will defenders and incident responders handle a stager that embeds a Lua interpreter and Rust-compiled components inside a DLL? What forensic signals and signatures, if any, have been observed?

Policymakers and institutional leaders: What protections and communications do NGOs and universities need when reporting links between targeted spear-phishing and novel malware families?

Users and administrators at likely targets: What immediate steps should organizations take upon learning that spear-phishing campaigns are targeting their sector, and how can they verify suspicious messages?

Adversaries and analysts: The emergence of a previously undocumented cluster deploying a named, Lua-based stager invites further examination of motives, targets and methods — all of which depend on continued, transparent reporting and technical analysis.

Closing observation

The record for UAT-10362 in the available reporting is compact but clear: a newly identified cluster is using spear-phishing to deliver a newly described Lua-based stager called LucidRook, which embeds a Lua interpreter and Rust-compiled libraries inside a DLL. That combination — a previously undocumented actor, targeted campaigns against civil-society and academic targets, and a novel technical build — leaves an important question: how quickly will defenders, targets and investigators translate those facts into prevention, detection and disclosure?

https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html