UAT-10362 Deploys LucidRook Malware Against Taiwanese NGOs

Amber | Attack Report

Summary

UAT-10362, a newly identified threat group, has been conducting targeted cyber espionage operations against Taiwanese non-governmental organizations and likely university institutions beginning in October 2025. This campaign employs sophisticated spear-phishing operations delivering password-protected malicious archives through carefully crafted emails that leverage trusted mail systems and shortened URL links to evade initial security screening. The threat actor demonstrates structured operational methodology through staged reconnaissance and exploitation tools, indicating deliberate target profiling before deploying advanced persistent threat capabilities.

The attack campaign utilizes dual infection pathways designed to maximize compromise success while maintaining operational stealth. The first pathway disguises malicious Windows shortcut files as PDF documents, exploiting victim expectations regarding document attachments in professional communications. The second pathway impersonates legitimate security software, specifically Trend Micro Worry-Free Business Security Services, leveraging victim trust in established security vendors. Both infection vectors employ decoy content to maintain victim confidence after initial execution, reducing the likelihood of immediate detection or incident reporting.

UAT-10362’s operational infrastructure demonstrates cost-conscious resource allocation typical of moderately resourced threat actors. Rather than deploying dedicated command-and-control servers that might attract attention from threat intelligence monitoring, the group compromises legitimate FTP servers belonging to Taiwanese small businesses with exposed credentials. This approach provides several operational advantages including reduced infrastructure costs, legitimate-appearing network traffic patterns, geographic proximity to targets reducing latency and suspicion, and expendable infrastructure that can be abandoned without operational impact when discovered.

The core malware component, LucidRook, represents a technically sophisticated persistent threat tool implemented as a Windows DLL incorporating a Lua scripting interpreter and compiled auxiliary libraries. This architectural design provides operational flexibility, allowing threat actors to deploy customized collection and exploitation scripts without requiring complete malware recompilation. The integration of Lua scripting capabilities indicates UAT-10362 possesses development resources capable of implementing complex cross-language integration and understands the operational benefits of modular, scriptable malware architectures.

LucidRook employs multiple anti-analysis and defense evasion techniques including layered code obfuscation, deliberate feature disabling to complicate reverse engineering, geofencing that restricts execution to Traditional Chinese language environments, and encryption of stolen data before exfiltration. The malware conducts comprehensive system reconnaissance, collecting detailed information about victim user accounts, installed software applications, running processes, and system configurations. This intelligence collection supports both immediate operational requirements and potential future targeting decisions.

The campaign’s staged approach incorporates LucidKnight, a reconnaissance tool that collects basic system information and exfiltrates data via email before more sophisticated malware deployment. This two-phase methodology allows UAT-10362 to evaluate target value and environmental characteristics before committing advanced persistent threat tools like LucidRook. Targets that pass initial evaluation criteria receive full compromise with persistent access, while less valuable targets may be abandoned after reconnaissance without deploying traceable advanced malware.

The geographic and sectoral targeting pattern strongly suggests state-sponsored or state-aligned threat actor motivations. Taiwan’s non-governmental organizations and universities frequently engage in policy research, cross-strait relations analysis, civil society development, and academic collaboration that represents valuable intelligence targets for entities seeking insight into Taiwanese domestic affairs, international relationships, and societal trends. The exclusive focus on Taiwanese entities combined with Traditional Chinese language geofencing indicates targeting criteria aligned with intelligence collection priorities of actors interested in Taiwanese internal affairs.

Attack Details

Initial Access and Social Engineering Methodology

UAT-10362 initiates compromise operations through carefully crafted spear-phishing campaigns targeting personnel within Taiwanese NGOs and likely university institutions. The threat actor demonstrates understanding of professional communication norms and victim expectations, creating emails that appear legitimate through the use of trusted mail systems and contextually appropriate messaging. These phishing emails incorporate shortened URL links rather than direct malicious attachments, providing several operational advantages including bypassing email gateway attachment filtering, reducing initial file size to avoid size-based security screening, and enabling tracking of link clicks to measure campaign effectiveness.

The shortened URLs redirect victims to password-protected archive files hosted on external infrastructure. The password for archive extraction is provided directly within the phishing email body, creating a false sense of security as victims perceive the password protection as a legitimate confidentiality measure rather than an evasion tactic. This technique exploits common business practices where sensitive documents are password-protected for confidentiality, making the approach appear consistent with legitimate professional communications.

The use of password-protected archives serves primarily as an anti-analysis technique rather than genuine security. Many email security gateways and automated malware analysis systems cannot extract password-protected archives for inspection, allowing malicious content to pass through security controls that would otherwise detect and block the threat. By providing the password in plaintext within the email, UAT-10362 ensures victims can easily extract and execute malicious content while security systems remain unable to inspect archive contents.

Dual Infection Pathways and Masquerading Techniques

Inside the password-protected archives, UAT-10362 implements two distinct infection pathways, both employing masquerading techniques to deceive victims. The first pathway utilizes malicious Windows shortcut (LNK) files disguised as PDF documents. Windows shortcut files can execute arbitrary commands while displaying custom icons, allowing threat actors to create LNK files that visually appear as PDF documents in Windows Explorer. When victims double-click what appears to be a PDF, the LNK file executes malicious commands while simultaneously displaying decoy PDF content to maintain the deception.

The second infection pathway deploys executable files impersonating Trend Micro Worry-Free Business Security Services, a legitimate endpoint security product widely deployed in small and medium businesses. This approach exploits victim trust in established security vendors, as users are conditioned to execute security-related software and are less likely to scrutinize applications appearing to originate from trusted security companies. The fake security executable drops multiple files into the system while displaying benign message boxes to mislead victims into believing legitimate software installation or security scanning is occurring.

Both infection pathways incorporate decoy content display as a critical component of operational security. After executing initial compromise actions, the malware presents victims with expected content such as PDF documents or security messages, creating the impression that the intended action completed successfully. This deception reduces the likelihood of victim suspicion and immediate incident reporting, providing UAT-10362 with extended operational windows before compromise detection.

Living-Off-The-Land and DLL Side-Loading Techniques

The LNK-based infection pathway employs living-off-the-land techniques that abuse legitimate Windows tools to load malicious components. Rather than executing obviously malicious executables that might trigger behavioral detection, the shortcut files run hidden scripts leveraging legitimate Windows utilities including PowerShell and the Deployment Image Servicing and Management (DISM) tool. DISM is a legitimate Windows component used for servicing Windows images and is present by default on all modern Windows systems.

UAT-10362 exploits DLL side-loading vulnerabilities in DISM to load malicious libraries. DLL side-loading occurs when legitimate executables load DLL libraries from their local directory rather than from protected system directories. By placing a malicious DismCore.dll in the same directory as a legitimate DISM executable, threat actors cause the legitimate signed executable to load the malicious library, effectively bypassing application whitelisting and providing the malicious code with the execution context and privileges of the legitimate application.

The malware deployment process involves unpacking encrypted files, renaming them to resemble trusted programs such as legitimate Windows system components, and establishing persistence through multiple mechanisms. Persistence is achieved by placing LNK shortcuts in Windows Startup folders, ensuring the malware executes automatically when users log into the system. The use of startup folder persistence rather than more sophisticated registry-based persistence suggests a balance between reliability and stealth, as startup folder entries are less likely to fail due to permission issues but may be more visible to manual inspection.

PowerShell Pester Framework Abuse

A particularly sophisticated aspect of UAT-10362’s technique involves abuse of the PowerShell Pester testing framework. Pester is a legitimate testing and mocking framework for PowerShell scripts, commonly used by system administrators and developers for automated testing. The framework includes a Build.bat script located in C:\Program Files\WindowsPowerShell\Modules\Pester that is designed for legitimate framework compilation and building operations.

UAT-10362’s malicious LNK files invoke this legitimate Pester Build.bat script with unusual command-line arguments pointing to hidden directories containing malicious PowerShell scripts. This living-off-the-land technique provides several evasion benefits including execution of malicious code through a legitimate signed framework, reduced behavioral detection likelihood as Pester execution may appear normal in development or administrative environments, and avoidance of direct PowerShell.exe execution which is heavily monitored in many environments.

The abuse of testing frameworks and development tools represents an evolution in living-off-the-land tactics, as threat actors increasingly target tools used by technical personnel rather than general-purpose system utilities. This approach is particularly effective against organizations with software development or IT operations teams where execution of development tools may be considered normal and expected behavior.

Geofencing and Anti-Analysis Techniques

Both infection pathways implement geofencing through system language detection. Before executing malicious payloads, the malware queries the Windows API function GetUserDefaultUILanguage() to determine the system’s configured user interface language. The malware only proceeds with execution if it detects Traditional Chinese language configuration, which is standard in Taiwan but distinct from Simplified Chinese used in mainland China.

This geofencing serves multiple operational purposes. First, it narrows the malware’s operational scope exclusively to the intended target region, preventing accidental compromise of systems outside Taiwan that might attract unwanted attention or attribution efforts. Second, it evades many automated malware analysis systems located outside Taiwan that typically operate with English or other language configurations, causing the malware to remain dormant during sandbox analysis. Third, it reduces the likelihood of compromise discovery through unintended victim populations who might report the incident.

The malware implements additional anti-analysis techniques including layered code obfuscation that complicates reverse engineering efforts, deliberate disabling of certain malware features to make complete functionality analysis more difficult, and encryption of embedded components that require runtime decryption before analysis. These techniques collectively increase the time, skill, and resources required for security researchers to fully understand malware capabilities and develop comprehensive detection signatures.

LucidRook Architecture and Capabilities

LucidRook represents the campaign’s core persistent threat capability, implemented as a Windows DLL with sophisticated multi-language architecture. The malware integrates a Lua scripting interpreter alongside compiled C/C++ code and additional auxiliary libraries, creating a flexible execution environment for diverse operational requirements. Lua is a lightweight scripting language commonly embedded in applications requiring user-extensible scripting capabilities, including game engines, network monitoring tools, and embedded systems.

The integration of Lua provides UAT-10362 with significant operational advantages. Rather than requiring full malware recompilation for functionality modifications, operators can deploy new Lua scripts to modify collection priorities, implement new evasion techniques, or add exploitation capabilities. This modularity accelerates operational tempo, allowing rapid response to changing intelligence requirements or defensive countermeasures without engaging development resources for malware recompilation.

LucidRook’s reconnaissance capabilities include comprehensive system profiling that collects detailed information about user accounts including username, privileges, and group memberships; installed software applications providing insight into organizational tools and potential exploitation targets; running processes revealing active security software and user activities; and system configurations including operating system version, patch level, and hardware specifications. This intelligence supports both immediate operational decisions and potential lateral movement or privilege escalation operations.

All collected data undergoes encryption before exfiltration, preventing network-based inspection of stolen intelligence. The encrypted data is packaged into archive files with standardized names including archive4.zip and archive1.zip, facilitating automated processing on threat actor infrastructure. The use of consistent naming conventions suggests systematized operational procedures and potentially automated intelligence processing pipelines.

Command-and-Control via Compromised FTP Infrastructure

UAT-10362’s command-and-control infrastructure relies on compromised FTP servers rather than dedicated threat actor infrastructure. These compromised servers are predominantly located in Taiwan and belong to small businesses with exposed FTP credentials, often discovered through internet-wide scanning for poorly configured FTP services or through credential reuse from previous breaches. The use of plaintext FTP protocol rather than encrypted alternatives suggests operational prioritization of compatibility and reliability over communications security.

The compromised FTP servers serve dual purposes in the operational infrastructure. First, they function as data exfiltration destinations where stolen intelligence is uploaded for threat actor collection and analysis. Second, they operate as distribution points for additional malware components, updated configuration files, or new Lua scripts that extend or modify malware functionality. This bidirectional communication allows UAT-10362 to maintain operational control over compromised systems and adapt to evolving intelligence requirements.

The use of compromised legitimate infrastructure provides several operational security benefits. Traffic to legitimate Taiwanese business FTP servers appears less suspicious than connections to foreign or dedicated threat actor infrastructure. The servers provide geographic proximity to targets, reducing network latency and improving operational responsiveness. If servers are discovered and taken offline by defenders or law enforcement, the impact on operations is minimal as replacement infrastructure can be easily identified and compromised through the same techniques.

Out-of-Band Confirmation and LucidKnight Reconnaissance

UAT-10362 implements out-of-band confirmation mechanisms to verify successful compromise without requiring full command-and-control communications. The malware generates DNS requests to Out-of-Band Application Security Testing (OAST) services including dnslog[.]ink and digimg[.]store. These services provide unique subdomains to each user and log all DNS queries received for those subdomains, allowing threat actors to confirm that malware successfully executed and initiated network communications even if full C2 channels are blocked or monitored.

The campaign includes a reconnaissance component designated LucidKnight, which appears to function as an initial target evaluation tool. LucidKnight collects basic system information including operating system details, username, installed software, and network configuration, then exfiltrates this data via email to threat actor-controlled addresses including fexopuboriw972[@]gmail[.]com and crimsonanabel[@]powerscrews[.]com. The use of email exfiltration for reconnaissance suggests a two-stage targeting approach where initial victims undergo evaluation before receiving more sophisticated malware.

This staged deployment methodology provides operational efficiency and security benefits. By deploying lightweight reconnaissance tools first, UAT-10362 can evaluate target value, identify high-priority victims for advanced persistent threat deployment, and avoid wasting sophisticated malware resources on low-value targets. This approach also compartmentalizes operations, as reconnaissance tool discovery does not necessarily reveal the existence or capabilities of more advanced tools like LucidRook that are reserved for high-value targets passing initial screening criteria.

Recommendations

Deploy Detection Rules for DLL Side-Loading via DISM

Organizations must implement endpoint detection rules specifically monitoring for suspicious DLL side-loading of DismCore.dll by DISM executables. Detection logic should flag DISM execution from non-standard directories, particularly paths under %APPDATA%\Local\Microsoft\WindowsApps and C:\ProgramData that are frequently abused for malware staging. Legitimate DISM usage typically occurs from System32 directory with specific command-line parameters related to Windows imaging operations, while malicious usage involves execution from user-writable directories with unusual or absent parameters.

Monitor for Anomalous FTP Traffic

Network monitoring systems should implement detection rules for outbound FTP connections from endpoints to external servers, with particular attention to file transfers involving ZIP archives with names matching LucidRook patterns such as archive4.zip and archive1.zip. While FTP is rarely used in modern enterprise environments, organizations still utilizing FTP should maintain inventories of legitimate FTP destinations and flag connections to unexpected servers. The use of plaintext FTP protocol makes network-based detection straightforward through deep packet inspection of FTP command and data channels.

Detect LOLBAS Abuse of PowerShell Pester Framework

Security teams must deploy detection logic for suspicious execution of the Pester testing framework’s Build.bat script, particularly when invoked by Windows shortcut files or with command-line arguments pointing to hidden directories or temporary paths. Legitimate Pester usage occurs in development and testing contexts with predictable command-line patterns, while malicious abuse involves unusual parent processes such as Explorer.exe launching LNK files that chain to Pester execution, or command-line arguments referencing non-standard script locations in user profile directories.

Restrict Execution from Non-Standard Paths

Application control policies should be implemented to prevent executable and DLL loading from user-writable directories including %APPDATA%\Local\Microsoft\WindowsApps and C:\ProgramData unless explicitly required for business purposes. These directories are frequently abused by malware for staging and persistence as they provide user-writable locations outside typical system directories. Organizations should maintain inventories of approved software utilizing these paths and implement default-deny policies with explicit exceptions for legitimate applications.

Implement Language-Based Execution Anomaly Detection

Endpoint detection and response solutions should monitor for malware employing language-based geofencing through GetUserDefaultUILanguage() API queries. While legitimate software may query system language for localization purposes, malware commonly uses this technique as a pre-execution check to restrict operations to specific geographic regions. Detection logic should flag processes that query system language immediately before suspicious behaviors such as network connections, file creation in startup directories, or DLL loading from non-standard paths.

Establish DNS Monitoring for OAST Services

Network security monitoring must include detection rules for DNS queries to known Out-of-Band Application Security Testing services including dnslog[.]ink, digimg[.]store, and similar platforms. These services are legitimate tools for security testing and penetration testing but are increasingly abused by threat actors for covert compromise confirmation without establishing full command-and-control channels. Organizations should block DNS resolution to known OAST platforms unless explicitly required for authorized security testing activities, and should investigate any unexpected queries as potential indicators of compromise.
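As a network-side counterpart to the two recommendations on FTP monitoring and OAST DNS monitoring above, the following Python example (added here; not HivePro or Talos tooling) checks constructed log lines for plaintext FTP sessions to servers outside an approved inventory, uploads of LucidRook-style archive names, and DNS queries for the OAST platforms the advisory names. The log formats are assumptions made for the example: a flattened FTP command-channel line `SRC DST COMMAND [ARG]` and a DNS query line `SRC QNAME`. The approved-server set is a placeholder, and the archive-name pattern generalises the advisory's archive1.zip/archive4.zip to any archive<N>.zip.

```python
"""Network-side checks for the FTP and OAST-DNS recommendations.

Added example; not HivePro or Talos tooling. Log formats are constructed
for this example: an FTP command-channel line 'SRC DST COMMAND [ARG]'
(as a proxy or IDS might export it) and a DNS query line 'SRC QNAME'.
The approved FTP server inventory is a placeholder."""

import re
from typing import Dict, List

# The advisory names archive1.zip and archive4.zip; this generalises to
# any archive<N>.zip so a renumbered upload is still caught.
LUCIDROOK_ARCHIVE = re.compile(r"^archive\d+\.zip$")

# OAST platforms named in the advisory (defanged there, refanged here for matching).
OAST_DOMAINS = ("dnslog.ink", "digimg.store")

# Placeholder: populate from your own inventory of legitimate FTP destinations.
APPROVED_FTP_SERVERS = {"10.0.5.20"}


def check_ftp_command(line: str) -> List[str]:
    """Flag FTP sessions to unapproved servers and uploads of LucidRook-style archive names."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return []                      # malformed line; nothing to judge
    src, dst, command = parts[0], parts[1], parts[2].upper()
    arg = parts[3].strip() if len(parts) > 3 else ""
    findings: List[str] = []
    if dst not in APPROVED_FTP_SERVERS:
        findings.append(f"{src} -> {dst}: FTP to a server not in the approved inventory")
    # STOR is the upload command; keep only the file name if a path was given.
    if command == "STOR" and LUCIDROOK_ARCHIVE.match(arg.rsplit("/", 1)[-1].lower()):
        findings.append(f"{src} -> {dst}: upload of LucidRook-style archive name {arg}")
    return findings


def check_dns_query(line: str) -> List[str]:
    """Flag queries for an OAST platform or any subdomain of it."""
    src, _, qname = line.partition(" ")
    qname = qname.strip().rstrip(".").lower()   # tolerate a trailing root dot
    for domain in OAST_DOMAINS:
        if qname == domain or qname.endswith("." + domain):
            return [f"{src}: DNS query to OAST platform {domain} ({qname})"]
    return []


def scan(ftp_lines: List[str], dns_lines: List[str]) -> Dict[str, List[str]]:
    """Run both checks over their respective log lines and group the findings."""
    return {
        "ftp": [f for line in ftp_lines for f in check_ftp_command(line)],
        "dns": [f for line in dns_lines for f in check_dns_query(line)],
    }


# Constructed sample lines (not real captures).
FTP_SAMPLES = [
    "10.0.7.33 10.0.5.20 STOR quarterly_report.pdf",   # approved server, ordinary file
    "10.0.7.33 59.124.71.242 USER backup",             # unapproved server (IP from the advisory's IOC list)
    "10.0.7.33 59.124.71.242 STOR archive4.zip",       # unapproved server plus LucidRook archive name
]
DNS_SAMPLES = [
    "10.0.7.33 www.example.com",                       # ordinary query
    "10.0.7.33 d.2fcc7078.digimg.store",               # domain from the advisory's IOC list
    "10.0.7.33 abc123.dnslog.ink.",                    # OAST subdomain with trailing root dot
]

if __name__ == "__main__":
    for channel, findings in scan(FTP_SAMPLES, DNS_SAMPLES).items():
        print(channel.upper())
        for finding in findings:
            print("  -", finding)
```

The FTP check deliberately raises two separate findings for the last sample line: the destination-inventory check catches connections to any unexpected server, regardless of file name, while the archive-name check catches the campaign's specific upload pattern even if a compromised server happened to be on an allow-list. The DNS check matches subdomains because OAST platforms hand each user a unique label under the platform's domain, so the parent domain is the stable indicator.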

MITRE ATT&CK TTPs

Initial Access

T1566: Phishing

  • T1566.002: Spearphishing Link

Execution

T1059: Command and Scripting Interpreter

  • T1059.001: PowerShell

T1204: User Execution

  • T1204.002: Malicious File

Persistence

T1547: Boot or Logon Autostart Execution

  • T1547.001: Registry Run Keys / Startup Folder

Defense Evasion

T1574: Hijack Execution Flow

  • T1574.001: DLL Side-Loading

T1027: Obfuscated Files or Information

T1036: Masquerading

  • T1036.005: Match Legitimate Name or Location

T1497: Virtualization/Sandbox Evasion

T1140: Deobfuscate/Decode Files or Information

Discovery

T1082: System Information Discovery

T1057: Process Discovery

T1614: System Location Discovery

  • T1614.001: System Language Discovery

Collection

T1560: Archive Collected Data

  • T1560.001: Archive via Utility

Command and Control

T1071: Application Layer Protocol

  • T1071.002: File Transfer Protocols

T1105: Ingress Tool Transfer

T1102: Web Service

Exfiltration

T1048: Exfiltration Over Alternative Protocol

  • T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol

T1041: Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

File Hashes (SHA256)
  • d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a
  • adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143
  • b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d
  • c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc
  • 6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9
  • bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d
  • f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839
  • 166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d
  • 11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae
  • edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809
  • 0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34
  • d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964
  • aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1
  • fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056
IPv4 Addresses
  • 1[.]34[.]253[.]131
  • 59[.]124[.]71[.]242
Domains
  • d[.]2fcc7078[.]digimg[.]store
Email Addresses
  • fexopuboriw972[@]gmail[.]com
  • crimsonanabel[@]powerscrews[.]com
