The use of sophisticated malware in phishing campaigns remains a persistent and growing problem for organizations worldwide. One such threat, called LucidRook, has recently been identified targeting non-governmental organizations (NGOs) and universities in Taiwan. Cisco Talos researchers have attributed the campaign to a skilled threat actor group tracked as UAT-10362, flagging it as a calculated and technically advanced operation. The attacks were first observed in October 2025, when threat actors began distributing password-protected phishing emails designed to slip past standard security controls and reach high-value targets within Taiwanese academic and civil society institutions.
Lua Scripting Sets This Malware Apart From Others
LucidRook is distinct in its use of the Lua programming language — a language not traditionally associated with malware development. Lua is widely recognized for its lightweight footprint, simplicity, and scripting flexibility, making it a popular choice in game development and embedded systems. However, these same characteristics make it an attractive option for threat actors looking to operate in environments where Lua-based code receives less scrutiny from security tooling. By building LucidRook on top of this less-common language, UAT-10362 gains a degree of operational cover that more conventional malware frameworks do not offer. The choice reflects a deliberate effort to reduce detection rates and extend the malware’s useful lifespan in compromised environments.
UAT-10362 Is the Group Behind These Attacks
Cisco Talos researchers have directly linked this malware campaign to UAT-10362, a threat actor group recognized for its advanced capabilities and targeted intrusion methods. Through detailed technical analysis, Talos uncovered connections between UAT-10362’s activity patterns and multiple targeted compromises involving complex, multi-stage malware deployments. The group’s consistent focus on specific sectors and its use of custom tooling like LucidRook point to a well-resourced and operationally disciplined adversary rather than an opportunistic attacker.
Password-Protected Emails Are the Delivery Mechanism
A defining feature of these attacks is the use of password-protected emails as the primary delivery method. By locking email content behind a password, attackers effectively neutralize many automated scanning and filtering mechanisms that rely on inspecting attachments or embedded links. Recipients are provided the password separately, ensuring that only the intended target can access the malicious payload. This tactic significantly increases the probability that phishing emails successfully reach their destination without being flagged or quarantined.
- Password-protected emails sidestep automated scanning tools
- Recipients receive the password through a separate channel, limiting broad exposure
- The method bypasses many routine security defense mechanisms used by email providers
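One defensive response to this delivery method is to treat an attachment the gateway cannot open as the signal itself and quarantine or flag the message for review. The following Python is an added example, not code from Cisco Talos or from the reported campaign; it assumes the password protection takes the form of an encrypted ZIP attachment (the article does not say which container was used), and the message and archive it runs over are constructed fixtures.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry carries the ZIP encryption flag (bit 0): a gateway
    cannot inspect it without the password, so the archive is the signal."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def find_unscannable_attachments(raw_eml: bytes) -> list[str]:
    """Filenames of ZIP attachments whose contents the scanner cannot see."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def zip_fixture(encrypted: bool) -> bytes:
    """Constructed sample. The stdlib cannot write encrypted ZIPs, so the flag
    is patched into the central-directory header zipfile reads flag_bits from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt", "placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        off = raw.find(b"PK\x01\x02") + 8  # general-purpose bit flag field
        flags = int.from_bytes(raw[off:off + 2], "little") | 1
        raw[off:off + 2] = flags.to_bytes(2, "little")
    return bytes(raw)

def build_sample_eml(attachment: bytes, name: str) -> bytes:
    """Constructed lure message of the kind the article describes."""
    msg = EmailMessage()
    msg["To"] = "staff@university.example"
    msg["Subject"] = "Document (password sent separately)"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    eml = build_sample_eml(zip_fixture(encrypted=True), "document.zip")
    print(find_unscannable_attachments(eml))  # ['document.zip']
```

A plain (unencrypted) archive passes through untouched, so the check adds no friction for ordinary attachments while surfacing exactly the ones a content scanner would otherwise wave through blind.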
Taiwanese Universities and NGOs Face Real Consequences
The deliberate targeting of universities and NGOs in Taiwan points to a strategic intent behind the UAT-10362 campaign. These organizations often hold sensitive research data, policy communications, and international correspondence that would carry significant value to a motivated threat actor. The geographic focus on Taiwan also raises questions about potential geopolitical motivations driving the attacks. For institutions in these sectors, the emergence of LucidRook underscores the urgent need to reassess existing cybersecurity defenses, invest in threat detection capabilities capable of identifying unconventional scripting languages, and train staff to recognize sophisticated phishing attempts before damage is done.
