![\"New](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/09\/0_rook.jpg\")
<\/p>\n<\/p>\n
A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan.<\/p>\n
Cisco Talos researchers attribute the malware to a threat group tracked internally as UAT-10362, who they describe as a capable adversary “with mature operational tradecraft.”<\/p>\n
LucidRook was observed in attacks in October 2025 that relied on phishing emails carrying password-protected archives.<\/p>\n
![\"New](\"https:\/\/www.bleepstatic.com\/c\/a\/as-tour-the-platform-970-x250.jpg\")
<\/a> <\/div>\nThe researchers identified two infection chains, one using an LNK shortcut file that ultimately delivered a malware dropper called LucidPawn, and an EXE-based chain that leveraged a fake antivirus executable impersonating Trend Micro Worry-Free Business Security Services.<\/p>\n
The LNK-based attack employs decoy documents, such as government letters crafted to appear as if they originate from the Taiwanese government, to divert the user’s attention.<\/p>\n
![\"New](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/infection-chain.jpg\")
Cisco Talos observed that LucidPawn decrypts and deploys a legitimate executable renamed to mimic Microsoft Edge, along with a malicious DLL (DismCore.dll) for sideloading LucidRook.<\/p>\n
LucidRook is notable for its modular design and built-in Lua execution environment, which allows it to retrieve and execute second-stage payloads as Lua bytecode.<\/p>\n
This approach enables operators to update functionality without modifying the core malware, while also limiting forensic visibility. This stealth is further increased by extensive obfuscation of the code.<\/p>\n
“Embedding the Lua interpreter effectively turns the native DLL into a stable execution platform while allowing the threat actor to update or tailor behavior for each target or campaigns by updating the Lua bytecode payload with a lighter and more flexible development process,” Cisco Talos explains<\/a>.<\/p>\n “This approach also improves operational security, since the Lua stage can be hosted only briefly and removed from C2 after delivery, and it can hinder post-incident reconstruction when defenders recover only the loader without the externally delivered Lua payload.”<\/p>\n Talos also notes that the binary is heavily obfuscated across embedded strings, file extensions, internal identifiers, and C2 addresses, complicating any reverse-engineering efforts.<\/p>\n During its execution, LucidRook performs system reconnaissance, collecting information such as user and computer names, installed applications, and running processes.<\/p>\n The data is encrypted using RSA, stored in password-protected archives, and exfiltrated to attacker-controlled infrastructure via FTP.<\/p>\n While examining LucidRook, Talos researchers identified a related tool named “LucidKnight,” which is likely used for reconnaissance.<\/p>\n One notable characteristic of LucidKnight is its abuse of Gmail GMTP to exfiltrate collected data, suggesting that UAT-10362 maintains a flexible toolkit to meet varying operational needs.<\/p>\n Cisco Talos concludes with medium confidence that the LucidRook attacks are part of a targeted intrusion campaign. However, they were unable to capture a decryptable Lua bytecode fetched by LucidRook, so the specific actions taken post-infection aren’t known.<\/p>\n