New Lua-based Malware 'LucidRook' Targeting Taiwanese Organizations
New Lua-based Malware ‘LucidRook’ Observed in Targeted Attacks 🚨
Cisco Talos has uncovered a cluster of activity tracked as UAT-10362, conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, ‘LucidRook.’ This sophisticated stager embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads.
The dropper, ‘LucidPawn,’ employs region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan. Talos identified two distinct infection chains used to deliver LucidRook, involving malicious LNK and EXE files disguised as antivirus software. In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure.
Discovery of LucidKnight 🕵️♂️
Through hunting for LucidRook, Talos discovered ‘LucidKnight,’ a companion reconnaissance tool that exfiltrates system information via Gmail. Its presence alongside LucidRook suggests the actor operates a tiered toolkit, potentially using LucidKnight to profile targets before escalating to full stager deployment.
Infection Chains and Techniques 🔗
Talos identified two infection chains used to deploy LucidRook. Both were multi-stage and began with either an LNK or an EXE launcher. The LNK-based infection chain uses an initial dropper tracked as LucidPawn and leverages living-off-the-land binaries and scripts (LOLBAS) to evade detection. This chain abuses the legitimate Windows binary index.exe to sideload LucidPawn via DLL search order hijacking.
Persistence is established via a LNK file in the Startup folder that launches an msedge.exe impersonating the Microsoft Edge browser. The EXE-based infection chain was observed in samples uploaded to public malware repositories in December 2025, distributed as password-protected 7-Zip archives masquerading as Trend Micro™ Worry-Free™ Business Security Services.
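As an added example (not code from the Talos report), the Python below runs a simple detection for the two behaviours just described, index.exe loading a DLL from a non-system directory and an msedge.exe started from outside the Edge install path, over constructed Sysmon-style events; the field names, baseline directories and sample paths are assumptions to adapt to your own telemetry.

```python
import json
from pathlib import PureWindowsPath

# Assumed baselines: where a genuine msedge.exe and system DLLs are expected to live.
EDGE_DIRS = (r"c:\program files\microsoft\edge\application",
             r"c:\program files (x86)\microsoft\edge\application")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _under(path, dirs):
    """True if the Windows path starts with one of the given directories (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d) for d in dirs)

def check_event(ev):
    """Return a finding for one Sysmon-style event dict, or None if it looks benign."""
    image = ev.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    # Heuristic 1: index.exe pulling in a DLL that is not from a system directory (sideload).
    if ev.get("EventType") == "ImageLoad" and name == "index.exe":
        loaded = ev.get("ImageLoaded", "")
        if not _under(loaded, SYSTEM_DIRS):
            return f"possible sideload: index.exe loaded {loaded}"
    # Heuristic 2: an msedge.exe launched from somewhere other than the Edge install path.
    if ev.get("EventType") == "ProcessCreate" and name == "msedge.exe":
        if not _under(image, EDGE_DIRS):
            return f"msedge.exe impersonation: launched from {image}"
    return None

def scan(lines):
    """Parse JSON event lines and collect findings."""
    findings = []
    for line in lines:
        finding = check_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
SAMPLE_EVENTS = [
    r'{"EventType":"ImageLoad","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\index.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\hijacked.dll"}',
    r'{"EventType":"ImageLoad","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\index.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Users\\alice\\AppData\\Roaming\\msedge.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```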
Conclusion 🔍
LucidRook is a sophisticated 64-bit Windows DLL stager consisting of a Lua interpreter, embedded Rust-compiled libraries, and Lua bytecode payload. The malware’s core workflow involves host reconnaissance, collecting system information that is encrypted, packaged, and exfiltrated to the C2 infrastructure. It retrieves an encrypted, staged Lua bytecode payload from the C2 server, which is subsequently decrypted and executed on the compromised host.
For more details, check out the full Cisco Talos article.