Lua-Based LucidRook Malware Targets NGOs and Universities

A sophisticated Lua-based malware called LucidRook has been deployed in spear-phishing campaigns against non-governmental organizations and universities in Taiwan, according to Cisco Talos. The threat actor tracked as UAT-10362 used phishing emails with password-protected archives in October 2025, employing two infection chains involving LNK shortcut files and fake antivirus executables impersonating Trend Micro. The LNK-based chain delivered a dropper named LucidPawn, which decrypts and deploys a legitimate executable renamed to mimic Microsoft Edge along with a malicious DLL for sideloading LucidRook.
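Added defender-side example, not code from the Talos report or this article: a small Python hunt over constructed Sysmon-style events that flags the sideloading pattern described above, an Edge-named executable running outside Edge's install directory and loading a DLL from that same directory. It assumes the renamed legitimate binary keeps Edge's real image name (msedge.exe) and that default Edge install paths are in use; every event value below is constructed, not an indicator from the report.

```python
from pathlib import PureWindowsPath

# Directories where a genuine Edge install lives (assumption: default install paths).
EDGE_INSTALL_DIRS = {
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
}
# Assumption: the renamed legitimate binary reuses Edge's real image name.
EDGE_IMAGE_NAMES = {"msedge.exe"}

# Constructed Sysmon-style events (ID 1 = process create, ID 7 = image load).
# Sample values made up for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\Report\msedge.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Report\msedge.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Report\example_sideload.dll"},
]

def is_masquerading_edge(image):
    """True when an Edge-named image runs from outside the Edge install directory."""
    p = PureWindowsPath(image)
    return p.name.lower() in EDGE_IMAGE_NAMES and str(p.parent).lower() not in EDGE_INSTALL_DIRS

def hunt(events):
    """Return (rule, image, detail) findings for masquerading Edge processes.
    A process start outside the install directory is the first signal; a DLL
    loaded by that process from the same directory is the sideload candidate.
    """
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if not is_masquerading_edge(image):
            continue
        if ev.get("EventID") == 1:
            findings.append(("edge_outside_install_dir", image, ev.get("ParentImage", "")))
        elif ev.get("EventID") == 7:
            dll = ev.get("ImageLoaded", "")
            # PureWindowsPath compares case-insensitively, matching Windows semantics
            if PureWindowsPath(dll).parent == PureWindowsPath(image).parent:
                findings.append(("dll_sideload_candidate", image, dll))
    return findings

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image} ({detail})")
```

Feed real process-create and image-load telemetry in place of SAMPLE_EVENTS; the genuine Edge start from the install directory produces no finding, while the two Temp-directory events do.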

The malware's notable feature is its built-in Lua execution environment, allowing operators to retrieve and execute second-stage payloads as Lua bytecode without modifying the core malware. This modular design enables flexible updates per target while limiting forensic visibility, as the Lua stage can be hosted briefly and removed from command-and-control servers after delivery. The binary is heavily obfuscated across embedded strings, file extensions, and C2 addresses to complicate reverse engineering.

LucidRook performs system reconnaissance by collecting user and computer names, installed applications, and running processes, encrypting the data with RSA before exfiltration via FTP. Researchers identified a related tool named LucidKnight that abuses Gmail's SMTP for data exfiltration, indicating a flexible toolkit. While Talos attributes the campaign to a capable adversary with mature tradecraft, the researchers could not capture decryptable Lua bytecode, so the post-infection actions remain unknown. They assess with medium confidence that these are targeted intrusions rather than broad opportunistic attacks.
