LucidRook: Lua-Based Malware Targets NGOs and Universities in Taiwan

April 10, 2026 18:15 · 5 min read

A Stealthy New Threat Emerges in Taiwan

Researchers at Cisco Talos have uncovered a previously unknown malware strain called LucidRook, built on the Lua scripting language and deployed in highly targeted spear-phishing attacks against non-governmental organizations (NGOs) and universities in Taiwan. The threat group behind the campaign, tracked internally by Cisco Talos as UAT-10362, is described as a capable adversary with what researchers call "mature operational tradecraft."

The attacks were first observed in October 2025, and the campaign's sophistication — from layered infection chains to obfuscated binaries and modular second-stage payloads — signals a well-resourced and deliberate operator.

Two Distinct Infection Chains

Cisco Talos identified two separate infection pathways used by UAT-10362 to deliver LucidRook onto victim machines, both initiated through phishing emails containing password-protected archives.

LNK-Based Chain

The first infection chain relies on an LNK shortcut file embedded within the archive. When executed, this shortcut ultimately delivers a malware dropper named LucidPawn. To keep victims distracted and unsuspecting, the attackers include decoy documents — specifically government letters crafted to appear as though they originate from the Taiwanese government.

Once LucidPawn executes, it decrypts and deploys a legitimate executable that has been renamed to impersonate Microsoft Edge. Alongside this, a malicious DLL file named DismCore.dll is dropped to facilitate DLL sideloading, ultimately loading LucidRook into memory.
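The sideloading step above is the point in the chain that endpoint telemetry sees most clearly: a process named like Edge, running from somewhere Edge is not installed, loading an unsigned DLL from its own directory. The following is an added example written for this article, not code from Cisco Talos or from the malware; it triages constructed Sysmon-style ImageLoad (Event ID 7) records with three rules derived from the text. The trusted-directory list, the mail of expected Edge install path, and the sample events are assumptions to tune per estate (per-user Edge installs under AppData, for instance, would need an extra entry).

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories where side-by-side DLL loads are expected (assumed allowlist; tune per estate).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# DLL name taken from the report; extend with other known sideloading names as needed.
WATCHED_DLLS = {"dismcore.dll"}
# Binary the report says is impersonated, with the directory a system-wide install normally uses
# (assumption: adjust if your estate uses per-user Edge installs).
IMPERSONATED_EXES = {
    "msedge.exe": r"c:\program files (x86)\microsoft\edge\application",
}


@dataclass
class ImageLoadEvent:
    """Minimal shape of a Sysmon Event ID 7 (ImageLoad) record."""
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL that was loaded
    loaded_signed: bool  # Sysmon 'Signed' field for the loaded DLL


def _dirname(path: str) -> str:
    # ntpath parses Windows paths correctly even when this script runs on Linux.
    return ntpath.dirname(path).lower()


def assess(event: ImageLoadEvent) -> List[str]:
    """Return the reasons an ImageLoad event looks like DLL sideloading (empty list = benign)."""
    exe_dir = _dirname(event.process_image)
    dll_dir = _dirname(event.image_loaded)
    exe_name = ntpath.basename(event.process_image).lower()
    dll_name = ntpath.basename(event.image_loaded).lower()
    side_by_side = dll_dir == exe_dir          # DLL sits next to the executable
    in_trusted = exe_dir.startswith(TRUSTED_DIRS)
    reasons = []

    # Rule 1: a known sideloading DLL name loaded side-by-side from an untrusted directory.
    if dll_name in WATCHED_DLLS and side_by_side and not in_trusted:
        reasons.append(f"watched DLL {dll_name} loaded side-by-side from {exe_dir}")
    # Rule 2: a renamed/impersonating binary running outside its expected install directory.
    expected = IMPERSONATED_EXES.get(exe_name)
    if expected is not None and exe_dir != expected:
        reasons.append(f"{exe_name} running from {exe_dir}, expected {expected}")
    # Rule 3: any unsigned side-by-side DLL outside trusted directories (catches renamed DLLs).
    if side_by_side and not event.loaded_signed and not in_trusted:
        reasons.append(f"unsigned side-by-side DLL {dll_name}")
    return reasons


def triage(events: List[ImageLoadEvent]) -> List[Tuple[ImageLoadEvent, List[str]]]:
    """Return only the events that triggered at least one rule, with their reasons."""
    flagged = []
    for event in events:
        reasons = assess(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    # Genuine Edge loading one of its own signed DLLs from its install directory.
    ImageLoadEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                   r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll", True),
    # Renamed binary in a temp folder loading an unsigned DismCore.dll from the same folder.
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\update\msedge.exe",
                   r"C:\Users\victim\AppData\Local\Temp\update\DismCore.dll", False),
    # The real DISM tool loading the real DismCore.dll from its own subdirectory.
    ImageLoadEvent(r"C:\Windows\System32\dism.exe",
                   r"C:\Windows\System32\Dism\DismCore.dll", True),
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(event.process_image)
        for reason in reasons:
            print("   -", reason)
```

Only the second sample event trips the rules, and it trips all three; the legitimate DISM load is not side-by-side (the DLL lives in a subdirectory) and the real Edge load comes from a trusted path.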

EXE-Based Chain

The second infection vector uses a standalone executable that masquerades as a legitimate security product — specifically, a fake antivirus binary impersonating Trend Micro Worry-Free Business Security Services. This approach exploits the inherent trust many users place in recognized security software names.

What Makes LucidRook Distinctive

LucidRook's architecture sets it apart from many conventional malware families. Its two most notable characteristics are its modular design and its built-in Lua execution environment.

Rather than hardcoding its capabilities, LucidRook retrieves and executes second-stage payloads delivered as Lua bytecode from attacker-controlled command-and-control (C2) infrastructure. This design grants the threat actors the ability to update or entirely swap out the malware's functionality without modifying the core binary.

"Embedding the Lua interpreter effectively turns the native DLL into a stable execution platform while allowing the threat actor to update or tailor behavior for each target or campaign by updating the Lua bytecode payload with a lighter and more flexible development process," — Cisco Talos

Cisco Talos further noted that the Lua-based approach significantly improves operational security: the Lua payload can be hosted briefly on the C2 server and removed immediately after delivery. This means that if defenders recover only the loader component, they may be unable to reconstruct what actions occurred post-infection.

Obfuscation and Anti-Forensics

Beyond its architectural flexibility, LucidRook is described as being heavily obfuscated across multiple dimensions, including embedded strings, file extensions, internal identifiers, and C2 server addresses. This pervasive obfuscation significantly complicates reverse-engineering efforts and limits forensic analysis.

Talos researchers emphasize that this level of code obfuscation — combined with the transient nature of the Lua bytecode payloads — represents a deliberate effort to reduce the malware's forensic footprint and hinder post-incident reconstruction by defenders.
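Because the Lua payload is transient and the loader is obfuscated, the one place a defender may still find it is memory: once the embedded interpreter has decrypted the bytecode, the chunk header is in the clear. The following is an added example written for this article, not code from Cisco Talos or the malware, that scans a buffer (a process dump, a carved file) for Lua 5.x bytecode headers. It relies on the public Lua bytecode format: every chunk starts with the signature `\x1bLua`, a version byte whose nibbles give the major and minor version, and in Lua 5.3/5.4 the fixed check bytes `\x19\x93\r\n\x1a\n` at offset 6. Because a payload held under a trivial single-byte XOR would hide the signature, the scanner also sweeps all 256 keys; the sample buffer is constructed here and is not a real capture.

```python
from typing import Dict, List

LUA_SIGNATURE = b"\x1bLua"           # first four bytes of every Lua 5.x bytecode chunk
LUAC_DATA = b"\x19\x93\r\n\x1a\n"    # check bytes at offset 6 of a Lua 5.3/5.4 header


def find_lua_chunks(buf: bytes, try_xor: bool = True) -> List[Dict]:
    """Locate Lua bytecode chunk headers in buf, optionally under single-byte XOR.

    Each hit records the offset, the XOR key (0 = plaintext), the version parsed
    from the header, and whether the 5.3/5.4 check bytes are present (that flag is
    only meaningful for 5.3/5.4; 5.1 and 5.2 lay the header out differently).
    """
    hits = []
    keys = range(256) if try_xor else (0,)
    for key in keys:
        # Search for the signature as it would appear after XOR with this key.
        needle = bytes(b ^ key for b in LUA_SIGNATURE)
        start = 0
        while True:
            off = buf.find(needle, start)
            if off < 0:
                break
            start = off + 1
            if off + 12 > len(buf):
                continue                       # header truncated at end of buffer
            version = buf[off + 4] ^ key
            major, minor = version >> 4, version & 0x0F
            if major != 5 or minor not in (1, 2, 3, 4):
                continue                       # signature bytes without a plausible version
            tail = bytes(b ^ key for b in buf[off + 6:off + 12])
            hits.append({
                "offset": off,
                "xor_key": key,
                "version": f"{major}.{minor}",
                "luac_data_ok": tail == LUAC_DATA,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample buffer: a plaintext Lua 5.4 header at offset 16 and the same
# header XORed with 0x5A at offset 36, surrounded by filler bytes.
HEADER_54 = b"\x1bLua\x54\x00" + LUAC_DATA
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + HEADER_54 + b"\x00" * 8
    + bytes(b ^ 0x5A for b in HEADER_54) + b"\xff" * 4
)

if __name__ == "__main__":
    for hit in find_lua_chunks(SAMPLE):
        print(f"offset={hit['offset']:#06x} key={hit['xor_key']:#04x} "
              f"lua={hit['version']} luac_data_ok={hit['luac_data_ok']}")
```

A plaintext-only scan finds only the first header; the XOR sweep recovers the second with key 0x5A. A stronger cipher (the report does not say which one the loader uses) would defeat this, which is why capturing the buffer after the interpreter has done its decryption, rather than the loader on disk, is what makes reconstruction possible.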

Reconnaissance and Data Exfiltration

During execution, LucidRook conducts system reconnaissance, gathering a range of information from infected hosts, including:

Collected data is encrypted using RSA encryption, packed into password-protected archives, and then exfiltrated to attacker-controlled infrastructure via FTP.

LucidKnight: A Related Reconnaissance Tool

While analyzing LucidRook, Talos researchers discovered a related tool designated LucidKnight, which is believed to serve a reconnaissance function within the UAT-10362 toolkit. LucidKnight is particularly notable for its abuse of Gmail SMTP as an exfiltration channel — a technique that helps malicious traffic blend with legitimate Gmail traffic and avoids detection by traditional network monitoring tools.

The existence of both LucidRook and LucidKnight suggests that UAT-10362 maintains a flexible, multi-tool arsenal that can be adapted to the specific requirements of individual targets and operations.
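Both exfiltration channels described above (LucidRook over FTP, LucidKnight over Gmail SMTP) defeat destination-based filtering precisely because the destination looks ordinary. Pairing the destination with the originating process is the practical counter. The following is an added example written for this article, not code from Cisco Talos, that applies that pairing to constructed Sysmon-style network-connection (Event ID 3) records: FTP from a process outside trusted directories, or SMTP to Gmail from anything that is not an approved mail client, is flagged. The mail-client allowlist, trusted directories, Gmail SMTP hostnames and the sample events are all assumptions to adapt locally.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Assumed allowlists; adjust to the estate's approved software and install locations.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_PORTS = {21, 990}                 # FTP control channel and implicit FTPS
SMTP_PORTS = {25, 465, 587}           # SMTP, SMTPS and submission
GMAIL_SMTP_HOSTS = ("smtp.gmail.com", "smtp.googlemail.com")


def assess_connection(event: Dict) -> Optional[str]:
    """Return a reason string if the connection looks like exfiltration, else None."""
    image = event["Image"]
    exe_name = ntpath.basename(image).lower()
    exe_dir = ntpath.dirname(image).lower()
    port = int(event["DestinationPort"])
    host = event.get("DestinationHostname", "").lower()
    untrusted_origin = not exe_dir.startswith(TRUSTED_DIRS)

    # Rule 1: FTP is rare from user-writable locations; the report names it as LucidRook's channel.
    if port in FTP_PORTS and untrusted_origin:
        return f"FTP connection (port {port}) from {image}"
    # Rule 2: Gmail SMTP is normal for a mail client and abnormal for anything else.
    if port in SMTP_PORTS and host.endswith(GMAIL_SMTP_HOSTS) and exe_name not in MAIL_CLIENTS:
        return f"Gmail SMTP ({host}:{port}) from non-mail-client process {image}"
    return None


def triage(events: List[Dict]) -> List[Tuple[Dict, str]]:
    """Return only the events that triggered a rule, paired with the reason."""
    flagged = []
    for event in events:
        reason = assess_connection(event)
        if reason:
            flagged.append((event, reason))
    return flagged


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\update\msedge.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 465},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\update\msedge.exe",
     "DestinationHostname": "", "DestinationPort": 21},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for event, reason in triage(SAMPLE_EVENTS):
        print(reason)
```

Outlook talking to Gmail and genuine Edge talking HTTPS pass; the renamed binary in a temp folder is flagged on both its SMTP and its FTP connection. Where DNS logging is available, resolving the destination IP back to a hostname before applying rule 2 closes the gap left by events that carry no hostname.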

Attribution and Remaining Unknowns

Cisco Talos concludes with medium confidence that the LucidRook attacks form part of a deliberate, targeted intrusion campaign rather than opportunistic activity. However, critical gaps remain in the researchers' understanding of the full scope of the operation.

Notably, the Talos team was unable to capture a decryptable copy of the Lua bytecode fetched by LucidRook during its execution. As a result, the specific post-infection actions carried out on compromised systems — whether data theft, espionage, persistence establishment, or lateral movement — have not yet been confirmed.

The targeting of NGOs and academic institutions in Taiwan aligns with patterns observed in state-aligned espionage campaigns, though Cisco Talos has not publicly attributed UAT-10362 to any specific nation-state at this time. Organizations in the affected sectors are advised to scrutinize inbound email attachments, particularly password-protected archives, and to monitor for unusual DLL sideloading activity on endpoints.


Source: BleepingComputer