
New ‘LucidRook’ malware used in attacks targeting NGOs, universities

A new Lua-based malware, called LucidRook, is being used in phishing campaigns targeting non-governmental organizations and universities in Taiwan.

Cisco Talos researchers say the malware comes from a threat group internally tracked as UAT-10362, which they describe as a powerful adversary with “mature operational capabilities.”

LucidRook was spotted in an attack in October 2025 that relied on phishing emails carrying password-protected archives.


The researchers identified two infection chains: one using an LNK shortcut file that eventually delivered a malware dropper called LucidPawn, and an EXE-based chain that used a fake antivirus program impersonating Trend Micro Worry-Free Business Security Services.

The LNK-based attacks use decoy documents, such as letters forged to appear to come from the Taiwanese government, to divert the user’s attention.

[Figure: LNK-based attack chain. Source: Cisco Talos]

Cisco Talos noted that LucidPawn decrypts and drops a legitimate executable renamed to impersonate Microsoft Edge, together with a malicious DLL (DismCore.dll), and uses the pair to sideload LucidRook.

LucidRook is notable for its modular design and built-in Lua environment, which allows it to retrieve and execute second-stage payloads delivered as Lua bytecode.

This approach lets operators change the malware’s behavior without recompiling it, while also limiting what analysts can see. That stealth is further enhanced by extensive encryption.

“Embedding a Lua interpreter effectively transforms a native DLL into a stable operating platform while allowing a threat actor to update or edit the behavior of individual targets or campaigns by updating the Lua bytecode payload in a simple and flexible development process,” explained Cisco Talos.

“This approach also improves operational safety, as the Lua stage can only be handled briefly and removed from C2 after delivery, and can prevent the reconstruction of an incident where the defenders only receive the loader without the Lua payload exported.”

Talos also notes that the binary is heavily obfuscated, with all embedded strings, file extensions, internal identifiers, and C2 addresses encrypted, making reverse engineering difficult.

Upon execution, LucidRook performs a thorough system survey, collecting information such as user and computer names, installed applications, and running processes.

The collected data is encrypted using RSA, stored in a password-protected archive, and exfiltrated to attacker-controlled infrastructure via FTP.

While analyzing LucidRook, Talos researchers identified a related tool called “LucidKnight,” which may be used for retesting.

One notable feature of LucidKnight is its use of Gmail SMTP to exfiltrate the collected data, suggesting that UAT-10362 maintains a flexible toolkit to meet a variety of operational needs.

Cisco Talos assesses with moderate confidence that the LucidRook activity is part of a targeted intrusion campaign. However, the researchers were unable to capture the encrypted Lua bytecode downloaded by LucidRook, so the specific post-infection actions remain unknown.
