LucidRook Malware Hits Taiwanese NGOs in Targeted Spear Phishing Campaigns
A new malware campaign is targeting Taiwanese non-governmental organizations and likely some universities. Cisco Talos said it uncovered the activity and named the cluster UAT 10362. The payload is a Lua-based stager called LucidRook. Researcher Ashley Shen at Cisco Talos described the tool and its behavior in detail.
How the attack starts
The campaign arrives by spear-phishing. Talos found password-protected RAR and 7-Zip archives used as lures. The archive password was included in the email body in at least one observed case. Talos said the actor abused legitimate mail infrastructure to deliver links. That suggests careful planning and attention to operational security.
Two distinct infection chains
Talos described two ways the malware reaches a victim. One uses a Windows shortcut file named to look like a PDF to trick users. The other uses an executable disguised as an antivirus utility. In both cases the archive opens a decoy document. That gives victims a plausible reason not to suspect anything.
- LNK-based chain: The shortcut executes a PowerShell command that launches a legitimate Windows binary from the archive. That binary then sideloads a malicious DLL named LucidPawn. LucidPawn drops files, opens the decoy, and uses DLL sideloading again to run LucidRook.
- EXE-based chain: The executable pretends to be a Trend Micro cleanup tool. It is a simple .NET dropper. Once run, it drops a legitimate binary and the LucidRook stager, then places a startup link to maintain persistence.
What LucidRook does
Ashley Shen said LucidRook is a sophisticated stager. It embeds a Lua 5.4.8 interpreter and Rust-compiled libraries inside a 64-bit Windows DLL. That design turns the DLL into a flexible runtime. The stager downloads an encrypted Lua bytecode payload from FTP-based command-and-control. After decrypting the stage, it runs the bytecode inside the embedded Lua VM.
Talos noted two main functions. First, LucidRook gathers system information and exfiltrates it to attacker-controlled servers. Second, it fetches and runs the encrypted Lua stage. The Lua stage can be changed independently. That makes behavior updates easy for the attacker and harder for defenders to track.
Stealth and anti-analysis features
Talos found multiple measures meant to avoid detection. The dropper performs a language check and continues only on systems set to Traditional Chinese.
“This geofencing limits execution to the intended geographic target and avoids many analysis sandboxes,” Talos said. The DLL also uses heavy string obfuscation and layered runtime decryption. The result is a loader that is hard to reverse-engineer.
Companion tools and infrastructure
During hunting, Talos found another tool called LucidKnight. That DLL can collect system details and exfiltrate them by sending mail through Gmail to a temporary address. Talos said the presence of LucidKnight alongside LucidRook suggests a tiered toolkit where reconnaissance comes first and the stager is delivered later.
Talos also reported the actor used an out-of-band Application Security Testing service and compromised FTP servers for command-and-control. That reliance on public or compromised infrastructure is a common tactic to blend malicious traffic with legitimate services, Talos said.
What to watch for and next steps
Enterprises and NGOs in Taiwan should be vigilant. Talos recommends checking incoming archives, blocking use of living-off-the-land binaries where possible, and monitoring for suspicious DLL sideloading. Network defenders should also watch for unusual FTP connections and outgoing mail that may indicate data exfiltration.
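As an added illustration of the two hunting points above (not code from the Talos report), the following routine runs two heuristics over constructed Sysmon-style events: an image-load event where the DLL sits in the same user-writable directory as the executable that loaded it (the sideloading pattern described for the LNK chain), and an outbound connection to the FTP control port from a process that is not a known FTP client. Event schema, paths and process names are assumptions for the example.

```python
# Added example, not from the Talos report. Constructed Sysmon-like events:
# id 7 = image loaded, id 3 = network connection.
import ntpath

EVENTS = [  # constructed sample data
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\rar$\update.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\rar$\version.dll"},
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\rar$\update.exe",
     "dst_port": 21},
    {"id": 3, "image": r"C:\Program Files\FileZilla\filezilla.exe",
     "dst_port": 21},
]

# Roots treated as trusted (not user-writable); everything else is suspect.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allow-list of legitimate FTP client binaries for this environment.
FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}

def is_user_writable(path):
    """Heuristic: any path outside the standard system/program roots."""
    return not path.lower().startswith(TRUSTED_DIRS)

def suspicious_sideload(ev):
    """DLL loaded from the loader's own directory, and that directory is user-writable."""
    if ev["id"] != 7:
        return False
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    return exe_dir == dll_dir and is_user_writable(ev["image"])

def suspicious_ftp(ev):
    """Outbound FTP control connection from a process that is not a known FTP client."""
    if ev["id"] != 3 or ev.get("dst_port") != 21:
        return False
    return ntpath.basename(ev["image"]).lower() not in FTP_CLIENTS

def hunt(events):
    """Return (reason, image) pairs for events matching either heuristic."""
    hits = []
    for ev in events:
        if suspicious_sideload(ev):
            hits.append(("dll-sideload", ev["image"]))
        elif suspicious_ftp(ev):
            hits.append(("ftp-c2", ev["image"]))
    return hits

if __name__ == "__main__":
    for reason, image in hunt(EVENTS):
        print(f"{reason}: {image}")
```

Both heuristics will fire on benign software occasionally, so they are hunting leads to triage against the archive-extraction and decoy-document context, not standalone alerts.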
“The multi-language modular design and layered anti-analysis features indicate a capable actor with mature tradecraft,” Talos said. This description from Cisco Talos highlights that the campaign is both targeted and adaptive.
Defenders must respond with precise detection and effective containment strategies. Understanding the full cyber kill chain framework can help organizations anticipate attacker behavior. Additionally, organizations should follow a structured approach using a detailed cybersecurity incident response guide to minimize impact and recover efficiently.