Tags: malware, high, Data Exfiltration, Malware Delivery, Spear Phishing, LucidKnight, LucidPawn, LucidRook

Apr 08, 2026 • Ashley Shen

New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Source: Cisco Talos Intelligence Group
Category: malware
Severity: high

Executive Summary

Cisco Talos identified a sophisticated campaign tracked as UAT-10362 targeting Taiwanese NGOs and universities via spear-phishing. The attack delivers a new Lua-based malware family named LucidRook, utilizing a dropper called LucidPawn and a reconnaissance tool named LucidKnight. Infection chains leverage living-off-the-land binaries (LOLBAS) and DLL sideloading techniques to evade detection. The malware features region-specific anti-analysis checks, executing only in Traditional Chinese environments. Command-and-control infrastructure relies on compromised FTP servers and OAST services. LucidKnight exfiltrates system information via Gmail. This tiered toolkit indicates mature operational tradecraft aimed at espionage or data theft. Organizations should enhance email filtering, monitor for suspicious PowerShell activity, and verify executable signatures to mitigate risks associated with this targeted threat cluster.

Summary

Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”

Published Analysis

LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The dropper “LucidPawn” uses region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan. Talos identified two distinct infection chains used to deliver LucidRook, involving malicious LNK and EXE files disguised as antivirus software.

In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure. Through hunting for LucidRook, we discovered “LucidKnight,” a companion reconnaissance tool that exfiltrates system information via Gmail. Its presence alongside LucidRook suggests the actor operates a tiered toolkit, potentially using LucidKnight to profile targets before escalating to full stager deployment. The multi-language modular design, layered anti-analysis features, stealth-focused payload handling, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft.

Spear-phishing campaigns against Taiwanese NGOs and universities

Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager, that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities. The email contained a shortened URL leading to the download of a password-protected, encrypted RAR archive; the decryption password was included in the email body. Based on this email and the collected samples, Talos observed two distinct infection chains originating from the delivered archives.

Decoy files

In the infection chain, the threat actor deployed a dropper that opens the decoy documents included in the bundle. One example decoy file is a letter issued by the Taiwanese government to universities in Taiwan. This document is a formal directive reminding national universities that teachers with administrative roles are legally required to obtain prior approval and file attendance records before traveling to China. An official version of this document can be found on the Taiwanese government website.

Figure 1. Decoy file.

Two infection chains

Talos identified two infection chains used to deploy LucidRook. Both were multi-stage and began with either an LNK or an EXE launcher. The LNK infection chain uses an initial dropper Talos tracks as LucidPawn.

LNK-based infection chain

Figure 2. LNK-based infection chain.

The LNK-based infection chain was observed in both the sample targeting Taiwanese NGOs (distributed via spear-phishing emails) and the sample we suspect targeted Taiwanese universities. Both samples were delivered as an archive containing an LNK file posing as a document, with a substituted PDF file icon, together with a hidden directory, as shown in Figure 3.

Figure 3. LNK with substituted icon in the archive.

The hidden directory contains four layers of nested folders designed to evade analysis. The fourth-level directory contains the LucidPawn dropper sample (DismCore.dll), a legitimate EXE file (install.exe), and a decoy file. An example folder structure is shown in Figure 4.

Figure 4. File structure of the malicious archive.

When the user clicks the LNK file, it executes the PowerShell testing framework script C:\Program...
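As an added example (not code from the Talos report or from BrewedIntel), the following Python triage helper parses the StringData section of a Windows shortcut (MS-SHLLINK) and flags the LNK traits described above: a document-style name, an icon borrowed from another program, and a PowerShell launch target. The sample LNK is constructed inline with invented file and folder names; it is not a UAT-10362 artifact.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed order of StringData fields.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 16, 32, 64, 128
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file ('' where absent)."""
    header_size, flags = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    pos = header_size
    if flags & HAS_ID_LIST:       # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # skip LinkInfo: its 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {key: "" for key, _ in STRING_FIELDS}
    for key, bit in STRING_FIELDS:
        if flags & bit:           # CountCharacters, then that many characters
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return fields

def triage_lnk(filename: str, data: bytes) -> list:
    """Flag the LNK traits the report describes; returns a list of findings."""
    f = parse_lnk(data)
    basename = lambda p: p.lower().rsplit("\\", 1)[-1]
    findings = []
    if filename.lower().removesuffix(".lnk").endswith((".pdf", ".doc", ".docx")):
        findings.append("document-style name on a shortcut")
    if "powershell" in (f["relative_path"] + " " + f["arguments"]).lower():
        findings.append("launches PowerShell")
    if f["icon"] and basename(f["icon"]) != basename(f["relative_path"]):
        findings.append("icon borrowed from a program other than the target")
    return findings

def build_lnk(rel_path: str, args: str, icon: str) -> bytes:
    """Build a minimal Unicode ShellLink carrying only StringData (test input only)."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", flags) + bytes(52)
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(rel_path) + field(args) + field(icon)

# Constructed sample (not a real UAT-10362 artifact): a "PDF" shortcut that starts PowerShell.
SAMPLE_NAME = "notice.pdf.lnk"
SAMPLE_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"-NoProfile -File .\.hidden\a\b\c\d\stage.ps1",
                       r"C:\Program Files\Adobe\Acrobat\Acrobat.exe")
```

Run `triage_lnk(SAMPLE_NAME, SAMPLE_LNK)` to see all three findings; a real triage pass would apply it to every .lnk extracted from a suspect archive.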

Linked Entities

  • LucidKnight
  • LucidPawn
  • LucidRook
  • UAT-10362