Malware, Threat Intelligence

New Lua malware LucidRook targets Taiwanese NGOs

Malware analysis

A new threat cluster, UAT-10362, has been identified targeting Taiwanese non-governmental organizations and universities with spear-phishing campaigns to deploy a novel Lua-based malware named LucidRook. This sophisticated stager embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute further Lua bytecode payloads, as reported by The Hacker News.

The attacks, discovered in October 2025, utilize RAR or 7-Zip archives with lures to deliver a dropper called LucidPawn. This dropper then opens a decoy file and launches LucidRook, employing DLL side-loading for execution. Two infection chains exist: one uses a Windows Shortcut (LNK) file disguised as a PDF, which executes a PowerShell script to sideload LucidPawn. The second chain involves an executable masquerading as a Trend Micro antivirus program, which acts as a .NET dropper to launch LucidRook.

LucidRook itself is a heavily obfuscated 64-bit Windows DLL designed for stealth, collecting system information and exfiltrating it to an external server before receiving and executing encrypted Lua bytecode payloads. The threat actor uses Out-of-band Application Security Testing (OAST) services and compromised FTP servers for command-and-control infrastructure. A related DLL, LucidKnight, has also been observed, capable of exfiltrating system information via Gmail, suggesting a tiered toolkit for reconnaissance before deploying LucidRook.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds