Lua-Based LucidRook Malware Hits Taiwanese NGOs via Fake Antivirus Lures
Original source: The Hacker News, "UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns"
Cisco Talos has uncovered a threat cluster tracked as UAT-10362 running spear-phishing operations against Taiwanese NGOs and academic institutions. The campaigns deliver a novel Lua-based stager called LucidRook, packaged inside malicious LNK and EXE files disguised as antivirus software. A dropper component named LucidPawn performs region-specific anti-analysis checks, executing only on systems configured for Traditional Chinese, a deliberate filter to ensure payloads land exclusively in Taiwanese environments.
LucidRook embeds a Lua 5.4.8 interpreter alongside Rust-compiled libraries within a DLL. Once active, it fingerprints the host, exfiltrates system data to external infrastructure, then pulls down encrypted Lua bytecode for in-memory execution. Researchers also identified a companion reconnaissance tool called LucidKnight that exfiltrates system profiles through Gmail, suggesting a tiered operational model where targets are profiled before the full stager is deployed.
The multi-language modular architecture, layered evasion techniques, and reliance on compromised or public infrastructure point to a capable operator with mature tradecraft. While no formal nation-state attribution has been made, the tight geographic targeting of Taiwanese civil society organizations fits a pattern consistent with cross-strait espionage priorities.