LucidRook malware hits Taiwan NGOs and universities via Lua-powered loader
Original source: New ‘LucidRook’ malware used in targeted attacks on NGOs, universities (BleepingComputer)

Cisco Talos has documented LucidRook, a modular malware family deployed by UAT-10362 against non-governmental organizations and universities in Taiwan. October 2025 spear-phishing waves delivered password-protected archives via two infection chains: an LNK shortcut chain that drops a loader called LucidPawn behind decoy documents posing as Taiwanese government letters, and an EXE chain masquerading as Trend Micro Worry-Free Business Security Services. LucidPawn ultimately sideloads a malicious DismCore.dll alongside a renamed legitimate Microsoft Edge binary.
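The sideload step above is the most detectable part of the chain: DismCore.dll normally lives under the Windows directories, and a renamed msedge.exe still carries `OriginalFileName=msedge.exe` in its PE version resource. The following is an added example (not Talos's or BleepingComputer's code) that applies those two checks to Sysmon-style image-load records. The record shape, the correlation of the process's OriginalFileName from Event ID 1 by ProcessId, the list of trusted directories, and the sample events are all constructed assumptions.

```python
"""Flag the DLL-sideload pattern: DismCore.dll loaded from outside the Windows
directories, by a process that is a renamed msedge.exe, or as an unsigned DLL.
Added example; the event records are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass

# Directories DismCore.dll is normally mapped from (assumption: default Windows layout).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\system32\dism",
    r"c:\windows\syswow64",
    r"c:\windows\syswow64\dism",
)
SIDELOADED_DLL = "dismcore.dll"
EDGE_ORIGINAL_NAME = "msedge.exe"


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoad) record, plus the loading process's
    PE OriginalFileName taken from its Event ID 1 (assumption: joined on ProcessId)."""
    process_id: int
    image: str               # full path of the loading process
    original_file_name: str  # OriginalFileName of the process image's version resource
    image_loaded: str        # full path of the DLL that was mapped
    signed: str              # "true"/"false": Authenticode status of the DLL


def _dirname(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS running this script
    return ntpath.dirname(path).lower()


def is_renamed_edge(ev: ImageLoad) -> bool:
    """Renaming the Edge binary on disk does not change its embedded OriginalFileName,
    so a mismatch between the two is the rename indicator."""
    return (ev.original_file_name.lower() == EDGE_ORIGINAL_NAME
            and ntpath.basename(ev.image).lower() != EDGE_ORIGINAL_NAME)


def reasons_for(ev: ImageLoad) -> list:
    """Return the list of indicators that fire for one DismCore.dll load (empty = benign)."""
    if ntpath.basename(ev.image_loaded).lower() != SIDELOADED_DLL:
        return []
    reasons = []
    if _dirname(ev.image_loaded) not in TRUSTED_DIRS:
        reasons.append("DismCore.dll outside Windows directories")
    if is_renamed_edge(ev):
        reasons.append("loader is a renamed msedge.exe")
    if ev.signed.lower() != "true":
        reasons.append("DLL unsigned")
    return reasons


def triage(events) -> list:
    """(process_id, 'reason; reason') for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            hits.append((ev.process_id, "; ".join(reasons)))
    return hits


# Constructed sample telemetry: one legitimate DISM load, one campaign-style sideload.
SAMPLE_EVENTS = [
    ImageLoad(4120, r"C:\Windows\System32\Dism.exe", "DISM.EXE",
              r"C:\Windows\System32\Dism\DismCore.dll", "true"),
    ImageLoad(5588, r"C:\Users\user\AppData\Local\Temp\upd\svc.exe", "msedge.exe",
              r"C:\Users\user\AppData\Local\Temp\upd\DismCore.dll", "false"),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {why}")
```

Any single indicator is worth a look; all three together are the pattern described in the report. If your telemetry does not carry the process's OriginalFileName, the path check alone still catches DismCore.dll loaded from a user-writable directory.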
The defining trait of LucidRook is an embedded Lua interpreter that fetches and executes second-stage Lua bytecode from C2. That separation lets operators retool behavior per target without rebuilding the loader, pull payloads down only briefly, and starve incident responders of the actual post-infection logic when only the loader is recovered. Heavy obfuscation across strings, identifiers, and C2 addresses further hampers reverse engineering. Reconnaissance output — usernames, hostnames, installed apps, running processes — is RSA-encrypted, archived with a password, and exfiltrated over FTP.
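Because the loader fetches the Lua bytecode only briefly and the transfer is obfuscated, the place a responder is most likely to recover a chunk is process memory after decryption. The following is an added example (not code from Talos or from the malware) that scans a blob for precompiled Lua chunk headers and reports the interpreter family and version; it assumes the header layouts of standard PUC Lua 5.1 to 5.4 and LuaJIT 2.x dumps, and the sample blob is constructed. It finds plaintext chunks only, so run it over a memory dump rather than over the encrypted download.

```python
"""Locate precompiled Lua chunk headers in a memory dump or carved file.
Added example; header layouts follow the PUC Lua 5.1-5.4 and LuaJIT 2.x dump formats,
and SAMPLE_BLOB is constructed."""
import struct

LUA_SIG = b"\x1bLua"            # ESC 'L' 'u' 'a': PUC Lua precompiled chunk
LUAJIT_SIG = b"\x1bLJ"          # ESC 'L' 'J': LuaJIT bytecode dump
LUAC_DATA = b"\x19\x93\r\n\x1a\n"  # corruption-check bytes in 5.2 (tail) and 5.3/5.4 (after format)
PUC_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}
LUAJIT_VERSIONS = {1: "2.0", 2: "2.1"}


def classify_at(blob: bytes, off: int):
    """Return (family, version) if a plausible chunk header starts at off, else None."""
    if blob.startswith(LUA_SIG, off):
        if off + 12 > len(blob):
            return None
        ver, fmt = blob[off + 4], blob[off + 5]
        if ver not in PUC_VERSIONS or fmt != 0:   # format byte is always 0 for official dumps
            return None
        if ver >= 0x53:
            # 5.3/5.4: LUAC_DATA immediately follows the format byte
            if blob[off + 6:off + 12] != LUAC_DATA:
                return None
        else:
            # 5.1/5.2: endianness flag (0/1) and sizeof(int) (4/8) follow the format byte
            if blob[off + 6] not in (0, 1) or blob[off + 7] not in (4, 8):
                return None
            # 5.2 additionally ends its 18-byte header with LUAC_TAIL
            if ver == 0x52 and blob[off + 12:off + 18] != LUAC_DATA:
                return None
        return ("Lua", PUC_VERSIONS[ver])
    if blob.startswith(LUAJIT_SIG, off):
        if off + 4 > len(blob):
            return None
        ver = blob[off + 3]
        if ver not in LUAJIT_VERSIONS:
            return None
        return ("LuaJIT", LUAJIT_VERSIONS[ver])
    return None


def scan(blob: bytes) -> list:
    """All plausible chunk headers as (offset, family, version), sorted by offset.
    Bare signature matches that fail the header sanity checks are dropped."""
    hits = []
    for sig in (LUA_SIG, LUAJIT_SIG):
        start = 0
        while True:
            off = blob.find(sig, start)
            if off < 0:
                break
            found = classify_at(blob, off)
            if found:
                hits.append((off, *found))
            start = off + 1
    return sorted(hits)


# Constructed Lua 5.4 header: sig, version, format, LUAC_DATA, sizeof(Instruction),
# sizeof(lua_Integer), sizeof(lua_Number), LUAC_INT (0x5678), LUAC_NUM (370.5)
LUA54_HDR = (LUA_SIG + b"\x54\x00" + LUAC_DATA + b"\x04\x08\x08"
             + struct.pack("<q", 0x5678) + struct.pack("<d", 370.5))

# Constructed blob: padding, a real 5.4 header, a decoy with an invalid version byte,
# then a LuaJIT 2.1 header.
SAMPLE_BLOB = (b"\x00" * 16 + LUA54_HDR + b"A" * 8
               + b"\x1bLua\x99\x00" + b"B" * 8
               + b"\x1bLJ\x02\x00" + b"C" * 4)

if __name__ == "__main__":
    for off, family, version in scan(SAMPLE_BLOB):
        print(f"0x{off:08x}: {family} {version} chunk header")
```

A hit gives you the offset to carve from and the interpreter version to feed a decompiler; the chunk following a valid 5.x header starts with the source-name string and the main function prototype. The version byte is also a useful fingerprint of which Lua the loader embeds.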
A companion tool, LucidKnight, abuses Gmail SMTP for exfiltration, indicating the actor maintains a flexible toolkit. Talos rates this a targeted campaign with medium confidence but could not retrieve a decryptable Lua payload, leaving the specific post-compromise objectives unknown.
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.