New Lua Malware 'LucidRook' Targets Taiwan with Sophisticated Attacks

Pentesting News is highlighting a concerning development in the cyber threat landscape: the emergence of a new malware family dubbed ‘LucidRook.’ According to their reporting, which cites Cisco Talos’s findings, threat actors are employing spear-phishing campaigns specifically targeting Taiwanese non-governmental organizations (NGOs) and suspected universities. This operation, tracked internally as UAT-10362, utilizes a novel approach by embedding a Lua interpreter and Rust-compiled libraries within a DLL, enabling it to download and execute further Lua bytecode payloads. The initial stage, a dropper named ‘LucidPawn,’ is particularly crafty, featuring region-specific anti-analysis techniques and only activating in Traditional Chinese language environments, strongly suggesting a focus on Taiwan.

Pentesting News further details that the attackers have been observed using both malicious LNK and EXE files, often disguised as legitimate antivirus software, to initiate the infection chains. The threat actors are leveraging an Out-of-band Application Security Testing (OAST) service and have compromised FTP servers to establish their command-and-control (C2) infrastructure, demonstrating a degree of operational sophistication. This reliance on compromised or readily available infrastructure points to a capable adversary focused on stealth and efficiency.

Adding another layer to this operation, Pentesting News reports that hunting for LucidRook led to the discovery of ‘LucidKnight,’ a companion tool designed for reconnaissance. This tool exfiltrates system information discreetly, using Gmail for its communication channel. The presence of both LucidRook and LucidKnight suggests a multi-stage attack strategy, where LucidKnight might be used for initial target profiling before the more potent stager, LucidRook, is deployed. The combination of modular design, layered defenses, stealthy payload handling, and mature operational tradecraft makes UAT-10362 a notable threat actor.

What This Means For You

  • Security teams should prioritize enhancing detection capabilities for Lua-based payloads and be especially vigilant against spear-phishing attempts targeting Taiwanese organizations, given the specific regional focus and anti-analysis techniques employed by the LucidRook threat actor.
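One concrete way to act on the detection recommendation above is to look for the generic artefacts of an embedded Lua runtime in files that arrive via phishing lures. The following Python scanner is an added example for this article, not Cisco Talos tooling and not a LucidRook indicator: it checks a binary for the `\x1bLua` precompiled-chunk header (followed by a Lua 5.1 to 5.4 version byte) and for a cluster of Lua C API symbol names that a DLL carrying its own interpreter normally contains. The symbol list, the "three or more symbols" threshold and the two sample blobs are constructed assumptions for illustration.

```python
"""Heuristic scanner for embedded Lua interpreters and Lua bytecode.

Added example for the article above; not Cisco Talos tooling and not a
LucidRook-specific IoC.  It encodes a generic assumption about how Lua is
embedded in native binaries, which is the pattern the article describes.
"""
import re
from dataclasses import dataclass, field

# Lua precompiled chunks start with ESC 'L' 'u' 'a' followed by a version
# byte: 0x51..0x54 for Lua 5.1..5.4.
LUA_BYTECODE_MAGIC = re.compile(rb"\x1bLua([\x51-\x54])")

# Names from the public Lua C API.  A DLL that ships its own interpreter will
# usually carry several of these as import or export names.
LUA_API_SYMBOLS = (
    b"luaL_newstate", b"luaL_loadbufferx", b"luaL_loadstring",
    b"lua_pcallk", b"lua_pushcclosure", b"luaL_openlibs",
)

# Assumed threshold: a single stray string is noise, a cluster is a signal.
MIN_API_SYMBOLS = 3


@dataclass
class LuaFindings:
    bytecode_offsets: list = field(default_factory=list)
    bytecode_versions: list = field(default_factory=list)
    api_symbols: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either embedded bytecode or a cluster of interpreter symbols is
        # worth a closer look by an analyst.
        return bool(self.bytecode_offsets) or len(self.api_symbols) >= MIN_API_SYMBOLS


def scan_bytes(data: bytes) -> LuaFindings:
    """Scan an in-memory blob for Lua bytecode headers and API symbol names."""
    findings = LuaFindings()
    for match in LUA_BYTECODE_MAGIC.finditer(data):
        findings.bytecode_offsets.append(match.start())
        version_byte = match.group(1)[0]
        # 0x54 -> "5.4", 0x51 -> "5.1"
        findings.bytecode_versions.append(f"5.{version_byte & 0x0F}")
    findings.api_symbols = [s.decode() for s in LUA_API_SYMBOLS if s in data]
    return findings


def scan_file(path: str) -> LuaFindings:
    """Scan a file on disk, e.g. a DLL dropped next to a phishing LNK."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: a fake DLL body carrying three Lua API names and a
# Lua 5.4 chunk header.  Not real malware bytes.
SAMPLE_DLL = (
    b"MZ" + b"\x00" * 64
    + b"luaL_newstate\x00lua_pcallk\x00luaL_openlibs\x00"
    + b"\x1bLua\x54\x00\x19\x93\r\n\x1a\n" + b"\x00" * 16
)
# Constructed benign sample with ordinary Win32 import names only.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"GetProcAddress\x00LoadLibraryW\x00"

if __name__ == "__main__":
    for name, blob in (("sample_dll", SAMPLE_DLL), ("benign", SAMPLE_BENIGN)):
        result = scan_bytes(blob)
        print(name, "suspicious" if result.suspicious else "clean", result)
```

Run it against a directory of quarantined attachments with `scan_file` and route anything `suspicious` to sandboxing; because the dropper described above only activates in Traditional Chinese language environments, make sure at least one detonation profile uses that locale, or the payload stage will never be observed.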