LucidRook Malware Targets Taiwanese NGOs and Universities
A new Lua-based malware dubbed ‘LucidRook’ has surfaced, posing a significant threat through targeted spear-phishing campaigns. Cyber Threat Intelligence reports that the malware is specifically aimed at non-governmental organizations and academic institutions in Taiwan. Cisco Talos researchers, who identified the threat, attribute LucidRook to a sophisticated adversary group internally designated as UAT-10362, noting their advanced operational capabilities.
Initial attacks observed in October 2025 involved phishing emails containing password-protected archives. Cyber Threat Intelligence details two distinct infection vectors. One chain utilizes an LNK shortcut file to deploy a malware dropper named LucidPawn. The second chain employs a fake antivirus executable, masquerading as a legitimate Trend Micro Worry-Free Business Security Services product, to deliver the payload. The LNK-based approach further incorporates deceptive documents, such as fabricated government letters from the Taiwanese authorities, to mislead recipients and mask the malicious intent.
Once executed, LucidPawn decrypts and launches a legitimate executable disguised as Microsoft Edge, paired with a malicious DLL (DismCore.dll) that the executable sideloads to run LucidRook. The malware's modular architecture and built-in Lua execution environment are its defining features: it fetches and executes second-stage payloads as Lua bytecode, so the operators can update functionality and tailor a campaign's behaviour without touching the core program, while heavy code obfuscation complicates forensic analysis.
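The sideloading step above gives defenders a concrete thing to look for: a DLL named DismCore.dll being loaded from somewhere other than the Windows directory, unsigned, sitting beside an "Edge" binary that is not installed where Edge normally lives. The following Python is an added, illustrative detection check and is not code from Cisco Talos, the outlet or the malware. It runs over constructed records shaped like the Image, ImageLoaded and Signed fields of a Sysmon Event ID 7 (image load) entry; the sample paths, the assumption that genuine DismCore.dll copies live under C:\Windows, and the assumption that the real msedge.exe lives under Program Files are all mine, not facts from the report.

```python
import ntpath

# Constructed sample records, shaped like the Image, ImageLoaded and Signed
# fields of a Sysmon Event ID 7 (Image loaded) entry. Paths are illustrative.
SAMPLE_EVENTS = [
    {   # legitimate DISM loading its own DismCore.dll from the Windows directory
        "Image": r"C:\Windows\System32\Dism.exe",
        "ImageLoaded": r"C:\Windows\System32\Dism\DismCore.dll",
        "Signed": "true",
    },
    {   # the pattern described in the article: an "Edge" binary in a
        # user-writable folder loading an unsigned DismCore.dll placed beside it
        "Image": r"C:\Users\alice\AppData\Local\Temp\msedge.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\DismCore.dll",
        "Signed": "false",
    },
    {   # the real Edge loading a system DLL: benign
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
    },
]

# DLL name named in the report as the sideloading vehicle (matched case-insensitively).
SIDELOAD_DLL_NAMES = {"dismcore.dll"}
# Assumption: genuine copies of that DLL live under the Windows directory.
TRUSTED_DLL_ROOTS = ("c:\\windows\\",)
# Assumption: the genuine Edge binary is installed under Program Files.
EDGE_EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix comparisons are stable."""
    return ntpath.normcase(path)


def _under(path: str, roots) -> bool:
    """True if the normalised path starts with one of the normalised roots."""
    return _norm(path).startswith(tuple(_norm(r) for r in roots))


def sideload_reasons(event: dict) -> list:
    """Return the reasons this image-load event looks like DLL sideloading.

    An empty list means the event is not flagged.
    """
    reasons = []
    loader = event["Image"]
    dll = event["ImageLoaded"]
    dll_name = ntpath.basename(_norm(dll))
    watched = dll_name in SIDELOAD_DLL_NAMES

    if watched and not _under(dll, TRUSTED_DLL_ROOTS):
        reasons.append(f"{dll_name} loaded from outside the Windows directory")
    if watched and event.get("Signed", "").lower() != "true":
        reasons.append(f"{dll_name} is unsigned")
    # A DLL dropped next to the loading executable is the classic sideload layout.
    if watched and ntpath.dirname(_norm(dll)) == ntpath.dirname(_norm(loader)):
        reasons.append("DLL sits in the same directory as the loading executable")
    if ntpath.basename(_norm(loader)) == "msedge.exe" and not _under(loader, EDGE_EXPECTED_ROOTS):
        reasons.append("msedge.exe running from an unexpected location")
    return reasons


def find_sideloads(events) -> list:
    """Keep only events with at least one indicator, attaching the reasons."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the second record is flagged, and it trips all four indicators at once; the legitimate DISM load and the real Edge loading kernel32.dll pass untouched. In production the same logic belongs in a SIEM rule keyed on image-load telemetry, with the trusted-root lists tuned to the estate's actual install paths rather than the assumptions hard-coded here.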
What This Means For You
- Security teams should implement stricter email filtering and user awareness training focused on identifying sophisticated social engineering tactics, particularly those leveraging password-protected archives and deceptive document lures, as these are entry points for advanced threats like LucidRook.