What happened
A new Lua-based malware family called LucidRook has been used in spear-phishing attacks targeting non-governmental organizations and universities in Taiwan. Cisco Talos attributed the activity to a threat group it tracks as UAT-10362 and said the attacks were observed in October 2025. The campaign used phishing emails carrying password-protected archives and followed two delivery chains. One used an LNK shortcut file and a malware dropper called LucidPawn, while the other used a fake antivirus executable impersonating Trend Micro Worry-Free Business Security Services. Cisco Talos said LucidRook is designed with a modular architecture and a built-in Lua execution environment that lets operators fetch and run second-stage payloads as Lua bytecode, giving them a flexible way to update malware behavior while limiting forensic visibility.
Who is affected
The direct exposure affects NGOs and universities in Taiwan targeted through the phishing campaign. The malware also appears built for targeted intrusions rather than broad mass infection, and Cisco Talos said the operators used decoy documents crafted to look like official communications from the Taiwanese government.
Why CISOs should care
This incident matters because the malware is designed for stealth, modular updates, and targeted post-compromise activity. LucidRook performs system reconnaissance, collects host and software information, encrypts the data with RSA, stores it in password-protected archives, and exfiltrates it to attacker-controlled infrastructure. The campaign also points to a flexible intrusion toolkit, with Cisco Talos identifying a related tool called LucidKnight that appears to support reconnaissance and uses Gmail SMTP for data exfiltration.
3 practical actions
- Hunt for both delivery chains: Review email security and endpoint telemetry for password-protected archives, suspicious LNK files, fake antivirus executables, and DLL sideloading behavior tied to files such as DismCore.dll.
- Treat Lua-enabled loaders as flexible malware platforms: Escalate incidents involving malware with embedded interpreters because the Lua-based execution model allows attackers to change post-infection behavior without replacing the core loader.
- Scope reconnaissance and staged exfiltration early: Investigate for system inventory collection, RSA-encrypted archives, FTP exfiltration, and short-lived second-stage retrieval infrastructure, since those behaviors were part of the observed activity.
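The three actions above describe behaviors to hunt for rather than how to hunt for them. The script below is an added example (it is not from Cisco Talos or from the article) that runs three simple rules over endpoint telemetry: an LNK shortcut launching a scripting host from explorer.exe, DismCore.dll loaded from outside the Windows directory (a sideloading candidate), and an outbound TCP/21 connection from a process that is not a known FTP client. The JSON field names, the Sysmon-like event shape and the sample events are all constructed assumptions; map the field names onto whatever your EDR or SIEM actually exports.

```python
"""Hunting example for the LucidRook delivery and exfiltration behaviors.

Added illustration, not Cisco Talos code. The telemetry schema below
(type/host/image/parent_image/cmdline/loaded_image/dest_port) is an
assumption standing in for a real EDR or Sysmon export.
"""
import json
from pathlib import PureWindowsPath

# Paths from which a legitimately installed DismCore.dll would be loaded.
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Interpreters commonly launched by a malicious shortcut.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Processes for which an outbound FTP connection is expected.
FTP_CLIENTS = {"ftp.exe", "winscp.exe", "filezilla.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return PureWindowsPath(path).name.lower() if path else ""


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def check_event(ev: dict):
    """Return the name of the matching hunt rule, or None if the event is benign."""
    kind = ev.get("type")
    if kind == "process":
        # Heuristic: explorer.exe spawning a scripting host with a .lnk in the command line.
        if (basename(ev.get("parent_image", "")) == "explorer.exe"
                and basename(ev.get("image", "")) in SCRIPT_HOSTS
                and ".lnk" in ev.get("cmdline", "").lower()):
            return "lnk_launch"
    elif kind == "image_load":
        # DismCore.dll is a known sideloading target; flag it outside the Windows tree.
        loaded = ev.get("loaded_image", "")
        if basename(loaded) == "dismcore.dll" and not in_windows_dir(loaded):
            return "dll_sideload"
    elif kind == "network":
        # FTP from anything other than an FTP client is worth a look.
        if ev.get("dest_port") == 21 and basename(ev.get("image", "")) not in FTP_CLIENTS:
            return "ftp_exfil"
    return None


def hunt(lines):
    """Run every rule over JSON-lines telemetry and return the findings in order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        rule = check_event(ev)
        if rule:
            findings.append({"rule": rule, "host": ev.get("host"), "image": ev.get("image")})
    return findings


# Constructed sample telemetry (seven events, three of which should fire).
_TEMP = "C:\\Users\\u\\AppData\\Local\\Temp\\svc\\"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c start \"\" \"C:\\Users\\u\\Downloads\\report.lnk\""},
    {"type": "process", "host": "ws01", "image": "C:\\Program Files\\Office\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE notes.docx"},
    {"type": "image_load", "host": "ws01", "image": _TEMP + "Dism.exe",
     "loaded_image": _TEMP + "DismCore.dll"},
    {"type": "image_load", "host": "ws02", "image": "C:\\Windows\\System32\\Dism.exe",
     "loaded_image": "C:\\Windows\\System32\\Dism\\DismCore.dll"},
    {"type": "network", "host": "ws01", "image": _TEMP + "Dism.exe", "dest_port": 21},
    {"type": "network", "host": "ws03", "image": "C:\\Windows\\System32\\ftp.exe", "dest_port": 21},
    {"type": "network", "host": "ws03", "image": "C:\\Program Files\\Chrome\\chrome.exe",
     "dest_port": 443},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES):
        print(finding)
```

Each rule is deliberately narrow so that it can be tuned against a baseline: the LNK rule will miss shortcuts whose target is launched without the shortcut path on the command line, and the DLL rule only covers the one sideloading target the article names, so extend both lists as your own telemetry shows what legitimate activity looks like.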
