New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

NEW ‘LUCIDROOK’ MALWARE USED IN TARGETED ATTACKS ON NGOS, UNIVERSITIES

1. OVERVIEW

• A newly identified Lua-based malware family named LucidRook is being deployed in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan.
• Attributed by researchers to a threat group tracked internally as UAT-10362, described as a capable adversary with mature operational tradecraft.
• LucidRook campaigns were first observed in October 2025, with attackers using password-protected archives in phishing emails.

1. ATTACK CAMPAIGN CONTEXT

• Target: NGOs and universities in Taiwan.
• Initial delivery: Phishing emails containing password-protected archives.
• Campaign characteristics: Modular design, flexible tooling, and a focus on stealth to hinder attribution and post-compromise analysis.

1. INFECTION CHAINS

• There are two identified infection paths:
• 3.1 LNK-BASED CHAIN
  • Uses decoy documents to lure victims, including government-letter aesthetics that appear to originate from the Taiwanese government.
  • Delivers a malware dropper called LucidPawn.
  • LucidPawn decrypts and deploys a legitimate executable renamed to mimic Microsoft Edge.
  • A malicious DLL (DismCore.dll) is loaded to sideload LucidRook.
• 3.2 EXE-BASED CHAIN
  • Employs a fake antivirus executable impersonating Trend Micro Worry-Free Business Security Services.
  • This fake security app acts as the initial foothold and leads to LucidRook deployment.

1. LUCIDPAWN AND SIDELoadING MECHANICS

• LucidPawn behavior:
• Decrypts and launches a legitimate-looking binary renamed to resemble a legitimate browser.
• Works in tandem with a malicious DLL (DismCore.dll) to enable sideloading of LucidRook.
• Sideloading concept:
• LucidRook runs as a secondary payload loaded by a trusted-looking process, aiding in evading execution traps.
• This approach complicates static analysis and makes reverse engineering more challenging.

1. LUCIDROOK ARCHITECTURE AND CORE CAPABILITIES

• Modular design with a built-in Lua execution environment:
• LucidRook can retrieve and execute second-stage payloads as Lua bytecode.
• The architecture enables operators to update or tailor functionality for each target by updating the Lua payload alone.
• Operational security and stealth:
• The core malware is heavily obfuscated, including strings, file extensions, internal identifiers, and command-and-control addresses.
• Lua-based payloads allow for lighter and more flexible development cycles, reducing the need to modify the main binary.
• The Lua stage can be hosted briefly and removed from the C2 after delivery, hindering post-incident reconstruction when defenders only recover the loader.
• Execution platform:
• The embedded Lua interpreter effectively turns the loaded DLL into a persistent execution environment for the second-stage payload.

1. RECONNAISSANCE AND DATA HANDLING

• System reconnaissance:
• LucidRook collects host information such as user names, computer names, installed applications, and running processes.
• Data protection and exfiltration:
• Collected data is encrypted using RSA.
• Data is stored in password-protected archives prior to exfiltration.
• Exfiltration is performed to attacker-controlled infrastructure via FTP.

1. RELATED TOOLS AND FLEXIBLE TOOLKIT

• LucidKnight:
• A reconnaissance-oriented tool identified during analysis, likely used in tandem with LucidRook.
• Gmail GMTP abuse:
• LucidKnight demonstrates abuse of Gmail GMTP for exfiltrating collected data, indicating that UAT-10362 maintains a versatile toolkit to suit different operational needs.

1. CAMPAIGN ATTRIBUTION AND LIMITATIONS

• Confidence level:
• Cisco Talos assigns a medium level of confidence that LucidRook attacks constitute a targeted intrusion campaign.
• Data gaps:
• Researchers were unable to obtain a decryptable Lua bytecode payload captured by LucidRook, leaving some post-infection actions and objectives unknown.

1. VISUAL AND SUPPLEMENTARY MATERIALS REFERENCED

• LNK-based infection chain illustration:
• A visual depiction shows the decoy document approach leading to LucidPawn deployment and subsequent components.
• Supplemental items:
• References to a whitepaper and related defensive material discussing validation surfaces and automated pentesting context are noted, illustrating broader security testing concepts and methodologies.

1. TECHNICAL SUMMARY TAKEAWAYS

• LucidRook represents a Lua-driven, modular malware framework with a focus on stealth and rapid payload evolution.
• The combination of a dropper (LucidPawn), a sideloaded core, and a Lua-based second stage enables flexible targeting and timely updates without reworking the main binary.
• Obfuscation and encrypted exfiltration hinder straightforward analysis, while reconnaissance data is exfiltrated through conventional channels (FTP) or via adaptable methods such as Gmail-based transfers.
• The use of decoy documents and impersonation of legitimate security software indicates a layered social and technical deception strategy.
• The observed activity underscores the importance of comprehensive phishing defenses, programmatic detection of LNK and DLL sideloading techniques, and monitoring for Lua-based payload behavior in enterprise environments.

1. IMPLICATIONS FOR DEFENSE AND MONITORING (CONCISE NOTE)

• Strengthen phishing resistance, especially for documents and archived attachments with password protection.
• Monitor for LNK shortcuts and suspicious sideloading activity, including DLLs loaded by legitimate processes compromised to host malicious payloads.
• Detect Lua engine usage within Windows binaries and atypical second-stage payloads delivered via Lua bytecode.
• Implement robust data exfiltration controls and monitor for anomalous FTP activity or Gmail-based data transfers.
• Emphasize endpoint detection and response capabilities that can identify modular, multi-stage intrusion frameworks and obfuscated payloads.