New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads.

The dropper “LucidPawn” uses region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan.

Talos identified two distinct infection chains used to deliver LucidRook, involving malicious LNK and EXE files disguised as antivirus software. In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure.

Through hunting for LucidRook, we discovered “LucidKnight,” a companion reconnaissance tool that exfiltrates system information via Gmail. Its presence alongside LucidRook suggests the actor operates a tiered toolkit, potentially using LucidKnight to profile targets before escalating to full stager deployment.

The malware's multi-language modular design, layered anti-analysis features and stealth-focused payload handling, together with the reliance on compromised or public infrastructure, indicate that UAT-10362 is a capable threat actor with mature operational tradecraft.
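The stager layout described above (a Lua engine plus Rust code inside one DLL, fetching Lua bytecode payloads) suggests a cheap hunting heuristic. The script below is an added example, not Cisco Talos code or a published detection: it flags PE blobs that carry Lua interpreter API names alongside Rust toolchain strings, and standalone payloads that start with the Lua bytecode header. The marker strings, the decision rule and the sample bytes are assumptions constructed for illustration.

```python
"""Added triage heuristic for the LucidRook design described above.
Constructed example, not Cisco Talos code: flags blobs that pair Lua
interpreter API names with Rust toolchain strings (a stager-like DLL) and
standalone payloads that begin with the Lua bytecode header.  The marker
strings and the decision rule are assumptions for illustration."""
from dataclasses import dataclass, field

LUA_BYTECODE_MAGIC = b"\x1bLua"     # header of a precompiled Lua chunk
LUA_API_MARKERS = (b"luaL_newstate", b"lua_pcall", b"luaL_loadbuffer")
RUST_MARKERS = (b"/rustc/", b"library/core/src", b"library/std/src")


@dataclass
class Verdict:
    is_pe: bool
    lua_api: list = field(default_factory=list)
    rust: list = field(default_factory=list)
    lua_bytecode: bool = False

    @property
    def suspicious(self) -> bool:
        # A PE that embeds a Lua engine *and* Rust code mirrors the
        # multi-language stager layout; a bare bytecode chunk is a
        # candidate staged payload.  Either is worth analyst attention.
        return ((self.is_pe and bool(self.lua_api) and bool(self.rust))
                or self.lua_bytecode)


def triage(blob: bytes) -> Verdict:
    """Classify one file body (bytes) with cheap string heuristics."""
    v = Verdict(is_pe=blob.startswith(b"MZ"))
    v.lua_api = [m.decode() for m in LUA_API_MARKERS if m in blob]
    v.rust = [m.decode() for m in RUST_MARKERS if m in blob]
    v.lua_bytecode = blob.startswith(LUA_BYTECODE_MAGIC)
    return v


# Constructed samples (not real LucidRook bytes) so the script runs offline.
SAMPLE_STAGER_DLL = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
                     + b"luaL_newstate\x00lua_pcall\x00"
                     + b"/rustc/0000000/library/std/src/panicking.rs\x00")
SAMPLE_LUA_PAYLOAD = LUA_BYTECODE_MAGIC + b"\x54\x00" + b"\x19\x93\r\n\x1a\n"
SAMPLE_BENIGN_DLL = b"MZ" + b"\x00" * 62 + b"PE\x00\x00GetProcAddress\x00"

if __name__ == "__main__":
    for name, blob in (("stager.dll", SAMPLE_STAGER_DLL),
                       ("stage2.luac", SAMPLE_LUA_PAYLOAD),
                       ("benign.dll", SAMPLE_BENIGN_DLL)):
        v = triage(blob)
        print(f"{name}: suspicious={v.suspicious} lua_api={v.lua_api} "
              f"rust={v.rust} lua_bytecode={v.lua_bytecode}")
```

String matching of this kind is a triage filter, not a verdict: packed or string-encrypted samples will evade it, so treat a hit as a prompt for deeper analysis.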
Spear-phishing campaigns against Taiwanese NGOs and universities

Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager, that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities. The email contained a shortened URL that led to the download of a password-protected and encrypted RAR archive. The decryption password was included in the email body.
Based on this email and the collected samples, Talos observed two distinct infection chains originating from the delivered archives.

Decoy files

In the infection chain, the threat actor deployed a dropper that opens the decoy documents included in the bundle. One example decoy file is a letter issued by the Taiwanese government to universities in Taiwan. This document is a formal directive reminding national universities that teachers with administrative roles are legally required to obtain prior approval and file attendance records before traveling to China.