New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos documented UAT-10362, a threat actor conducting spear-phishing campaigns against Taiwanese NGOs and universities that deliver ‘LucidRook’, a novel stager that embeds a Lua interpreter and Rust-compiled libraries inside a DLL in order to download and execute staged Lua bytecode payloads. Two infection chains were observed: an LNK-based chain that leverages the Pester PowerShell testing framework (a LOLBAS) combined with DLL sideloading via DISM’s DismCore.dll, and a .NET EXE-based dropper masquerading as Trend Micro security software. The dropper component ‘LucidPawn’ includes region-specific anti-analysis checks and executes only in Traditional Chinese (Taiwan) language environments. A companion tool ‘LucidKnight’ performs reconnaissance by exfiltrating system information via Gmail, suggesting a tiered toolkit in which victim profiling precedes deployment of the full implant. C2 infrastructure abuses OAST (out-of-band application security testing) services and compromised FTP servers, and the malware establishes persistence via LNK files in the Startup folder while renaming its binaries to impersonate msedge.exe.
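The behaviours summarised above (Pester abuse, DismCore.dll sideloading, Startup-folder LNK persistence, msedge.exe impersonation) translate directly into hunt heuristics. The following is an added example, not code from the Talos report, run over constructed sample telemetry; the Edge install directories and the assumption that DismCore.dll legitimately loads only from under C:\Windows are the author's assumptions, not indicators from the report.

```python
"""Hunt heuristics for the LucidRook behaviours, applied to constructed sample telemetry."""
from typing import Dict, List

# Assumed-legitimate Microsoft Edge install locations (assumption, not from the report).
EDGE_DIRS = (
    "c:/program files/microsoft/edge/application/",
    "c:/program files (x86)/microsoft/edge/application/",
)
STARTUP_MARK = "/start menu/programs/startup/"   # per-user Startup folder path fragment

def norm(path: str) -> str:
    """Lower-case and use forward slashes so comparisons ignore case and separator style."""
    return path.lower().replace("\\", "/")

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious event; an empty list means nothing matched."""
    findings: List[str] = []
    for ev in events:
        image, loaded = norm(ev.get("image", "")), norm(ev.get("loaded", ""))
        cmd, path = ev.get("cmdline", "").lower(), norm(ev.get("path", ""))
        # 1. A binary named msedge.exe running outside Edge's install directory (impersonation).
        if image.endswith("/msedge.exe") and not image.startswith(EDGE_DIRS):
            findings.append(f"msedge.exe outside Edge install dir: {ev['image']}")
        # 2. DismCore.dll loaded from outside the Windows directory (DLL sideloading).
        if loaded.endswith("/dismcore.dll") and not loaded.startswith("c:/windows/"):
            findings.append(f"DismCore.dll sideloaded from: {ev['loaded']}")
        # 3. PowerShell invoking the Pester module on a host that is not a dev/test box (LOLBAS heuristic).
        if image.endswith("/powershell.exe") and "pester" in cmd:
            findings.append(f"Pester invoked via PowerShell: {ev['cmdline']}")
        # 4. A shortcut written into a user's Startup folder (persistence).
        if path.endswith(".lnk") and STARTUP_MARK in path:
            findings.append(f"Startup-folder LNK created: {ev['path']}")
    return findings

# Constructed sample events (not real telemetry): two benign, four matching one heuristic each.
EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\Update\msedge.exe", "cmdline": "msedge.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\Dism.exe", "loaded": r"C:\Users\alice\AppData\Local\Temp\DismCore.dll"},
    {"image": r"C:\Windows\System32\Dism.exe", "loaded": r"C:\Windows\System32\Dism\DismCore.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -NoProfile -c Invoke-Pester"},
    {"path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
]

if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```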