LucidRook Malware Targets NGOs and Universities in Taiwan

Severity: High (Score: 61.2)

Sources: Gbhackers, Cybersecuritynews, Bleepingcomputer, Blog.Talosintelligence

Summary

A new Lua-based malware named LucidRook is being deployed in targeted attacks against non-governmental organizations and universities in Taiwan. The threat group tracked as UAT-10362 is believed to be behind the spear-phishing campaigns, which began in October 2025. The attackers use phishing emails carrying password-protected archives and fake security tools to deliver the malware. LucidRook has a modular design with a built-in Lua execution environment, which lets the operators update it stealthily and run second-stage payloads. The malware collects system information and exfiltrates data over FTP and Gmail SMTP. Cisco Talos researchers have identified two infection chains, one involving a dropper called LucidPawn and the other a fake antivirus executable. The attacks show a high degree of planning and technical sophistication, which complicates reverse engineering. Current assessments indicate that the attacks are part of a targeted intrusion campaign.

Key Points

  • LucidRook malware targets NGOs and universities in Taiwan through spear-phishing.
  • The malware employs a modular design with a Lua execution environment for stealth.
  • Attackers use fake security tools and phishing emails to deliver the malware.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • UAT-10362 (campaign)
  • Taiwan (country)
  • gmail.com (domain)
  • powerscrews.com (domain)
  • smtp.gmail.com (domain)
  • Government (industry)
  • LucidPawn (malware)
  • LucidRook (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • FTP (platform)
  • Microsoft Edge (platform)
  • Trend Micro Worry-Free Business Security Services (platform)
  • Windows (platform)
  • Gmail (tool)
  • 7-Zip (tool)
  • DISM (tool)
  • Lua Interpreter (tool)
  • LucidKnight (tool)
  • 0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34 (sha256)
  • 11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae (sha256)
  • 166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d (sha256)
  • 6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9 (sha256)
  • 7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33 (sha256)
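
The hashes and domains above are only useful once they are turned into a check. The script below is an added example written for this page, not tooling from Cisco Talos or any of the sources cited; it sweeps a directory tree for the five SHA-256 hashes and triages outbound-connection log lines against the network indicators. The hashes and domains are copied from the Key Entities list. Everything else is an assumption: the log line format, the MAIL_CLIENTS and FTP_CLIENTS allow-lists, and the sample log lines, which are constructed rather than real telemetry. Note the caveat it encodes: smtp.gmail.com and gmail.com are legitimate services, so a bare domain match is noise; the rule only fires when the connecting process is not a known mail client, which needs process-attributed telemetry (EDR or host firewall logs), not just DNS or proxy logs. powerscrews.com has no such problem and is treated as a high-confidence hit.

```python
"""Added example: an offline IOC sweep for the LucidRook indicators listed
above. Written for this page, not tooling from Cisco Talos or any other
source cited here. The SHA-256 hashes and domains are copied from the Key
Entities list; the log format, process allow-lists and sample log lines are
assumptions constructed for the example."""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# File hashes from the page (SHA-256, lowercase hex).
LUCIDROOK_SHA256: Set[str] = {
    "0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34",
    "11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae",
    "166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d",
    "6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9",
    "7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33",
}

# Network indicators from the page. powerscrews.com is specific to this
# campaign; smtp.gmail.com / gmail.com are legitimate services abused for
# exfiltration (T1041), so a hit on them only matters when the connecting
# process is not a mail client.
HIGH_CONFIDENCE_DOMAINS = {"powerscrews.com"}
CONTEXT_DOMAINS = {"smtp.gmail.com", "gmail.com"}
SMTP_PORTS = {25, 465, 587}

# Assumed allow-lists of processes expected to talk SMTP / FTP (tune per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"ftp.exe", "filezilla.exe", "winscp.exe"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digests(digests: Iterable[str]) -> Set[str]:
    """Return the subset of digests that are known LucidRook/LucidPawn hashes."""
    return {d.lower() for d in digests} & LUCIDROOK_SHA256


def sweep_files(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and report (path, sha256) for every IOC match."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:  # unreadable or vanished file; keep sweeping
            continue
        if match_digests([digest]):
            hits.append((str(p), digest))
    return hits


# Assumed log format for the example (one connection per line):
#   <timestamp> host=<name> proc=<image path> dst=<fqdn or ip>:<port>
LOG_RE = re.compile(r"proc=(?P<proc>.+?)\s+dst=(?P<dst>[\w.-]+):(?P<port>\d+)")


def classify_connection(line: str) -> Optional[str]:
    """Rate one outbound connection as 'high', 'medium', 'low' or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    image = m["proc"].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    dst, port = m["dst"].lower(), int(m["port"])
    if dst in HIGH_CONFIDENCE_DOMAINS:
        return "high"
    if dst in CONTEXT_DOMAINS and port in SMTP_PORTS and image not in MAIL_CLIENTS:
        return "medium"  # Gmail SMTP from a non-mail process: possible exfil
    if port == 21 and image not in FTP_CLIENTS:
        return "low"  # plain FTP from an unexpected process: worth a look
    return None


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (severity, line) for every line that trips a rule."""
    out = []
    for line in lines:
        sev = classify_connection(line)
        if sev:
            out.append((sev, line))
    return out


# Constructed sample log lines (not real telemetry) exercising each rule.
SAMPLE_LOGS = [
    "2025-10-14T09:12:01Z host=ws01 proc=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe dst=smtp.gmail.com:587",
    "2025-10-14T09:13:44Z host=ws01 proc=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE dst=smtp.gmail.com:587",
    "2025-10-14T09:15:10Z host=ws02 proc=C:\\Windows\\Temp\\svc.exe dst=powerscrews.com:443",
    "2025-10-14T09:16:30Z host=ws02 proc=C:\\Windows\\Temp\\svc.exe dst=203.0.113.5:21",
]

if __name__ == "__main__":
    for sev, line in triage(SAMPLE_LOGS):
        print(sev.upper(), line)
    for path, digest in sweep_files("."):
        print("IOC HIT", path, digest)
```

Run it against a staging copy of user profile and temp directories (where phishing-delivered archives and fake security tools are typically extracted) and against a day of process-attributed connection logs. Hash matches are exact-match only; a rebuilt or repacked sample will not hit, so treat an empty sweep as "these five files are absent", not as "the host is clean". The log rules are deliberately narrow; widen the allow-lists before deploying them rather than shrinking them afterwards under alert fatigue.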