[{"data":1,"prerenderedAt":175},["ShallowReactive",2],{"article-slug-new-lucidrook-lua-based-malware-targets-taiwanese-organizations":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":38,"sources":39,"events":51,"mitre_techniques":52,"mitre_mitigations":79,"d3fend_countermeasures":124,"iocs":135,"cyber_observables":136,"tags":158,"extract_datetime":164,"article_type":165,"impact_scope":166,"pub_date":43,"reading_time_minutes":174,"createdAt":164,"updatedAt":164},"e5575f1a-b11d-419f-aa68-6088d3ec98a8","new-lucidrook-lua-based-malware-targets-taiwanese-organizations","New 'LucidRook' Malware Uses Lua and Rust in Targeted Attacks on Taiwan","Cisco Talos Uncovers 'LucidRook' Malware Targeting Taiwanese NGOs and Universities via Spear-Phishing","Security researchers at Cisco Talos have discovered a new, sophisticated malware family named 'LucidRook' used in targeted spear-phishing campaigns. Attributed to a threat cluster known as UAT-10362, the attacks primarily target non-governmental organizations (NGOs) and universities in Taiwan. LucidRook is a complex stager delivered as a DLL that embeds a Lua interpreter and Rust-compiled libraries. It uses a dropper component, 'LucidPawn,' which performs an anti-analysis check to ensure it only runs on systems configured for the Traditional Chinese language. The malware downloads and executes Lua bytecode payloads from a C2 server, and is accompanied by a reconnaissance tool called 'LucidKnight' used for initial system profiling.","## Executive Summary\n\nResearchers from **[Cisco Talos](https://www.talosintelligence.com/)** have identified a new and sophisticated malware suite used in highly targeted attacks against organizations in Taiwan. 
The malware, dubbed **LucidRook**, is a stager that leverages an embedded Lua interpreter and Rust-based components to execute payloads fetched from a command-and-control (C2) server. The campaign, attributed to a threat cluster tracked as **UAT-10362**, has been observed targeting non-governmental organizations (NGOs) and is suspected of also targeting universities. The malware employs several advanced anti-analysis and evasion techniques, including a region-specific check that restricts its execution to systems using the Traditional Chinese language pack, strongly indicating a focus on Taiwanese victims. The operation also utilizes a reconnaissance tool named **LucidKnight**, suggesting a multi-stage attack methodology where targets are profiled before the main payload is deployed.\n\n---\n\n## Threat Overview\n\nThe threat actor **UAT-10362** is conducting a spear-phishing campaign to deliver the **LucidRook** malware. The campaign demonstrates a clear operational focus on entities within Taiwan. The infection chain is initiated through malicious attachments, such as archived LNK files disguised as PDFs or executables masquerading as antivirus software. The primary payload, **LucidRook**, is a DLL that acts as a stager. Its main purpose is to establish persistence and download subsequent Lua bytecode payloads from a C2 server for execution. This modular approach allows the attackers to flexibly deploy different capabilities depending on the target environment. The use of a companion reconnaissance tool, **LucidKnight**, for initial system information gathering points to a calculated and patient adversary that carefully selects its targets.\n\n---\n\n## Technical Analysis\n\n**LucidRook** is notable for its combination of technologies and evasion techniques:\n\n- **Infection Vectors:** The malware is delivered via two main chains:\n    1.  A malicious LNK file within an archive, which leverages nested folders to evade detection and executes the malware.\n    2.  
An executable disguised as legitimate software (e.g., antivirus).\n- **Stager Components:** The core **LucidRook** DLL embeds a Lua 5.1 interpreter and Rust-compiled libraries. This combination is uncommon and can hinder analysis by security tools not equipped to inspect Lua 5.1 bytecode, which is a binary chunk format rather than readable script text.\n- **Dropper and Evasion:** A dropper component, named **LucidPawn**, is responsible for initial execution. It performs a critical anti-analysis check by querying the system's language settings. The malware will only proceed if the language is Traditional Chinese (`zh-TW`), effectively geo-fencing its operations to Taiwan; a sandbox not localized for Traditional Chinese sees only the check and an exit.\n- **Obfuscation:** The malware uses complex arithmetic operations to dynamically calculate memory addresses for encrypted strings. The decryption keys are reconstructed at runtime, making static analysis and string extraction difficult.\n- **C2 Communication:** The attackers abused a compromised FTP server and an Out-of-band Application Security Testing (OAST) service for their C2 infrastructure, complicating takedown efforts: both are legitimate third-party assets, so blocking them by reputation alone is unreliable.\n\n**MITRE ATT&CK Techniques:**\n- [`T1566.001 - Spearphishing Attachment`](https://attack.mitre.org/techniques/T1566/001/): Initial access via emails carrying archived LNK files or disguised executables.\n- [`T1204.002 - Malicious File`](https://attack.mitre.org/techniques/T1204/002/): The victim must open the LNK or EXE for execution to begin.\n- [`T1027 - Obfuscated Files or Information`](https://attack.mitre.org/techniques/T1027/): Use of encrypted strings and dynamic key reconstruction.\n- [`T1497.001 - System Checks`](https://attack.mitre.org/techniques/T1497/001/): The language check is environmental keying intended to defeat sandboxes that are not localized for Taiwan.\n- [`T1105 - Ingress Tool Transfer`](https://attack.mitre.org/techniques/T1105/): Downloading staged Lua payloads from the C2 server.\n- [`T1218.011 - Rundll32`](https://attack.mitre.org/techniques/T1218/011/): Applicable where the LucidRook DLL is launched through `rundll32.exe`, as the observables below assume.\n\n---\n\n## Impact Assessment\n\nThe primary goal of this campaign appears to be espionage and 
intelligence gathering. By targeting NGOs and universities, the threat actor **UAT-10362** likely seeks to obtain sensitive information related to political advocacy, research, or individuals associated with these organizations. A successful compromise could lead to:\n\n- **Data Exfiltration:** Theft of confidential documents, research data, and personal information of staff and students.\n- **Long-Term Persistence:** The stager architecture allows the attacker to maintain a foothold within the target network for extended periods, deploying new tools as needed.\n- **Surveillance:** Because capabilities arrive as downloadable Lua payloads, the operators could add monitoring of communications, keystroke capture, or ongoing data theft without replacing the stager.\n\nThe focus on a specific geographic region and victim profile suggests a state-nexus, although Talos has not made a formal attribution to a specific country.\n\n---\n\n## Cyber Observables for Detection\n\nSecurity teams can hunt for this activity using the following observables:\n\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| process_name | `rundll32.exe` | A DLL stager such as LucidRook is typically launched through `rundll32.exe`. | Monitor for `rundll32.exe` spawned by `explorer.exe` (from a clicked LNK) or an email client, especially when the DLL argument sits under a user-writable path such as `AppData` or `Temp`. | medium |\n| api_endpoint | `GetUserDefaultLangID` | Windows API that returns the user's Region Format locale (LANGID `0x0404` for Traditional Chinese, Taiwan); a plausible implementation of LucidPawn's language check. | API monitoring or dynamic analysis can flag processes that query the user locale and then terminate when it is not Traditional Chinese. Many legitimate programs call this API, so correlate with parent process and file location. | medium |\n| file_name | `*.lua` | The malware downloads and executes Lua payloads. | Monitor for `.lua` files created in unusual locations such as user temp directories, but note that the payloads are Lua bytecode and may carry no extension at all; matching on the Lua chunk signature (ESC followed by `Lua`, then version byte `0x51` for Lua 5.1) is more robust than filename matching. | medium |\n| network_traffic_pattern | `FTP` | The C2 infrastructure was observed using a compromised FTP server. | Monitor for anomalous FTP traffic from endpoints to unknown or untrusted servers; a legitimate server that has been compromised will not appear on reputation blocklists. | low |\n| file_name | `LucidRook.dll` | Analyst-assigned name for the primary component, not a confirmed on-disk filename. | Search for this filename on endpoints, but expect attackers to use an innocuous name; pair the search with the `rundll32.exe` and path observables above. | low |\n\n---\n\n## Detection & Response\n\n**Detection:**\n\n1.  **Endpoint Detection and Response (EDR):** Deploy EDR solutions capable of monitoring process execution chains. Look for suspicious `rundll32.exe` activity and monitor for API calls like `GetUserDefaultLangID` followed by network connections and the download of further payloads.\n2.  **Script Block Logging:** Enable PowerShell and other script block logging to identify the execution of suspicious commands originating from LNK files.\n3.  **File Analysis:** Use sandboxing and dynamic analysis ([`D3-DA - Dynamic Analysis`](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis)) to inspect suspicious files. Configure sandbox environments with the user locale (Region Format) set to Traditional Chinese (Taiwan), not merely the display language pack, to trigger the malware's full execution path.\n\n**Response:**\n\n- Isolate any machine confirmed to be infected to prevent lateral movement.\n- Block all network connections to the identified C2 hosts. Because the observed infrastructure was a compromised FTP server and an OAST service, block the specific hosts and paths rather than a whole service that is also used legitimately.\n- Conduct a full forensic analysis of the affected endpoint to identify all downloaded payloads and executed commands.\n- Review email logs for other potential spear-phishing emails from the same campaign.\n\n---\n\n## Mitigation\n\n- **User Training:** [`M1017 - User Training`](https://attack.mitre.org/mitigations/M1017/): Train users to be suspicious of unsolicited emails with attachments, especially archives (`.zip`, `.rar`) containing LNK files or executables.\n- **Email Security:** Deploy advanced email security gateways that can scan attachments for malicious content, including LNK files inside nested archive folders, and block known malicious domains.\n- **Execution Prevention:** [`M1038 - Execution Prevention`](https://attack.mitre.org/mitigations/M1038/): Configure application control policies to restrict the execution of unsigned or untrusted DLLs and executables from user-writable locations like `AppData` or `Temp`.\n- **Attack Surface Reduction:** Configure Windows Attack Surface Reduction (ASR) rules to block executable content from email clients and webmail, to block executable files from running unless they meet a prevalence, age, or trusted-list criterion, and to block Office applications from creating child processes.","Cisco Talos researchers uncover 'LucidRook,' a new sophisticated malware using Lua & Rust. Malware specifically targets Taiwanese NGOs & universities, evading analysis by checking for Traditional Chinese language settings. 🇹🇼 #Malware #ThreatIntel #Taiwan","Cisco Talos discovers 'LucidRook,' a new Lua-based malware stager used by threat actor UAT-10362 in targeted spear-phishing attacks against Taiwanese organizations.",[13,14,15],"Malware","Threat Actor","Cyberattack","high",[18,22,25,28,30,32,35],{"name":19,"type":20,"url":21},"Cisco Talos","security_organization","https://www.talosintelligence.com/",{"name":23,"type":24},"UAT-10362","threat_actor",{"name":26,"type":27},"LucidRook","malware",{"name":29,"type":27},"LucidPawn",{"name":31,"type":27},"LucidKnight",{"name":33,"type":34},"Taiwan","other",{"name":36,"type":37},"Gmail","product",[],[40,45],{"url":41,"title":42,"date":43,"friendly_name":19,"website":44},"https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/","New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations - Cisco Talos Blog","2026-04-08","blog.talosintelligence.com",{"url":46,"title":47,"date":48,"friendly_name":49,"website":50},"https://research.checkpoint.com/2026/6th-march-threat-intelligence-report-2/","6th April – Threat Intelligence Report - Check Point Research","2026-04-06","Check Point Research","research.checkpoint.com",[],[53,57,61,65,68,71,75],{"id":54,"name":55,"tactic":56},"T1566.001","Spearphishing Attachment","Initial Access",{"id":58,"name":59,"tactic":60},"T1204.002","Malicious File","Execution",{"id":62,"name":63,"tactic":64},"T1027","Obfuscated Files or Information","Defense Evasion",{"id":66,"name":67,"tactic":64},"T1497.001","System Checks",{"id":69,"name":70,"tactic":64},"T1140","Deobfuscate/Decode Files or Information",{"id":72,"name":73,"tactic":74},"T1105","Ingress Tool Transfer","Command and Control",{"id":76,"name":77,"tactic":78},"T1071.003","Mail Protocols","Command and Control",[80,85,94,107],{"id":81,"name":82,"description":83,"domain":84},"M1017","User Training","Train users to identify and report spear-phishing attempts, particularly those with unexpected attachments.","enterprise",{"id":86,"name":87,"d3fend_techniques":88,"description":93,"domain":84},"M1021","Restrict Web-Based Content",[89],{"id":90,"name":91,"url":92},"D3-FA","File Analysis","https://d3fend.mitre.org/technique/d3f:FileAnalysis","Use email security gateways to analyze and block malicious attachments before they reach the user.",{"id":95,"name":96,"d3fend_techniques":97,"description":106,"domain":84},"M1038","Execution Prevention",[98,102],{"id":99,"name":100,"url":101},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":103,"name":104,"url":105},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting","Implement application control to prevent the execution of unauthorized DLLs and executables.",{"id":108,"name":109,"d3fend_techniques":110,"description":123,"domain":84},"M1049","Antivirus/Antimalware",[111,115,119],{"id":112,"name":113,"url":114},"D3-FCR","File Content Rules","https://d3fend.mitre.org/technique/d3f:FileContentRules",{"id":116,"name":117,"url":118},"D3-FH","File Hashing","https://d3fend.mitre.org/technique/d3f:FileHashing",{"id":120,"name":121,"url":122},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","Deploy and maintain endpoint security solutions to detect and block known malware components.",[125,131,133],{"technique_id":126,"technique_name":127,"url":128,"recommendation":129,"mitre_mitigation_id":130},"D3-DA","Dynamic 
Analysis","https://d3fend.mitre.org/technique/d3f:DynamicAnalysis","Given LucidRook's use of environmental checks (specifically, the Traditional Chinese language setting), standard sandbox analysis may fail to reveal the malware's true behavior. Security teams must configure their dynamic analysis environments to mimic potential targets in Taiwan. This means setting the user locale (Region Format) to zh-TW, not only installing the Traditional Chinese display language: if the check is built on GetUserDefaultLangID, as the observables on this page assume, it reads the Region Format locale (LANGID 0x0404) rather than the UI language. Adding a Taipei timezone (UTC+8) and a Traditional Chinese keyboard layout makes the environment more convincing. Running the suspicious LNK or EXE files in this configured environment is necessary to trigger the second-stage payload download and execution. The analysis should focus on capturing network indicators (the C2 hosts, including any compromised FTP server or OAST service domain), file system artifacts (downloaded Lua bytecode payloads, whatever extension they carry), and process activity (the stager process running its embedded Lua interpreter). This tailored analysis is the most effective way to overcome the actor's primary evasion technique and generate actionable intelligence.","M1048",{"technique_id":99,"technique_name":100,"url":101,"recommendation":132,"mitre_mitigation_id":95},"The LucidRook campaign relies on dropping and executing untrusted DLLs and executables. Implementing an application allowlisting policy, such as Windows Defender Application Control (WDAC), can effectively block this activity. The policy should be configured to only allow the execution of digitally signed, trusted software. Provided the LucidRook components are not signed by a publisher the policy trusts, they would be prevented from running; because WDAC evaluates DLL loads as well as process launches, allowing the signed rundll32.exe binary does not also allow an untrusted DLL it is asked to load. This is a powerful preventative control that moves away from trying to detect 'bad' and instead only permits 'known good'. While initial deployment can be complex, focusing on high-risk user groups or critical servers can provide significant security uplift and would directly disrupt this malware's infection chain at the execution stage.",{"technique_id":120,"technique_name":121,"url":122,"recommendation":134,"mitre_mitigation_id":108},"EDR tools should be configured to perform deep process analysis and look for anomalous execution chains. 
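The execution chain this recommendation describes, worked through as a detector over constructed Windows 4688-style process-creation events. This is an added example, not code from the Talos report or from this page: every event line, user name, DLL name and entry point in it is constructed sample data, and the field layout (key=value pairs separated by semicolons) is an assumed export format rather than native EVTX XML. It goes a step beyond the single explorer.exe case by scoring rundll32.exe launches from any parent once the DLL sits in a user-writable directory, with user-driven parents (explorer.exe, a mail client) raising the severity, and by passing over system DLLs loaded through rundll32.exe, which are everyday Windows noise.

```python
# Added example (not from the Talos report or this page): replay constructed
# Windows 4688-style process-creation events and score rundll32.exe launches
# that match the chain described here: a user-driven parent (explorer.exe after
# a clicked LNK, or a mail client) starting rundll32.exe with a DLL that lives
# in a user-writable directory.
import re
from dataclasses import dataclass

QUOTE = chr(34)  # the double-quote character Windows wraps around paths containing spaces

# Parents that mean 'a user opened something': the LNK-in-archive chain runs
# under explorer.exe, the attachment chain under the mail client.
USER_DRIVEN_PARENTS = {'explorer.exe', 'outlook.exe', 'thunderbird.exe'}

# Directories a standard user can write to. A DLL loaded by rundll32.exe from
# here deserves a look; one under the Windows or Program Files trees usually does not.
USER_WRITABLE = re.compile(
    r'^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|programdata)\\',
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry): key=value fields separated by
# ';', with CommandLine last so that any '=' inside the command line survives.
CONSTRUCTED_EVENTS = [
    'EventID=4688;ParentProcessName=C:\\Windows\\explorer.exe;NewProcessName=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\scan\\viewer.dll,Start',
    'EventID=4688;ParentProcessName=C:\\Windows\\explorer.exe;NewProcessName=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
    'EventID=4688;ParentProcessName=C:\\Users\\alice\\Downloads\\AVSetup.exe;NewProcessName=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\core.dll,Run',
    'EventID=4688;ParentProcessName=C:\\Windows\\System32\\svchost.exe;NewProcessName=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe C:\\Windows\\System32\\ieframe.dll,OpenURL',
    'EventID=4688;ParentProcessName=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE;NewProcessName=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe C:\\Users\\bob\\Downloads\\invoice\\reader.dll,Init',
    'EventID=4688;ParentProcessName=C:\\Windows\\explorer.exe;NewProcessName=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe C:\\Users\\alice\\Desktop\\notes.txt',
]


@dataclass
class Finding:
    parent: str     # parent image name, lower-cased
    dll: str        # DLL handed to rundll32.exe
    entry: str      # export rundll32.exe was asked to call
    severity: str   # 'high' (user-driven parent) or 'medium' (any other parent)


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_event(line: str) -> dict:
    return dict(field.split('=', 1) for field in line.split(';'))


def rundll32_target(cmdline: str):
    # Parse 'rundll32.exe <dll>,<entry> [args]' with a quoted or bare DLL path;
    # returns (dll, entry), or None when the command is not a rundll32 launch.
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or basename(parts[0].strip(QUOTE)) != 'rundll32.exe':
        return None
    rest = parts[1].lstrip()
    if rest.startswith(QUOTE):
        close = rest.find(QUOTE, 1)
        if close < 0:
            return None
        dll = rest[1:close]
        tail = rest[close + 1:].lstrip(',').split(None, 1)
        entry = tail[0] if tail else ''
    else:
        spec = rest.split(None, 1)[0]
        dll, sep, entry = spec.rpartition(',')
        if not sep:
            dll, entry = spec, ''
    return dll, entry


def detect_rundll32_chain(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev.get('NewProcessName', '')) != 'rundll32.exe':
            continue
        target = rundll32_target(ev.get('CommandLine', ''))
        if target is None:
            continue
        dll, entry = target
        if not USER_WRITABLE.match(dll):
            continue  # system DLLs via rundll32.exe (control panel applets etc.) are everyday noise
        parent = basename(ev.get('ParentProcessName', ''))
        severity = 'high' if parent in USER_DRIVEN_PARENTS else 'medium'
        findings.append(Finding(parent, dll, entry, severity))
    return findings


if __name__ == '__main__':
    for f in detect_rundll32_chain(CONSTRUCTED_EVENTS):
        print(f.severity.upper(), f.parent, '-> rundll32.exe', f.dll + ',' + f.entry)
```

Run as a script it prints one line per finding. The location check comes first on purpose: explorer.exe launching rundll32.exe with shell32.dll is ordinary Windows behaviour and would otherwise flood the alert queue, so the parent only decides how loudly an already-odd DLL location is reported.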
For this specific threat, a key detection opportunity is monitoring for `explorer.exe` (if a user clicks a malicious LNK file) or an email client process (`outlook.exe`) spawning a `rundll32.exe` process. This `rundll32.exe` process would then load the LucidRook DLL, under whatever filename the operators chose, typically from a user-writable directory such as `AppData` or `Temp`. Further analysis should look for this process making network connections to unknown FTP servers or OAST service domains. Another heuristic is to alert on a process that calls the `GetUserDefaultLangID` API and then promptly terminates without performing other meaningful actions, as this could indicate a failed environmental check by the malware; because countless legitimate programs call this API, treat it as a correlation signal alongside the parent process and file location rather than as an alert on its own. Correlating these process-level behaviors provides a high-confidence indicator of a LucidRook infection attempt.",[],[137,143,148,153],{"type":138,"value":139,"description":140,"context":141,"confidence":142},"command_line_pattern","rundll32.exe *.dll,*","LucidRook is a DLL and is likely executed via rundll32.exe. Monitoring for suspicious invocations, particularly DLLs under user-writable paths, is key.","Windows Event ID 4688 (Process Creation) logs, with command-line auditing enabled so the DLL path is recorded.","medium",{"type":144,"value":145,"description":146,"context":147,"confidence":142},"api_endpoint","GetUserDefaultLangID","A Windows API the malware can use to check the user's locale before proceeding; a plausible implementation of LucidPawn's language check rather than a confirmed one.","EDR telemetry or API monitoring tools.",{"type":149,"value":150,"description":151,"context":152,"confidence":16},"string_pattern","zh-TW","The malware specifically checks for the Traditional Chinese language code.","Memory analysis of suspicious processes or sandbox reports.",{"type":154,"value":155,"description":156,"context":157,"confidence":142},"file_path","%TEMP%","Stagers often drop or download subsequent payloads into temporary user directories.","File integrity monitoring or EDR file creation 
events.",[159,160,161,162,163],"Lua","Rust","Spear-phishing","Stager","Espionage","2026-04-08T15:00:00.000Z","NewsArticle",{"geographic_scope":167,"countries_affected":168,"industries_affected":169,"other_affected":172},"national",[33],[170,171],"Other","Education",[173],"Non-governmental organizations (NGOs)",4,1775683835159]