LNK-based infection chain | Image: Cisco Talos
Cisco Talos has uncovered a coordinated cluster of malicious activity targeting non-governmental organizations (NGOs) and universities in Taiwan. Attributed to a capable threat actor tracked as UAT-10362, the campaign utilizes a tiered toolkit of newly identified malware families designed for stealth, reconnaissance, and persistence.
The operation stands out for its mature tradecraft, employing region-specific anti-analysis checks and a sophisticated multi-language modular design.
The campaign’s primary objective is the deployment of LucidRook, which Talos describes as a “sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL)”. Because the interpreter ships inside the DLL, the stager can download and execute staged Lua bytecode payloads rather than conventional executables, which is the basis of its stealth.
Before the stager is deployed, the actor often uses a companion reconnaissance tool dubbed LucidKnight, which “exfiltrates system information via Gmail,” allowing the attackers to “profile targets before escalating to full stager deployment”.
A key component of the infection chain is the dropper known as LucidPawn. To ensure it only impacts the intended targets, the dropper “uses region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan”.
Talos described both the delivery vector and the infrastructure supporting it:
- Malicious LNK and EXE files: the lures were “disguised as antivirus software” to trick users into launching them and initiating the compromise.
- Infrastructure abuse: the actor “abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers” to host command-and-control (C2) operations.
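As an added example, not code from the Talos report or from the actor’s toolkit, the following Python script parses the StringData of a Windows Shell Link (.lnk) file and flags the generic traits of a lure shortcut: a living-off-the-land target such as PowerShell, hidden-window and policy-bypass switches, a minimised ShowCommand, and an icon borrowed from a binary other than the one launched. The two .lnk samples are constructed inside the script and their paths are placeholders; the heuristics are general LNK-triage checks, not signatures for this campaign.

```python
"""Added example: triage parser for Windows Shell Link (.lnk) lures.

Not code from the Talos report or the actor's toolkit. The .lnk samples
built below are constructed for this demonstration; the indicators are
generic LNK-triage heuristics rather than campaign signatures.
"""
import struct

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised; common in lure shortcuts

STRING_FIELDS = (  # StringData order as laid out on disk
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec", "forfiles")
SUSPICIOUS_SWITCHES = ("-nop", "-noprofile", "-w hidden", "windowstyle hidden", "-enc",
                       "-ep bypass", "executionpolicy bypass", "iex", "downloadstring",
                       "invoke-webrequest")


def _string_data(text):
    """One StringData entry: CountCharacters (u16) followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(name, relative_path, working_dir, arguments, icon_location, show_command=1):
    """Construct a minimal Unicode .lnk carrying only StringData (no IDList/LinkInfo)."""
    flags = (HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # creation / access / write FILETIMEs
        0, 0,          # FileSize, IconIndex
        show_command,
        0, 0, 0, 0,    # HotKey, Reserved1..3
    )
    return header + b"".join(_string_data(s) for s in
                             (name, relative_path, working_dir, arguments, icon_location))


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData strings of a .lnk blob."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize (u16) + IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags, "show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def triage(fields):
    """Return generic reasons this shortcut deserves analyst attention (empty if none)."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hit = next((b for b in LOLBINS if b in target), None)
    if hit:
        findings.append(f"target invokes a living-off-the-land binary: {hit}")
    switches = [s for s in SUSPICIOUS_SWITCHES if s in target]
    if switches:
        findings.append("arguments carry hidden-window/bypass/download switches: " + ", ".join(switches))
    if len(fields.get("arguments", "")) > 250:
        findings.append("unusually long command line (%d chars)" % len(fields["arguments"]))
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE, console would start minimised")
    icon = fields.get("icon_location", "").replace("/", "\\")
    icon_base = icon.rsplit("\\", 1)[-1].split(",")[0].lower()
    if icon_base and icon_base not in target:
        findings.append(f"icon borrowed from {icon_base}, which is not the launched binary")
    return findings


# Constructed lure: presents as an AV scan shortcut, actually launches PowerShell minimised.
LURE_LNK = build_lnk(
    name="Antivirus Security Scan",
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    working_dir="%TEMP%",
    arguments='-nop -w hidden -ep bypass -c "Write-Output constructed-sample"',
    icon_location="%SystemRoot%\\System32\\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
# Constructed benign shortcut for comparison (placeholder path).
BENIGN_LNK = build_lnk("Notes", "..\\Program Files\\Editor\\editor.exe", "", "",
                       "..\\Program Files\\Editor\\editor.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(parse_lnk(blob)))
```

Run it against a suspect .lnk by passing `open(path, "rb").read()` to `parse_lnk` and then `triage`; the parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, since the StringData fields are where a lure’s real command line usually lives.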
UAT-10362 demonstrates a high level of operational maturity. The malware suite features “layered anti-analysis features” and “stealth-focused payload handling,” indicating an actor that prioritizes remaining undetected within high-value environments.
The use of public infrastructure—such as Gmail for exfiltration—combined with compromised legitimate servers helps the malicious traffic blend in with normal network activity.
The discovery of the LucidRook family highlights the continuing threat of highly targeted spear-phishing campaigns against specific regional interests. Because the embedded interpreter and custom-compiled libraries let these attacks sidestep traditional file-based detection, organizations are urged to strengthen behavioral monitoring.