
LucidRook Malware Targets NGOs and Universities in Taiwan


A sophisticated new threat has appeared on the cybersecurity research community’s radar. LucidRook malware is the name researchers have given to a newly identified tool used in highly targeted spear-phishing attacks against non-governmental organizations and universities in Taiwan. The attacks, first observed in October 2025, were not the work of opportunistic criminals. They bear the hallmarks of a disciplined, well-resourced threat actor operating with clear intent.

Cisco Talos linked the campaign to a cluster it tracks as UAT-10362, describing the group as a capable adversary with mature operational tradecraft. The malware’s design, delivery methods, and evasion techniques all point to a group that invested serious engineering effort into staying hidden and staying flexible.

How the Attack Begins: Spear-Phishing with a Twist

The infection starts with a spear-phishing email. Victims receive a message containing a shortened URL that leads to a password-protected compressed archive. The decryption password is included in the email body, which makes the whole thing look like a routine file-sharing exchange. Nothing about it screams malicious at first glance.

Inside the archive sits either a malicious Windows Shortcut (LNK) file or a fake executable disguised as a Trend Micro antivirus program. Both paths lead to the same outcome: LucidRook malware executing silently in the background.

To make the lure more convincing, the archive also contains decoy documents. One example is an official letter from the Taiwanese government directing universities to obtain approval before staff travel to China. The document is real. Attackers simply repurposed it to hold the victim’s attention while the infection ran its course. All materials, including the phishing email, were written in Traditional Chinese, confirming the campaign was deliberately built for a Taiwanese audience.

Two Infection Chains, One Outcome

Cisco Talos identified two distinct paths attackers used to deliver LucidRook malware. Both are multi-stage and engineered to blend in with normal Windows activity.

The LNK-based chain begins when a victim clicks the shortcut file. This triggers a PowerShell script that uses a legitimate Windows testing framework to launch hidden binaries. From there, a dropper called LucidPawn takes over. It abuses a real Windows binary tied to the Deployment Image Servicing and Management (DISM) framework, renaming it to mimic Microsoft Edge. LucidPawn then uses DLL search order hijacking to sideload LucidRook. Before any of this happens, LucidPawn checks the system’s UI language. If the system is not set to Traditional Chinese, execution stops. This geofencing technique means the malware simply will not run outside its intended target region.

The EXE-based chain starts with what looks like a Trend Micro cleanup tool. The victim launches it, sees a message saying the cleanup completed, and thinks nothing happened. Behind the scenes, the fake executable drops and executes LucidRook through the same DLL sideloading technique.

Both chains abuse an Out-of-band Application Security Testing (OAST) service alongside compromised FTP servers for command-and-control communication. This lets attackers receive confirmation of a successful infection without exposing their own infrastructure.

What LucidRook Does Once Inside

Once active, LucidRook collects basic but valuable system information: usernames, computer names, installed applications, and running processes. It encrypts all of that data using RSA, packages it into password-protected archives, and ships it out to attacker-controlled servers over FTP.

What makes LucidRook malware technically distinctive is its use of the Lua programming language. The malware embeds a full Lua interpreter inside a Windows DLL. Rather than hardcoding its behavior, it downloads encrypted Lua bytecode from the command-and-control server and executes it locally. This means attackers can change what the malware does after it lands on a system, without pushing a new loader. They update the Lua payload, and the behavior changes. It also means defenders who capture the loader without the payload get very little useful information.

Heavy obfuscation compounds the problem. The binary uses multi-stage XOR encoding and string obfuscation across its components, making it difficult to analyze. Cisco Talos was unable to recover a decryptable second-stage payload during its investigation, so the full scope of what happens post-infection remains unknown.

A Tiered Toolkit for Targeted Intrusions

LucidRook does not operate alone. Researchers also found a related tool called LucidKnight, a 64-bit Windows DLL that exfiltrates system data via Gmail to temporary email addresses. The presence of LucidKnight suggests attackers may profile targets first, using the lighter reconnaissance tool before committing to the more complex LucidRook stager. It points to a group that makes deliberate decisions about resource deployment based on what each target is worth.

Cisco Talos assesses with medium confidence that this campaign reflects a targeted intrusion rather than broad, opportunistic spreading. The engineering investment, the victim-specific decoy documents, the language-based geofencing, and the modular payload design all support that conclusion.

Final Thoughts

LucidRook malware is a clear example of how sophisticated threat actors separate themselves from the noise. The group behind these attacks did not spray phishing emails at thousands of inboxes. They chose specific targets, built convincing lures, and deployed a technically advanced toolchain designed to operate quietly and adapt on the fly.

For NGOs and academic institutions, the lesson is direct. Targeted attacks can look entirely routine right up until they are not. Password-protected archives from unexpected senders deserve scrutiny, especially when the password arrives in the same email. Monitoring for unusual DLL activity, restricting execution from user-writable directories like %APPDATA%, and applying strict email filtering are practical starting points. The attackers behind UAT-10362 clearly put in the work. Defenders need to match that effort.
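The renamed-binary-plus-DLL-sideload pattern described in the LNK chain above, and the "monitor for unusual DLL activity" advice in this section, can be turned into a concrete triage rule. The following is an added example, not code from the original post or from Cisco Talos; it runs over constructed, Sysmon-like image-load records in which the process's PE `OriginalFileName` (as reported at process creation) has been joined to the loaded-DLL fields, and the DISM-related file name is a placeholder because the post does not name the binary.

```python
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). Fields are assumed to be
# joined from a process-create record (Image, OriginalFileName) and an
# image-load record (ImageLoaded) for the same process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\EdgeUpdate\msedge.exe",
     "OriginalFileName": "PLACEHOLDER-DISM-TOOL.exe",   # placeholder, not a real name
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\EdgeUpdate\version.dll"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

USER_WRITABLE = {"appdata", "temp", "downloads", "public"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def in_user_writable(path):
    """True if any path component is a typical user-writable location."""
    return any(p.lower() in USER_WRITABLE for p in PureWindowsPath(path).parts)

def under_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)

def sideload_indicators(ev):
    """Return the reasons an event matches the renamed-binary + sideload
    pattern; an empty list means the event looks benign by these checks."""
    reasons = []
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    # 1. On-disk name differs from the PE's own OriginalFileName (renamed binary).
    if ev.get("OriginalFileName", exe.name).lower() != exe.name.lower():
        reasons.append("renamed binary: on-disk name differs from PE OriginalFileName")
    # 2. Process is executing from a user-writable directory such as %APPDATA%.
    if in_user_writable(ev["Image"]):
        reasons.append("process executing from a user-writable directory")
    # 3. DLL resolved from the executable's own, untrusted directory (search-order hijack).
    if exe.parent == dll.parent and not under_trusted_root(ev["ImageLoaded"]):
        reasons.append("DLL loaded from the executable's own untrusted directory")
    return reasons

def scan(events):
    """Map each suspicious process image to its list of indicators."""
    hits = {}
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits[ev["Image"]] = reasons
    return hits

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

Only the first constructed event trips all three checks; the legitimate Edge and Notepad loads produce no indicators, which is the point of combining the checks rather than alerting on any one alone.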

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.