New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Khushal

Apr 4, 2024

  • LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The dropper “LucidPawn” uses region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan.
  • Talos identified two distinct infection chains used to deliver LucidRook, involving malicious LNK and EXE files disguised as antivirus software. In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure.
Talos is describing a targeted malware campaign, not a normal software installer issue.

What stands out

  • The malware is described as a stager, which means its main job is to load additional payloads after the initial infection.
  • It reportedly embeds a Lua interpreter and Rust components inside a DLL, which is notable because it lets the threat actor keep the framework modular and harder to analyze.
  • The region/language checks in the “LucidPawn” dropper suggest the campaign is selective rather than broad spray-and-pray malware.
  • The use of fake antivirus-themed LNK/EXE lures is a common social engineering tactic, even if the backend tooling here appears more advanced than average.

Why the Taiwan language check matters

A Traditional Chinese/Taiwan environment check usually indicates one of these goals:

  • Reducing exposure outside the intended target set
  • Avoiding researcher sandboxes and automated detonation systems
  • Focusing on a specific geographic or political target

That does not prove attribution by itself, but it does suggest the campaign was designed with targeting discipline.

Infrastructure point

The mention of abused OAST services and compromised FTP servers is also interesting because it shows the operators may be trying to blend malicious traffic into services or hosts that do not immediately look like dedicated attacker infrastructure.

Practical takeaway

For defenders, the useful points are straightforward:

  • Be cautious with LNK files and fake security-tool installers
  • Monitor DLL side-loading and unusual child-process behavior from supposedly security-related executables
  • Inspect outbound connections to unexpected infrastructure, including compromised legitimate services
  • Treat language/locale-based execution checks as a sign of a more targeted intrusion chain

If anyone wants to assess exposure, the safest next step is to use the indicators and technical details from the Talos report with existing endpoint, email, proxy, and DNS telemetry rather than relying on file names alone.