LucidRook Malware - Targeting NGOs and Universities in Taiwan

Significant risk — action recommended within 24-48 hours
In short, LucidRook is newly documented malware that is delivered by tricking staff at targeted organizations into opening malicious attachments.
LucidRook malware is targeting NGOs and universities in Taiwan through sophisticated spear-phishing campaigns. This new threat poses significant risks to sensitive data. Security experts urge organizations to enhance their defenses against such attacks.
What Happened
A new malware known as LucidRook has emerged, being used in targeted spear-phishing campaigns against non-governmental organizations (NGOs) and universities in Taiwan. Researchers from Cisco Talos attribute this malware to a threat group identified as UAT-10362, described as a skilled adversary with advanced operational techniques.
How It Works
LucidRook is a Lua-based malware that operates through spear-phishing emails containing password-protected archives. The malware was first observed in attacks in October 2025. Two primary infection chains were identified:
- LNK shortcut file: This method delivers a malware dropper called LucidPawn.
- EXE-based chain: This approach uses a fake antivirus executable that impersonates Trend Micro Worry-Free Business Security Services.
The LNK-based attack employs decoy documents, such as forged government letters, to distract users and encourage them to open malicious files.
Who's Being Targeted
The primary targets of LucidRook are NGOs and educational institutions in Taiwan. These organizations often handle sensitive data, making them attractive targets for cybercriminals.
Signs of Infection
Indicators of infection include:
- Unusual emails with attachments, particularly password-protected files.
- Presence of files named similarly to legitimate software, such as Microsoft Edge.
- Any unexpected system behavior or performance issues.
How to Protect Yourself
To safeguard against LucidRook and similar malware, consider the following steps:
- Educate employees about the risks of phishing and suspicious emails.
- Implement email filtering solutions to catch malicious attachments.
- Regularly update and patch software to close vulnerabilities that malware could exploit.
Technical Details
LucidRook features a modular design and a built-in Lua execution environment. This allows it to execute second-stage payloads as Lua bytecode, enabling threat actors to update the malware without altering the core code. Additionally, its extensive code obfuscation complicates reverse engineering efforts, making detection and mitigation more challenging.
During execution, LucidRook conducts system reconnaissance, gathering sensitive information such as user and computer names, installed applications, and running processes. This data is encrypted and exfiltrated to attacker-controlled infrastructure via FTP. A related tool named LucidKnight has also been identified, which likely assists in reconnaissance by exfiltrating data using Gmail's SMTP service.
Conclusion
Cisco Talos concludes that the LucidRook attacks are part of a targeted intrusion campaign and holds this attribution with medium confidence. The specific actions taken post-infection remain unclear because no decryptable Lua bytecode was captured. Organizations should remain vigilant and take proactive measures to defend against such sophisticated threats.
🔍 How to Check If You're Affected
1. Monitor for unusual email attachments, especially password-protected files.
2. Check for unexpected applications or processes running on systems.
3. Implement email filtering to block known malicious senders.
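As an added illustration of the checks above (example code written for this page, not Talos tooling): a small Python triage routine that runs constructed email-gateway and endpoint records against the tradecraft the advisory describes, namely password-protected archives carrying LNK or EXE payloads, processes posing as Trend Micro Worry-Free or Microsoft Edge from unexpected locations, and FTP or SMTP connections from user-writable paths. The record format, paths and product-name matching are assumptions, not published indicators.

```python
import re

# Constructed sample telemetry for this example (not real indicators): one
# "kind|key=value|..." record per line, as an email gateway or EDR might emit.
SAMPLE_EVENTS = r"""
email|attachment=notice.zip|encrypted=yes|inner=notice.lnk
email|attachment=agenda.pdf|encrypted=no|inner=
process|image=C:\Users\u\AppData\Local\Temp\wfbs.exe|signed=no|desc=Trend Micro Worry-Free Business Security Services
process|image=C:\Program Files\Trend Micro\wfbs.exe|signed=yes|desc=Trend Micro Worry-Free Business Security Services
process|image=C:\Users\u\AppData\Roaming\msedge.exe|signed=no|desc=Microsoft Edge
network|image=C:\Users\u\AppData\Roaming\msedge.exe|dport=21
network|image=C:\Program Files\Mozilla\thunderbird.exe|dport=587
"""

IMPERSONATED = ("trend micro worry-free", "microsoft edge")  # products the advisory says are mimicked
LURE_INNER_EXT = (".lnk", ".exe")                             # payload types of the two infection chains
EXFIL_PORTS = {21: "ftp", 465: "smtp", 587: "smtp"}           # FTP and Gmail SMTP exfiltration channels
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)  # assumed "odd" locations


def parse_event(line):
    """Turn 'kind|k=v|k=v' into a dict; the record type goes under 'kind'."""
    kind, *fields = line.split("|")
    return {"kind": kind, **dict(f.partition("=")[::2] for f in fields)}


def check_event(rec):
    """Return (rule, detail) when a record matches one of the advisory's
    tradecraft patterns, else None."""
    if rec["kind"] == "email":
        inner = rec.get("inner", "").lower()
        if rec.get("encrypted") == "yes" and inner.endswith(LURE_INNER_EXT):
            return ("lure_archive", rec["inner"])
    elif rec["kind"] == "process":
        mimics = any(p in rec.get("desc", "").lower() for p in IMPERSONATED)
        odd = USER_WRITABLE.search(rec.get("image", "")) or rec.get("signed") != "yes"
        if mimics and odd:
            return ("impersonation", rec["image"])
    elif rec["kind"] == "network":
        proto = EXFIL_PORTS.get(int(rec.get("dport", 0)))
        if proto and USER_WRITABLE.search(rec.get("image", "")):
            return ("possible_exfil_" + proto, rec["image"])
    return None


def triage(text):
    """Run every non-empty record through check_event and collect the hits."""
    hits = (check_event(parse_event(line)) for line in text.splitlines() if line.strip())
    return [h for h in hits if h]
```

Running `triage(SAMPLE_EVENTS)` flags the LNK-in-encrypted-archive lure, the two impersonating processes, and the FTP connection from the fake Edge binary, while the signed Trend Micro install and the mail client are left alone.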
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: LucidRook's use of Lua for modular updates enhances its stealth, complicating detection and response efforts for targeted organizations.