Fake Security Tool Spreads LucidRook in Taiwan Cyberattacks

Hackers are using fake security tools and cleverly crafted phishing emails to secretly deploy a new malware family, LucidRook, against organizations in Taiwan.

The campaign, tracked as UAT-10362, focuses on Taiwanese NGOs and likely universities and shows a high level of planning, stealth, and technical sophistication.

The operation relies on spear-phishing emails sent via what appears to be legitimate mail infrastructure, increasing the chance that targets will trust and open them.

One October 2025 email to a Taiwanese NGO used a shortened URL that downloaded a password-protected, encrypted RAR archive, with the password conveniently included in the body of the message.

From these archives Talos identified two multi-stage infection chains, both masquerading as security or cleanup tools but ultimately deploying LucidRook.

LNK-based infection chain (Source : Cisco Talos).
LNK-based infection chain (Source : Cisco Talos).

Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs).

One lure document is a genuine-looking Taiwanese government letter reminding universities that staff must obtain prior approval and log trips to China, helping the attackers blend into local administrative workflows.

This realistic decoy is opened after execution to distract victims while the malware installs in the background.

LNK chain: LucidPawn dropper

In the first chain, the archive contains a malicious LNK file made to look like a PDF and a hidden directory tree with four nested folders to frustrate quick analysis.

The deepest folder stores the LucidPawn dropper DLL (DismCore.dll), a legitimate DISM-related executable (install.exe), and a decoy document.

PowerShell process execution command (Source : Cisco Talos).
PowerShell process execution command (Source : Cisco Talos).

When the victim clicks the LNK, it runs a PowerShell Pester build script from the Windows modules directory to launch binaries from the hidden path, abusing a documented LOLBAS technique to look like normal system activity.

The DISM binary is then abused to sideload LucidPawn via DLL search order hijacking. LucidPawn decrypts and writes a renamed DISM executable (msedge.exe) and the LucidRook stager DLL (DismCore.dll) into the WindowsApps path, sets persistence with a Startup LNK pointing to msedge.exe, and then launches the DISM executable to load LucidRook.

At the same time, it copies decoy documents, deletes the original lure LNK, and opens the decoy in Microsoft Edge to maintain the illusion of a harmless file open.

The second chain uses a single .NET executable delivered inside a password-protected 7‑Zip archive named “Cleanup(密碼:33665512).7z,” clearly tailored for Traditional Chinese-speaking users.

EXE-based infection chain (Source : Cisco Talos).
EXE-based infection chain (Source : Cisco Talos).

The extracted Cleanup.exe pretends to be Trend Micro Worry‑Free Business Security, complete with forged application name and icon and even a fake future compilation timestamp.

On execution it decodes three embedded Base64 blobs to disk in C:\ProgramData: a legitimate DISM executable, the LucidRook stager DLL, and a Startup LNK for persistence, before showing a “cleanup complete” message box as a decoy.

LucidRook in Taiwan Cyberattacks

LucidRook itself is a 64‑bit DLL that embeds a Lua 5.4.8 interpreter plus Rust-compiled libraries, turning the DLL into a flexible execution platform for staged Lua bytecode payloads.

The Lua runtime is also wrapped with additional controls. Notably, the malware implements a non-standard “safe mode” that disables package.loadlib.

Code in the interpreter to load the libraries (Source : Cisco Talos).
Code in the interpreter to load the libraries (Source : Cisco Talos).

Once running, it gathers detailed host data, encrypts it using RSA and a password-protected ZIP, and exfiltrates it to command-and-control infrastructure over FTP.

The same FTP servers are then used to deliver an encrypted archive (archive1.zip) containing Lua bytecode, which LucidRook decrypts and executes after verifying it begins with the Lua bytecode magic header.

The code base is heavily hardened: string obfuscation hides file types and C2 details, and a two-stage deobfuscation process with runtime key reconstruction makes automated unpacking difficult.

By keeping the Lua payloads short-lived on compromised or “public” FTP servers some belonging to Taiwanese printing companies that openly publish credentials for customer uploads the operators increase operational security and reduce forensic visibility.

The LucidPawn dropper also reaches out to a Chinese out-of-band application security testing (OAST) service via a crafted DNS query, giving operators a simple way to confirm network reachability and exploit success without maintaining their own beaconing infrastructure.

At the same time, it checks the system UI language and will only fully execute on Traditional Chinese locales associated with Taiwan (and, by masking, also Hong Kong), causing it to exit silently in common English-language sandboxes and analysis environments.

Hunting for related samples led Talos to LucidKnight, a companion reconnaissance DLL delivered by a LucidPawn variant that drops only this tool.

LucidKnight collects system inventory, encrypts it with RSA, packages it into a password-protected ZIP, and exfiltrates it via Gmail using the Rust lettre crate, sending messages with a Chinese “Sports Information Platform” subject line to a disposable mailbox.

Its use alongside LucidRook indicates UAT‑10362 is operating a tiered toolkit, using LucidKnight for lightweight profiling before deciding whether to deploy the heavier LucidRook stager to high‑value targets.

Together, the Lua-based modular design, living‑off‑the‑land execution, fake security branding, geo-targeted anti-analysis and layered encryption highlight a mature, espionage-focused actor that is carefully tailoring operations to Taiwanese civil society and academic networks, rather than spraying commodity malware at scale.

u v xkqImOWg

Related Articles

Back to top button