LucidRook is a Lua-based malware used in targeted phishing attacks against NGOs and universities in Taiwan, linked to a skilled group tracked as UAT-10362. According to Cisco Talos, spear-phishing campaigns in October 2025 delivered LucidRook via password-protected email attachments, with metadata suggesting use of authorised mail infrastructure and shortened URLs to download a password-protected and encrypted archive.
Researchers describe two infection chains: one LNK-based and one EXE-based, each delivering the LucidRook stager and using trusted Windows tools and DLL sideloading to evade detection. The Lua-based stager is a 64-bit Windows DLL that embeds a Lua 5.4.8 interpreter and retrieves a staged payload from its C2 over FTP, then loads and executes Lua bytecode on the host.
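As an added, defender-side example (not code from the Talos report or from the malware), the scan below looks for the two artefacts the stager description implies: the `lua_ident` release string that a statically linked Lua library carries, and the header of a precompiled Lua chunk as the interpreter's `lundump.c` expects it. The sample bytes are constructed, and the strings are assumed to be present only where the author has not stripped them.

```python
import re
from dataclasses import dataclass, field

# Lua chunk header (5.3/5.4 layout in lundump.c):
# "\x1bLua" | version byte (0x54 = 5.4) | format byte (0 = official) | LUAC_DATA
LUA_SIGNATURE = b"\x1bLua"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"
# lua_ident (lapi.c) names the exact release, e.g. "Lua 5.4.8"; assumed not stripped.
LUA_IDENT_RE = re.compile(rb"\$LuaVersion: Lua (\d\.\d(?:\.\d+)?)")


@dataclass
class LuaArtifacts:
    interpreter_versions: list = field(default_factory=list)  # from lua_ident strings
    bytecode_chunks: list = field(default_factory=list)       # (offset, "major.minor")

    @property
    def suspicious(self) -> bool:
        # A native DLL that embeds an interpreter and carries precompiled chunks
        # matches the stager profile: load bytecode, run it in-process.
        return bool(self.interpreter_versions) and bool(self.bytecode_chunks)


def find_bytecode_chunks(data: bytes) -> list:
    chunks = []
    pos = data.find(LUA_SIGNATURE)
    while pos != -1:
        hdr = data[pos + 4 : pos + 12]
        if len(hdr) == 8:
            version, fmt, tail = hdr[0], hdr[1], hdr[2:]
            # Only 5.3/5.4 place LUAC_DATA straight after the format byte, so the
            # check stays strict and random "\x1bLua" hits are not reported.
            if version in (0x53, 0x54) and fmt == 0 and tail == LUAC_DATA:
                chunks.append((pos, f"{version >> 4}.{version & 0xF}"))
        pos = data.find(LUA_SIGNATURE, pos + 1)
    return chunks


def scan_for_lua_artifacts(data: bytes) -> LuaArtifacts:
    result = LuaArtifacts()
    result.interpreter_versions = [m.group(1).decode() for m in LUA_IDENT_RE.finditer(data)]
    result.bytecode_chunks = find_bytecode_chunks(data)
    return result


# Constructed sample, not a real LucidRook binary: PE-like prefix, a lua_ident
# string as a 5.4.8 build emits it, then one precompiled 5.4 chunk header.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"$LuaVersion: Lua 5.4.8  Copyright (C) 1994-2025 Lua.org, PUC-Rio $"
    + b"\x00" * 16
    + LUA_SIGNATURE + b"\x54\x00" + LUAC_DATA + b"\x04\x08\x08"
)

if __name__ == "__main__":
    print(scan_for_lua_artifacts(SAMPLE))
```

The same function applies to a payload retrieved from the C2 or to a memory dump of the host process, where the chunk header is the more reliable of the two indicators.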
LucidRook also employs persistence techniques such as a Startup LNK, and the campaign features modular components including LucidPawn and LucidKnight for dropper and reconnaissance tasks. The report notes a targeted intrusion profile rather than broad malware distribution, emphasising attacker flexibility, stealth, and victim-specific tasking.