In recent weeks, security researchers have detected a spear-phishing campaign directed at non-governmental organizations and universities in Taiwan that uses malware written in Lua. The initial analysis, led by Cisco Talos, has named this threat LucidRook and attributes it to an actor tracked internally as UAT-10362, described as an adversary with advanced tactics and procedures.
The delivery method observed in October 2025 relies on targeted emails carrying password-protected archives. When these attachments are opened, the observed infection chains follow two different paths. One abuses an LNK file - a Windows shortcut - that serves as a decoy and ends up running a dropper called LucidPawn. The other uses a fake executable posing as legitimate enterprise security software, giving it a credible appearance to deceive the recipient. The researchers note that in the LNK case, official-looking documents, such as purported government communications, were attached to distract the user while the malicious code did its work.

Once activated, LucidPawn installs a legitimate copy of a well-known system binary, renamed to look like a browser, and drops a malicious library - named DismCore.dll - that abuses DLL sideloading to run LucidRook. Using legitimate executables to hide malicious components is not new, but here it is effective because it combines camouflage with methods that complicate observation and forensic analysis.
What makes LucidRook particularly interesting for analysts is its modular architecture and the Lua interpreter embedded in the binary. Instead of carrying all its functionality in native code, the malware can download encrypted secondary stages as Lua bytecode and run them in that environment. This strategy offers attackers several advantages: new capabilities can be deployed without touching the binary core, the malware can be adapted to specific targets faster, and the static evidence defenders usually look for is reduced.
Beyond the use of Lua, the authors have applied heavy obfuscation to internal strings, file extensions, identifiers and command-and-control addresses, which complicates the work of anyone trying to reverse engineer the malware. According to Talos, this combination of an embedded interpreter and obfuscation has a double effect: it makes rapid changes in behaviour easy, and it hinders reconstruction of an incident if the affected host yields only the loader and not the externally hosted payload.
Among its routines, LucidRook collects system reconnaissance data: user and host names, installed applications and running processes. The collected information is encrypted with RSA, packed into password-protected archives and, as observed, sent over FTP to infrastructure controlled by the attackers. During the analysis the researchers also identified a related tool, LucidKnight, which appears to be dedicated to reconnaissance and incorporates alternative exfiltration methods, such as abusing Gmail's SMTP service to transfer data, suggesting a flexible toolset adapted to different operational needs.
Talos concludes with moderate confidence that these incidents are part of a targeted campaign. However, the researchers were unable to obtain a decryptable copy of the Lua bytecode that LucidRook would fetch from its servers, so the exact actions the malware would have performed once control was established cannot yet be confirmed. This gap illustrates one of the key challenges in investigating threats that outsource their logic to ephemeral components: if the payload hosted on the attackers' infrastructure is removed quickly, subsequent visibility is seriously compromised.

For those responsible for security in organizations that could be targeted by such attacks, the lessons are clear: the combination of social engineering (targeted emails with password-protected attachments), convincing lures (official documents or imitations of security software) and loaders that abuse legitimate binaries calls for defense in depth. Enforcing strict policies on opening password-protected archives, strengthening detection of unusual behaviour on endpoints, and reviewing application control policies to limit DLL sideloading and the abuse of well-known binaries are measures that can reduce risk. It is also important for response teams to be able to capture network traffic and early artifacts; if the Lua stage is hosted only briefly, every minute counts for recovering evidence.
For a deeper technical analysis, the Cisco Talos report is the main public reference on this campaign and provides details on the infection chains and the malware's design decisions. It is available on the Talos blog: Analysis of LucidRook by Cisco Talos. To understand the type of product the attackers imitated in one of the chains, information on the enterprise solution that was impersonated is available on the vendor's website: Trend Micro Worry-Free Business Security Services. And if you are interested in why embedding an interpreter like Lua changes the rules of the game, Lua's official documentation explains how this lightweight language works and why, by design, it is easy to embed in other programs.
In short, LucidRook is a reminder that adversaries continue to innovate in combining social engineering with sophisticated technical methods. The presence of dynamic components and ephemeral stages demands that technical monitoring be combined with good human practices: prevention and early detection remain the best defenses against targeted campaigns like this one.
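As an added illustration of the endpoint detection recommended above (example code written for this page, not code from the article or from Talos), the following script flags the sideloading pattern described earlier: a watched DLL such as DismCore.dll loaded from outside the Windows directory, loaded by a process outside it, or loaded without a valid signature. The log format, field names and sample events are constructed assumptions modelled on Sysmon image-load events.

```python
"""Flag the DLL sideloading pattern described in the article: a renamed,
legitimate system binary loading a malicious DismCore.dll from its own
directory instead of the Windows copy.  Assumption: input lines are
Sysmon Event ID 7 (image load) style 'Key=Value|Key=Value' records."""
import ntpath

# DLL names worth watching; DismCore.dll is the one named in the article.
WATCHED_DLLS = {"dismcore.dll"}
# Assumption: legitimate copies of these DLLs, and their legitimate
# loaders, live only under the Windows directory.
TRUSTED_ROOT = "c:\\windows\\"

def parse_event(line: str) -> dict:
    """Turn 'Key=Value|Key=Value' into a dict with lower-cased keys."""
    fields = (f.split("=", 1) for f in line.split("|") if "=" in f)
    return {k.strip().lower(): v.strip() for k, v in fields}

def is_suspicious_sideload(event: dict) -> bool:
    """True when a watched DLL is loaded in a way its legitimate copy never is."""
    loaded = event.get("imageloaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return False
    dll_outside_windows = not loaded.lower().startswith(TRUSTED_ROOT)
    loader_outside_windows = not event.get("image", "").lower().startswith(TRUSTED_ROOT)
    unsigned = event.get("signed", "").lower() != "true"
    return dll_outside_windows or loader_outside_windows or unsigned

def find_sideloads(lines) -> list:
    """Return the loading process path for every suspicious image-load event."""
    events = (parse_event(line) for line in lines)
    return [e["image"] for e in events if is_suspicious_sideload(e)]

# Constructed sample events, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # Genuine Dism.exe loading the genuine DismCore.dll: benign.
    "Image=C:\\Windows\\System32\\Dism.exe|ImageLoaded=C:\\Windows\\System32\\Dism\\DismCore.dll|Signed=true",
    # A renamed system binary in a user directory loading a DismCore.dll placed beside it.
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\browser.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\DismCore.dll|Signed=false",
    # Unrelated DLL load: ignored.
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ImageLoaded=C:\\Program Files\\Mozilla Firefox\\xul.dll|Signed=true",
]

if __name__ == "__main__":
    for process in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload by", process)
```

In a real deployment the same three checks map onto a SIEM rule over image-load telemetry; the trusted-root allow-list should be tuned to where the organisation's signed system binaries actually reside.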