{
	"id": "b005386c-d3ef-4cc5-9401-7a0589d8beb0",
	"created_at": "2026-04-17T02:19:59.485754Z",
	"updated_at": "2026-04-18T02:21:52.629752Z",
	"deleted_at": null,
	"sha1_hash": "17608bf096dbd05dcf7e1a974ed004bec966ad13",
	"title": "New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1505875,
	"plain_text": "New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations\r\nBy Ashley Shen\r\nPublished: 2026-04-08 · Archived: 2026-04-17 02:00:54 UTC\r\nWednesday, April 8, 2026 06:00\r\nCisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”\r\nLucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The dropper “LucidPawn” applies region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan.\r\nTalos identified two distinct infection chains used to deliver LucidRook: one built around a malicious LNK file disguised as a PDF document and one around a malicious EXE disguised as antivirus software. In both cases the stager relied on abused third-party FTP servers for command-and-control (C2), and the LNK chain’s dropper additionally beaconed to a public Out-of-band Application Security Testing (OAST) service.\r\nThrough hunting for LucidRook, we discovered “LucidKnight,” a companion reconnaissance tool that exfiltrates system information via Gmail. Its presence alongside LucidRook suggests the actor operates a tiered toolkit, potentially using LucidKnight to profile targets before escalating to full stager deployment.
\r\nThe malware’s multi-language modular design, layered anti-analysis features and stealth-focused payload handling, together with its reliance on abused third-party or public infrastructure, indicate that UAT-10362 is a capable threat actor with mature operational tradecraft.\r\nhttps://blog.talosintelligence.com/new-lua-based-malware-lucidrook/\r\nSpear-phishing campaigns against Taiwanese NGOs and universities\r\nCisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager, against a Taiwanese NGO in October 2025. The email metadata suggests it was sent through authorized mail infrastructure, which implies potential misuse of a legitimate sending capability.\r\nThe email contained a shortened URL leading to the download of a password-protected, encrypted RAR archive; the decryption password was included in the email body. Based on this email and the collected samples, Talos observed two distinct infection chains originating from the delivered archives.\r\nDecoy files\r\nIn the infection chain, the threat actor deployed a dropper that opens the decoy documents included in the bundle. One example decoy is a letter issued by the Taiwanese government to universities in Taiwan: a formal directive reminding national universities that teachers with administrative roles are legally required to obtain prior approval and file attendance records before traveling to China. An official version of this document can be found on the Taiwanese government website.\r\nFigure 1. Decoy file.\r\nTwo infection chains\r\nTalos identified two infection chains used to deploy LucidRook. Both were multi-stage and began with either an LNK or an EXE launcher. The LNK infection chain uses an initial dropper Talos tracks as LucidPawn.\r\nLNK-based infection chain\r\nFigure 2. LNK-based infection chain.\r\nThe LNK-based infection chain was observed both in the sample targeting Taiwanese NGOs (distributed via spear-phishing emails) and in the sample we suspect targeted Taiwanese universities. Both samples were delivered as an archive containing an LNK file whose icon was replaced with a PDF document icon, together with a hidden directory, as shown in Figure 3.\r\nFigure 3. LNK with substituted icon in the archive.\r\nThe hidden directory contains four layers of nested folders designed to evade analysis. The fourth-level directory contains the LucidPawn dropper sample (DismCore.dll), a legitimate EXE file (install.exe), and a decoy file. An example folder structure is shown in Figure 4.\r\nFigure 4. File structure of the malicious archive.\r\nWhen the user clicks the LNK file, it executes the PowerShell testing framework script C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Build.bat, passing the path of the binaries located in the hidden directory so that the batch file launches the embedded malware. This is a known technique that leverages living-off-the-land binaries and scripts (LOLBAS) to evade detection: the process chain starts from a preinstalled Microsoft module script rather than from an unknown executable. That batch file being launched with a path argument is rare in legitimate use and is a good detection anchor.\r\nFigure 5. LNK target metadata.\r\nThe PowerShell process executes the following command:\r\nFigure 6. PowerShell process execution command.\r\nThe index.exe file is a legitimate Windows binary associated with the Deployment Image Servicing and Management (DISM) framework. It is abused as a loader to sideload LucidPawn via DLL search order hijacking: the DISM binary resolves DismCore.dll from its own directory first, so the malicious copy placed beside it is loaded instead of the system one.\r\nThe LucidPawn dropper embeds two AES-encrypted binaries: a legitimate DISM executable and the LucidRook stager.
Upon execution, both binaries are decrypted and written to %APPDATA%\\Local\\Microsoft\\WindowsApps\\, with the DISM executable renamed to msedge.exe to impersonate the Microsoft Edge browser and the LucidRook stager written as DismCore.dll. Persistence is established via an LNK file in the Startup folder that launches msedge.exe. After dropping the binaries, LucidPawn launches the DISM executable to sideload the LucidRook stager.\r\nThe LucidPawn dropper also handles the decoy documents: it locates files with specific document extensions (.pdf, .docx, .doc, .xlsx) in the working directory, copies them to the first-layer directory, deletes the original lure LNK file, and opens the decoy with Microsoft Edge to distract the victim.\r\nEXE-based infection chain\r\nThe second infection chain uses only a malicious EXE written for the .NET framework, without the LucidPawn dropper.\r\nFigure 7. EXE-based infection chain.\r\nTalos observed the EXE-based infection chain in samples uploaded to public malware repositories in December 2025. The samples were distributed as password-protected 7-Zip archives named “Cleanup(密碼：33665512).7z” (密碼 is Traditional Chinese for “password”). Based on the Traditional Chinese used in the archive filename, the language shown in the malicious dropper, and the geographic context of the sample upload locations, we assess with moderate to high confidence that the campaign was intended to target Taiwanese entities.\r\nThe 7-Zip archive contains a single executable file named Cleanup.exe. The extracted binary masquerades as Trend Micro™ Worry-Free™ Business Security Services, using a forged application name and icon to impersonate a legitimate security product.
In addition, the binary carries a compilation timestamp that is clearly falsified (2065-01-12 14:12:28 UTC).\r\nFigure 8. The EXE dropper forged as a Trend Micro product.\r\nThe executable is a simple dropper written for the .NET framework. It embeds three binary files as Base64-encoded data within its code and, upon execution, decodes and drops them into the C:\\ProgramData directory. The dropped files are a legitimate DISM executable, the LucidRook stager, and an LNK file placed in the Startup folder to establish persistence.\r\nFigure 9. Decompiled code of the EXE dropper.\r\nAfter execution, the program displays a decoy message box claiming that the cleanup process has completed.\r\nFigure 10. Decoy message box from the dropper.\r\nLucidRook Lua-based stager\r\nLucidRook is a sophisticated 64-bit Windows DLL stager consisting of a Lua interpreter, embedded Rust-compiled libraries, and a Lua bytecode payload. The DLL embeds a Lua 5.4.8 interpreter and retrieves a staged payload (in our sample named archive1.zip) from its C2 over FTP. After unpacking and validating the downloaded stage, the implant loads and executes the resulting Lua bytecode on the compromised host.\r\nEmbedding the Lua interpreter effectively turns the native DLL into a stable execution platform while letting the threat actor update or tailor behavior for each target or campaign simply by replacing the Lua bytecode payload, a lighter and more flexible development process than rebuilding the native loader. This approach also improves operational security: the Lua stage can be hosted only briefly and removed from the C2 after delivery, which hinders post-incident reconstruction when defenders recover only the loader without the externally delivered Lua payload.
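The stager’s validation of the downloaded stage is worth reproducing in an analysis tool: a recovered stage file (for instance the member of a downloaded archive) can be triaged by checking the complete Lua 5.4 header rather than only its four-byte prefix. The Python below is an added example written for this page, not Talos code and not taken from the malware; it follows the header layout of the reference Lua 5.4 interpreter, and the sample blobs it tests are constructed here (no real LucidRook stage is embedded).

```python
import struct

# Lua 5.4 bytecode header as written by ldump.c in the reference interpreter
# (LucidRook embeds 5.4.8; the header is identical across 5.4.x):
#   4 bytes  LUA_SIGNATURE   ESC 'L' 'u' 'a'
#   1 byte   LUAC_VERSION    0x54
#   1 byte   LUAC_FORMAT     0
#   6 bytes  LUAC_DATA       0x19 0x93 CR LF 0x1A LF   (detects text-mode transfer damage)
#   3 bytes  sizeof(Instruction), sizeof(lua_Integer), sizeof(lua_Number)
#   8 bytes  LUAC_INT        0x5678 as lua_Integer     (endianness check)
#   8 bytes  LUAC_NUM        370.5 as lua_Number       (float format check)
# followed by one byte: the number of upvalues of the main function.
LUA_SIGNATURE = bytes([0x1B]) + b'Lua'
LUAC_DATA = bytes([0x19, 0x93, 0x0D, 0x0A, 0x1A, 0x0A])
LUAC_INT = 0x5678
LUAC_NUM = 370.5
HEADER_LEN = 31


def has_lua_magic(blob: bytes) -> bool:
    '''The cheap check the stager itself performs: does the blob start with ESC Lua?'''
    return blob[:4] == LUA_SIGNATURE


def parse_lua54_header(blob: bytes) -> dict:
    '''Validate the complete 5.4 header and return its fields; raises ValueError
    naming the first inconsistency. A Windows x64 build writes little-endian.'''
    if not has_lua_magic(blob):
        raise ValueError('missing Lua signature')
    if len(blob) < HEADER_LEN + 1:
        raise ValueError('shorter than a 5.4 header plus the upvalue count byte')
    version, fmt = blob[4], blob[5]
    if version != 0x54:
        raise ValueError('not Lua 5.4 bytecode: version byte 0x%02x' % version)
    if fmt != 0:
        raise ValueError('non-standard format byte %d' % fmt)
    if blob[6:12] != LUAC_DATA:
        raise ValueError('LUAC_DATA mismatch (text-mode corruption or tampering)')
    sizes = tuple(blob[12:15])
    if sizes != (4, 8, 8):
        raise ValueError('unexpected type sizes %r' % (sizes,))
    (luac_int,) = struct.unpack_from('<q', blob, 15)
    (luac_num,) = struct.unpack_from('<d', blob, 23)
    if luac_int != LUAC_INT:
        raise ValueError('LUAC_INT mismatch: producer endianness differs')
    if luac_num != LUAC_NUM:
        raise ValueError('LUAC_NUM mismatch: producer float format differs')
    return {
        'version': '5.%d' % (version & 0x0F),
        'sizeof_instruction': sizes[0],
        'sizeof_integer': sizes[1],
        'sizeof_number': sizes[2],
        'n_upvalues_main': blob[HEADER_LEN],
    }


def classify_stage(blob: bytes) -> str:
    '''Triage verdict for a recovered stage file.'''
    try:
        info = parse_lua54_header(blob)
    except ValueError as why:
        if not has_lua_magic(blob):
            return 'not-bytecode'      # plaintext Lua or something else entirely
        return 'bytecode-invalid: %s' % why
    return 'lua-%s-bytecode' % info['version']


def build_lua54_header(n_upvalues: int = 1) -> bytes:
    '''Emit a header exactly as luac 5.4 on x64 would; used only to construct samples.'''
    return (LUA_SIGNATURE + bytes([0x54, 0]) + LUAC_DATA + bytes([4, 8, 8])
            + struct.pack('<q', LUAC_INT) + struct.pack('<d', LUAC_NUM)
            + bytes([n_upvalues]))


# Constructed samples (not real LucidRook stages): a valid 5.4 chunk head, a plaintext
# script, a 5.3 header, and a 5.4 header whose CR LF was collapsed to LF, which is
# what an FTP transfer in ASCII mode instead of TYPE I would do to it.
SAMPLES = {
    'good_54': build_lua54_header() + b'body',
    'plain_text': b'local x = 1',
    'lua53': (LUA_SIGNATURE + bytes([0x53, 0]) + LUAC_DATA + bytes([4, 8, 4, 8, 8])
              + struct.pack('<q', LUAC_INT) + struct.pack('<d', LUAC_NUM)),
    'ascii_mode_damage': build_lua54_header().replace(bytes([0x0D, 0x0A]), bytes([0x0A])) + b'body',
}
```

The ASCII-mode sample is the one that matters in practice: a stage transferred without binary mode fails at the LUAC_DATA field, which is exactly what that field was designed to catch, and a blob that passes the four-byte prefix check but fails here is either damaged or a different Lua version.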
\r\nDue to the embedded Lua interpreter and the stripped Rust-compiled components, the DLL is complex to reverse engineer. The binary is approximately 1.6 MB in size and contains over 3,800 functions, reflecting the amount of runtime and library code bundled into a single module. Execution is initiated via the DllGetClassObject export; however, the sample implements no COM functionality and uses the export solely as an entry point.\r\nUpon execution, the malware’s core workflow is twofold. First, it performs host reconnaissance, collecting system information that is encrypted, packaged, and exfiltrated to the C2 infrastructure. It then retrieves an encrypted, staged Lua bytecode payload from the C2 server, which is decrypted and executed on the compromised host.\r\nLua interpreter embedding implementation\r\nLucidRook embeds a Lua 5.4.8 interpreter directly inside the DLL and uses it to execute a downloaded Lua bytecode stage. Before handing the stage to the VM, the loader verifies that the decrypted blob begins with the standard Lua bytecode magic (\\x1bLua), indicating the payload is a compiled Lua chunk rather than a plaintext script.\r\nFigure 11. Code to check the Lua bytecode prefix in the downloaded blob.\r\nThe Lua runtime is also wrapped with additional controls. Notably, the malware implements a non-standard “safe mode” that disables package.loadlib (as shown by the unique error string “package.loadlibis disabled in safe mode”), which prevents Lua payloads from loading arbitrary external DLL-based modules via the standard require/loader pathway.
Additionally, in the library initialization flow observed, the malware opens the common standard libraries (e.g., io, os, string, math, package) but does not open the debug library, which would normally provide powerful introspection primitives; this omission is consistent with an anti-analysis hardening choice. Note that the safe mode only blocks native modules: with io and os open, a payload still has full file and process access through standard calls such as io.open and os.execute.\r\nFigure 12. Code in the interpreter to load the libraries.\r\nString obfuscation scheme\r\nThe LucidRook samples employ a sophisticated string obfuscation scheme. It was applied to almost all embedded strings, including file extensions, internal identifiers, and C2 addresses, and it increases the difficulty of both analysis and detection.\r\nThe deobfuscation follows a structured two-stage runtime process:\r\n1. Address calculation: Rather than using direct offsets, the malware calculates the memory address of an encrypted string through a unique series of arithmetic operations for each string. This prevents cross-referencing encrypted data blocks to their use sites during reverse engineering.\r\n2. Runtime key reconstruction and XOR decryption: Each 4-byte chunk is decrypted with XOR using a key that is not hardcoded directly. Instead, the key is reconstructed at runtime by combining a constant seed value (ending in 0x00) with a single-byte mask read from a parallel lookup table: Plaintext = Ciphertext ^ (Seed | Mask)\r\nThe use of a parallel lookup table for masks significantly complicates the creation of automated “unpacking” scripts, as the relationship between the encrypted string and its corresponding mask is obscured by the flattened control flow.\r\nFigure 13. Decompiled code for file extension string deobfuscation.\r\nFigure 14. Address computation for string “docx”.
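A small model of the scheme makes both its strength and its limit concrete. The Python below is an added example written for this page, not code from Talos or from the malware: it implements Plaintext = Ciphertext ^ (Seed | Mask) over 4-byte chunks with a constructed seed and mask table, then shows what an analyst obtains from the seed alone. One assumption is stated in the code: chunks are treated as little-endian 32-bit words, so the mask affects only byte 0 of each chunk, which is the natural reading of a seed that ends in 0x00.

```python
import struct

# Model of the scheme as the report describes it: every 4-byte chunk is XORed with a
# 32-bit key built at runtime as (Seed | Mask), where Seed is a constant whose low
# byte is 0x00 and Mask is one byte taken from a parallel table.
# Assumed here (not stated in the report): chunks are little-endian 32-bit words,
# so the mask lands in byte 0 of each chunk and bytes 1..3 depend on the seed alone.
SEED = 0x8A3F2C00                         # constructed; a real sample has its own
MASKS = bytes([0x5B, 0xC2, 0x17, 0xE9])   # constructed parallel mask table


def chunk_keys(seed: int, masks: bytes) -> list:
    '''Per-chunk keys: with the seed low byte zero, OR simply inserts the mask.'''
    if seed & 0xFF:
        raise ValueError('seed must end in 0x00 for the OR to act as a byte insert')
    return [seed | m for m in masks]


def deobfuscate(cipher: bytes, seed: int, masks: bytes) -> bytes:
    '''Plaintext = Ciphertext ^ (Seed | Mask) per 4-byte chunk; strips NUL padding.'''
    if len(cipher) % 4:
        raise ValueError('ciphertext is not whole 4-byte chunks')
    n = len(cipher) // 4
    if len(masks) < n:
        raise ValueError('mask table shorter than the number of chunks')
    out = bytearray()
    for i, key in enumerate(chunk_keys(seed, masks[:n])):
        (c,) = struct.unpack_from('<I', cipher, 4 * i)
        out += struct.pack('<I', c ^ key)
    return bytes(out).rstrip(bytes([0]))


def obfuscate(plain: bytes, seed: int, masks: bytes) -> bytes:
    '''Inverse of deobfuscate (XOR is symmetric). Used here only to build samples.'''
    padded = plain + bytes(-len(plain) % 4)
    out = bytearray()
    for i, key in enumerate(chunk_keys(seed, masks[:len(padded) // 4])):
        (p,) = struct.unpack_from('<I', padded, 4 * i)
        out += struct.pack('<I', p ^ key)
    return bytes(out)


def partial_decrypt(cipher: bytes, seed: int, unknown: str = '?') -> str:
    '''What the seed alone yields when the mask table cannot be tied to the string:
    bytes 1..3 of every chunk decrypt directly and byte 0 is left as a placeholder,
    so three quarters of every string is readable without the masks.'''
    out = []
    for i in range(len(cipher) // 4):
        (c,) = struct.unpack_from('<I', cipher, 4 * i)
        chunk = struct.pack('<I', c ^ seed)
        out.append(unknown + chunk[1:].decode('latin-1'))
    return ''.join(out).rstrip(chr(0))


def match_candidates(partial: str, wordlist, unknown: str = '?') -> list:
    '''Resolve the placeholders from context: keep entries that agree with every
    recovered byte (extensions, protocol prefixes and hostnames are short).'''
    return [w for w in wordlist
            if len(w) == len(partial)
            and all(p == unknown or p == q for p, q in zip(partial, w))]


def recover_masks(cipher: bytes, seed: int, plain: bytes) -> bytes:
    '''Once a string is known its mask-table entries fall out directly:
    mask_i = cipher_i[0] ^ plain_i[0], because the seed contributes nothing to byte 0.'''
    padded = plain + bytes(-len(plain) % 4)
    return bytes((cipher[4 * i] ^ padded[4 * i]) for i in range(len(cipher) // 4))
```

The consequence is useful during triage: with the seed read from the decompiled decryption routine, three of every four bytes of every string decrypt without the mask table, short strings such as extensions or a protocol prefix are resolved by pattern matching, and each string resolved this way gives back the mask-table entries it used.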
\r\nHost reconnaissance\r\nThe malware collects a range of system information, including the user account name, computer name, driver information, user profile directory, installed applications, and running processes. The collected information is stored in three files (named 1.bin, 2.bin, 3.bin) with two layers of encryption: RSA and a password-protected ZIP archive. The BIN files are encrypted with an embedded RSA public key (DER hash ab72813444207dba5429cf498c6ffbc69e1bd665d8007561d0973246fa7f8175) and then compressed into a ZIP file encrypted with the password !,OO5*+ZEYORE%\u0026.K1PQHxiODU^RA046. With these layers in place, the exfiltrated data can only be decrypted by the threat actor, who holds the matching private key. The RSA public key, stored encrypted in the sample and shown here decrypted, is:\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMIIBCgKCAQEA3YeM0FbZO8QB3/ctZd2+oS8weSUwmgp33c5lVJ8InJx5yJJnXF+8\r\nqLL+nzwcItVQyAQbZBymN9ueIgkNRBQuRJgZOxLHG2cbNIWXMImKb5zkkyIUfCz1\r\nhLprvBu4i2IIeWTFyTLfIpwZ/rUn+lARRmIeWTmJezOaSh5QvVaF6Oqk5qoTXk9A\r\nMivxKnfFiMhlBh3/V6S4+gTzqy7IwgSuPv8IL6n5LF+N8DmIvAVCck1e2KIYMu54\r\nUT7ef16N60LVksADJsnk+E5CSOeD4FzSTjS9G9c3sZFP/7r7xAbr5CbKvaBvJ+49\r\n7OlzJjaq1H+M7aOAPKaf/hyewEHIr+W1EQIDAQAB\r\n-----END RSA PUBLIC KEY-----\r\nThe encrypted data is archived into a file named archive4.zip and uploaded to the C2 FTP server using credentials that are obfuscated and embedded in the stager.\r\nC2 communication\r\nThe LucidRook stager communicates with the abused FTP servers both to upload the collected system information and to download the Lua bytecode payload that it then executes, which gives the actor remote code execution on the host.\r\nFTP servers with publicly exposed credentials\r\nLucidRook uses plaintext FTP for both staging and exfiltration.
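Because the sessions are plaintext, the control channel can be reconstructed from a packet capture or a proxy log and matched against the pattern the report describes. The Python below is an added example written for this page, not Talos or Snort code: it parses a constructed two-session transcript (both the implant’s commands and the server’s replies, with placeholder credentials and a host in the 192.0.2.0/24 documentation range) and reports the credentials, data-channel endpoint, transfers and their outcomes, flagging the upload-then-fetch pattern and the two file names the report gives as indicators.

```python
import re

# Constructed control-channel transcript of the exchange the report describes
# (C: = implant, S: = server). Credentials, host and ports are placeholders in the
# 192.0.2.0/24 documentation range; only the file names are the report's IOCs.
SESSION_UPLOAD = '''
C: USER printshop-upload
S: 331 Password required
C: PASS Secret1
S: 230 Logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: STOR archive4.zip
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
'''
SESSION_FETCH = '''
C: USER printshop-upload
S: 331 Password required
C: PASS Secret1
S: 230 Logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,81)
C: RETR archive1.zip
S: 550 archive1.zip: No such file
C: QUIT
S: 221 Goodbye
'''

IOC_UPLOAD_NAME = 'archive4.zip'     # exfiltrated host information
IOC_PAYLOAD_NAME = 'archive1.zip'    # staged Lua bytecode payload

PASV_REPLY = re.compile('227 .*?[(]([0-9]+),([0-9]+),([0-9]+),([0-9]+),([0-9]+),([0-9]+)[)]')


def parse_session(transcript: str) -> dict:
    '''Reduce one control-channel session to the facts worth recording: who logged
    in (the password is visible because FTP is plaintext), whether TYPE I was set,
    where the data channel went, and the outcome of each STOR/RETR.'''
    info = {'user': None, 'password': None, 'binary': False,
            'data_endpoint': None, 'transfers': []}
    pending = None                         # STOR/RETR still awaiting its final reply
    for raw in transcript.strip().splitlines():
        side, _, line = raw.partition(': ')
        if side == 'C':
            verb, _, arg = line.partition(' ')
            verb = verb.upper()
            if verb == 'USER':
                info['user'] = arg
            elif verb == 'PASS':
                info['password'] = arg
            elif verb == 'TYPE' and arg.upper() == 'I':
                info['binary'] = True
            elif verb in ('STOR', 'RETR'):
                pending = {'verb': verb, 'name': arg, 'status': None}
                info['transfers'].append(pending)
        elif side == 'S':
            m = PASV_REPLY.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                info['data_endpoint'] = ('%d.%d.%d.%d' % (h1, h2, h3, h4), p1 * 256 + p2)
            elif pending is not None and line[:1] in ('2', '3', '4', '5'):
                # 1xx replies are preliminary; 2xx completes, 4xx/5xx fails the transfer
                pending['status'] = 'ok' if line.startswith('2') else 'failed'
                pending = None
    return info


def assess(sessions: list) -> dict:
    '''Flag the staging pattern: a binary-mode upload and a download attempt of the
    staged payload over separate sessions that reuse one set of credentials.'''
    creds = sorted({(s['user'], s['password']) for s in sessions})
    uploads = [t['name'] for s in sessions for t in s['transfers'] if t['verb'] == 'STOR']
    downloads = [t['name'] for s in sessions for t in s['transfers'] if t['verb'] == 'RETR']
    return {
        'credentials': creds,
        'uploads': uploads,
        'downloads': downloads,
        'ioc_hit': IOC_UPLOAD_NAME in uploads or IOC_PAYLOAD_NAME in downloads,
        'stage_and_fetch': bool(uploads) and bool(downloads) and len(creds) == 1,
    }
```

The password the parser recovers is the third party’s exposed FTP credential, not an attacker secret; it identifies which publicly listed account is being abused, which is what the server’s operator needs in order to rotate it.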
In the observed captures, the implant authenticates with embedded credentials, switches to binary mode (TYPE I), enters passive mode (PASV), and uploads the exfiltrated information as an archive named archive4.zip via STOR before closing the session. It then establishes a second FTP session and attempts to retrieve archive1.zip (the payload) via RETR.\r\nFigure 15. Communication with C2 server.\r\nThe LucidRook samples connect to C2 infrastructure that abuses FTP servers with exposed credentials to retrieve staged payloads. Talos identified two such C2 servers, both located in Taiwan and operated by printing companies. Initially, it was unclear why the threat actor selected this infrastructure; further investigation revealed that both companies publicly listed FTP credentials on their official websites as part of a “file uploading service”. We observed that this practice is common among local printing companies, and it effectively creates a pool of publicly accessible infrastructure that threat actors can repurpose as low-cost C2 staging servers. Because the servers belong to uninvolved third parties, traffic to them is only suspicious in combination with the file names and session pattern above, and the operators should be notified so that the exposed credentials can be rotated.\r\nStealthy payload protections\r\nBesides the encryption of the exfiltrated data described above, the threat actor also protects the downloaded payload. The LucidRook sample Talos obtained (edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809) uses the password ?.aX$p8dpiP$+4a$x?=0LC=M\u003e^\u003ef6N]a to decrypt the archive when it is protected and requires that an index.bin file be present within the ZIP archive. After decryption, it uses a different RSA private key (DER hash 7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33), embedded and encrypted inside the malware, to decrypt the payload.
The corresponding public key (DER hash a42ad963c53f2e0794e7cd0c3632cc75b98f131c3ffceb8f2f740241c097214a) for this private key is:\r\n-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQ9deG1+FiOgxT2eX78n\r\n3Ni/PmrV/V6iuf+bc+ii+9wD6Pyc7QyicaZODr2YlKifwJabJuDsIcANRIQGBLf2\r\n8j0yG3x25rP4XTnavTyPB6s+fJgNebmB9Hhgx3AY25ufJvNAelnmXnPn/xp6tZ/V\r\nkup72tiwKWeBVJOZYW3qYno4n5hffdNqTFIgUZDDLhqa+nT1gD6LZ6W/BidIM70O\r\ngn2h8ppc8aKc893FkfvNYwhgubiDFv9rgvSVvxt0uTVERtBsCyAScD1MMvswEyK6\r\nLrgnyTz7KwOv5wyPfE3BPs8lpMQIyi/jcIIroyk9uLarfV/XIbgTOqEYf5/9bDSs\r\niQIDAQAB\r\n-----END PUBLIC KEY-----\r\nDuring the investigation, Talos obtained a payload from a private source that matched the index.bin file structure. However, the password from the LucidRook sample we obtained was not able to decrypt the archive. We also obtained another version of the payload from the FTP C2 server, but it contains four files that do not match the version of the LucidRook sample we analyzed, as shown in Figure 16.\r\nFigure 16. The files inside the downloaded payload file.\r\nBased on this information, we suspect that the threat actor generates different payloads with different sets of passwords for different targets, even though they share the same C2 server. The files inside the payload also suggest that the stager can load different modules for different capabilities.\r\nLucidPawn dropper\r\nThe LucidPawn dropper shares several traits with LucidRook: the same COM DLL masquerade (a DllGetClassObject export used purely as an entry point), the same string obfuscation scheme, and Rust-compiled code.\r\nLeveraging an OAST service\r\nUpon execution, the LucidPawn dropper sends a DNS request for the domain “D.2fcc7078.digimg[.]store”. The domain “digimg[.]store” redirects to “dnslog[.]ink”, a public Chinese Out-of-band Application Security Testing (OAST) service.
It is widely used by security researchers, penetration testers, and threat actors to verify network connectivity and vulnerability exploitation. By using this service, the LucidRook operators receive confirmation that the dropper ran on a victim host without setting up their own infrastructure. It is worth noting that the same service domain has been leveraged in other targeted campaigns; however, because the service is publicly accessible and can be used by any threat actor, Talos avoids making attribution based solely on this linkage.\r\nGeo-targeting anti-analysis\r\nLucidPawn implements a geo-targeting execution gate by querying the host’s Windows UI language via the GetUserDefaultUILanguage() API. Execution continues only when the system UI language matches the Traditional Chinese environments associated with Taiwan.\r\nThe implementation ANDs the returned LANGID with 0xF7FF, which clears bit 0x0800, and compares the result against 0x0404 (zh-TW). Only 0x0404 (zh-TW) and 0x0C04 (zh-HK) normalize to 0x0404 and satisfy the check; other Chinese variants and every other language fail. As a result, the sample exits early on most analysis sandboxes, which commonly use 0x0409 (en-US). This control reduces exposure by limiting execution to the intended victim geography and suppressing behavior in common analyst environments; to detonate the sample, an analyst has to set the sandbox UI language to zh-TW or patch the comparison.\r\nFigure 17. Code for geo-targeting anti-analysis.\r\nThe LucidKnight reconnaissance tool\r\nWhile hunting for additional LucidPawn samples, we identified a variant of LucidPawn (d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964). This sample shares the same geo-targeting anti-analysis logic observed in the other samples used to deliver LucidRook.
Compared with the LucidPawn samples associated with LucidRook delivery, however, this variant omits the callback to the OAST domain and functions solely as a dropper, deploying the reconnaissance tool LucidKnight (aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1) after execution.\r\nLike the other malware in the Lucid family, LucidKnight is a 64-bit Windows DLL that contains embedded Rust-compiled components implementing various functions. The malware also uses a string obfuscation scheme similar to those observed in LucidPawn and LucidRook to conceal its C2 configuration.\r\nUpon execution, LucidKnight collects system information including the computer name, OS version, processor architecture, CPU usage, running processes, and installed software. The collected data are written to four TXT files, encrypted with an embedded RSA public key, and packaged into a password-protected ZIP archive named archive.zip using the password xZh\u003e1\u003c{Km1YD3[V\u003ex]X\u003e=1u(Da)Y=N\u003eu.
The embedded RSA public key (DER hash 852a80470536cb1fdab1a04d831923616bf00c77320a6b4656e80fc3cc722a66) is shown below:\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMIIBCgKCAQEAuvXyx+rPGjS/bI6cvl8LIVVatwD6JU19EvJPlBWlmPqVm/se+3QS\r\n9av+X8PFgwoGXJZTEanAY4JhOMXKYSbErwrLktbEY2tFi7w3/WyPPcB6/I6zD2yU\r\nMqcoqy1Z3+4CsLz4D/LZtOst4alSGOgTDeKtrWKHCyigFvndfds4pdCy78KBRtQb\r\nkV3UUlKQZm/37tP0CPXkKwxQ1n/+DTh265gRaVrhr4+VUagNmYta1faMLsvM8O3F\r\nLu2tQiOxeSZC21z6V3kcifYiBLT0khx11JqD3jTfA41OcngZfwWYHbitDBZF7rpL\r\n26ZSitNxMAq1O6DrXzI5wdVn0fZgSXNEbwIDAQAB\r\n-----END RSA PUBLIC KEY-----\r\nUnlike LucidRook, which uploads collected system information to an abused FTP server, LucidKnight exfiltrates reconnaissance data via email using the embedded Rust lettre crate, which provides SMTP message creation and delivery functionality.\r\nSpecifically, the malware constructs an email with the Traditional Chinese subject “運動資訊平台” (“Sports Information Platform”) and includes the collected data as a MIME attachment. It then resolves “smtp.gmail.com”, authenticates to the Gmail account “fexopuboriw972@gmail.com” with an embedded application key, and sends the data to the temporary email address “crimsonanabel@powerscrews.com”.
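Each key in this report is identified by a DER hash that names neither the digest nor the encoding, and the PEM blocks appear in two forms: RSA PUBLIC KEY is a PKCS#1 RSAPublicKey, PUBLIC KEY is an X.509 SubjectPublicKeyInfo, and the DER bytes of the two forms hash differently. The Python below is an added example written for this page, not Talos code: using only the standard library it converts between the two forms and hashes both, so a key pulled from another sample can be matched against a published value whichever form it is in. It embeds the LucidKnight key above and the LucidRook payload key from the earlier section, copied from this report; the LucidRook exfiltration key can be dropped in the same way.

```python
import base64
import hashlib

# SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }: the AlgorithmIdentifier
# that SubjectPublicKeyInfo wraps around an RSAPublicKey.
RSA_ALGID = bytes.fromhex('300d06092a864886f70d0101010500')

# Both forms the report prints, copied from it: LucidKnight's exfiltration key
# (RSA PUBLIC KEY, PKCS#1) and LucidRook's payload public key (PUBLIC KEY, SPKI).
KEY_LUCIDKNIGHT_EXFIL = '''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuvXyx+rPGjS/bI6cvl8LIVVatwD6JU19EvJPlBWlmPqVm/se+3QS
9av+X8PFgwoGXJZTEanAY4JhOMXKYSbErwrLktbEY2tFi7w3/WyPPcB6/I6zD2yU
Mqcoqy1Z3+4CsLz4D/LZtOst4alSGOgTDeKtrWKHCyigFvndfds4pdCy78KBRtQb
kV3UUlKQZm/37tP0CPXkKwxQ1n/+DTh265gRaVrhr4+VUagNmYta1faMLsvM8O3F
Lu2tQiOxeSZC21z6V3kcifYiBLT0khx11JqD3jTfA41OcngZfwWYHbitDBZF7rpL
26ZSitNxMAq1O6DrXzI5wdVn0fZgSXNEbwIDAQAB
-----END RSA PUBLIC KEY-----
'''
KEY_LUCIDROOK_PAYLOAD = '''
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQ9deG1+FiOgxT2eX78n
3Ni/PmrV/V6iuf+bc+ii+9wD6Pyc7QyicaZODr2YlKifwJabJuDsIcANRIQGBLf2
8j0yG3x25rP4XTnavTyPB6s+fJgNebmB9Hhgx3AY25ufJvNAelnmXnPn/xp6tZ/V
kup72tiwKWeBVJOZYW3qYno4n5hffdNqTFIgUZDDLhqa+nT1gD6LZ6W/BidIM70O
gn2h8ppc8aKc893FkfvNYwhgubiDFv9rgvSVvxt0uTVERtBsCyAScD1MMvswEyK6
LrgnyTz7KwOv5wyPfE3BPs8lpMQIyi/jcIIroyk9uLarfV/XIbgTOqEYf5/9bDSs
iQIDAQAB
-----END PUBLIC KEY-----
'''

def pem_to_der(pem: str):
    '''(label, DER bytes) of a single PEM block.'''
    lines = [l.strip() for l in pem.strip().splitlines()]
    label = lines[0].replace('-----BEGIN ', '').replace('-----', '')
    body = ''.join(l for l in lines[1:] if not l.startswith('-----'))
    return label, base64.b64decode(body)

def der_len(n: int) -> bytes:
    '''DER length: short form below 0x80, else 0x80|count followed by big-endian bytes.'''
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    '''Minimal DER reader: (tag, content, position after the element).'''
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], 'big')
        pos += count
    return tag, buf[pos:pos + length], pos + length

def pkcs1_to_spki(pkcs1: bytes) -> bytes:
    '''Wrap RSAPublicKey in SubjectPublicKeyInfo (BIT STRING with 0 unused bits).'''
    return der_tlv(0x30, RSA_ALGID + der_tlv(0x03, bytes([0]) + pkcs1))

def spki_to_pkcs1(spki: bytes) -> bytes:
    '''Unwrap SubjectPublicKeyInfo; rejects anything that is not an RSA key.'''
    tag, content, _ = read_tlv(spki, 0)
    _, alg, pos = read_tlv(content, 0)
    if tag != 0x30 or der_tlv(0x30, alg) != RSA_ALGID:
        raise ValueError('not an rsaEncryption SubjectPublicKeyInfo')
    bs_tag, bits, _ = read_tlv(content, pos)
    if bs_tag != 0x03 or bits[:1] != bytes([0]):
        raise ValueError('malformed subjectPublicKey BIT STRING')
    return bits[1:]

def rsa_params(pkcs1: bytes):
    '''(modulus bit length, public exponent) from RSAPublicKey ::= SEQUENCE { n, e }.'''
    _, seq, _ = read_tlv(pkcs1, 0)
    _, n_bytes, pos = read_tlv(seq, 0)
    _, e_bytes, _ = read_tlv(seq, pos)
    return int.from_bytes(n_bytes, 'big').bit_length(), int.from_bytes(e_bytes, 'big')

def key_fingerprints(pem: str) -> dict:
    '''Normalise to both encodings and SHA-256 each (the published DER hashes are
    64 hex digits, i.e. 256 bits), so a recovered key can be compared with a
    published value whichever encoding that value was computed over.'''
    label, der = pem_to_der(pem)
    if label == 'RSA PUBLIC KEY':
        pkcs1, spki = der, pkcs1_to_spki(der)
    elif label == 'PUBLIC KEY':
        spki, pkcs1 = der, spki_to_pkcs1(der)
    else:
        raise ValueError('unsupported PEM label: ' + label)
    bits, exponent = rsa_params(pkcs1)
    return {'modulus_bits': bits, 'exponent': exponent,
            'sha256_pkcs1': hashlib.sha256(pkcs1).hexdigest(),
            'sha256_spki': hashlib.sha256(spki).hexdigest()}

def spki_pem_body(pem: str) -> str:
    '''Base64 body of the PUBLIC KEY form, whichever form was supplied.'''
    label, der = pem_to_der(pem)
    return base64.b64encode(der if label == 'PUBLIC KEY' else pkcs1_to_spki(der)).decode('ascii')
```

When comparing against a published value, hash the encoding that value was computed over: the two digests of one key differ, and a 2048-bit RSA key with exponent 65537 in both forms is what the parser should report for every key in this report.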
The following email shows an example of the content crafted by LucidKnight:\r\nFrom: fexopuboriw972@gmail.com\r\nTo: crimsonanabel@powerscrews.com\r\nSubject: =?utf-8?b?6YGL5YuV6LOH6KiK5bmz5Y+w?=\r\nMIME-Version: 1.0\r\nDate: Tue, 17 Feb 2026 02:05:49 +0000\r\nContent-Type: multipart/mixed;\r\n boundary=\"vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd\"\r\n--vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n5oKo6KqN54K65Y+w54Gj55uu5YmN5Zyo6Jed5paH5rC457qM55m85bGV55qE5pS/562W5LiK5pyJ\r\n5ZOq5Lqb5YW36auU55qE5oiQ5Yqf5qGI5L6L5oiW5YC85b6X5pS56YCy55qE5Zyw5pa577yf\r\n--vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd\r\nContent-Type: application/zip\r\nContent-Disposition: attachment; filename=\"archive.zip\"\r\nContent-Transfer-Encoding: base64\r\nUEsDBDMAAQBjALgQUVwEOkfvkhkAAHEZAAAFAAsAMS50eHQBmQcAAQBBRQMIAEF/fb/F6o3HptX3\r\n(redacted)\r\nFigure 18. Email sent by LucidKnight malware with collected data attached.\r\nThe base64 text part decodes to the Traditional Chinese sentence “您認為台灣目前在藝文永續發展的政策上有哪些具體的成功案例或值得改進的地方？” (“In your view, what concrete success stories or areas for improvement are there in Taiwan’s current policy on the sustainable development of arts and culture?”), a generic question unrelated to the attached data. The attachment’s encoded local file header shows a ZIP whose first member is 1.txt, deflated and protected with WinZip AES-256 (compression method 99 with a 0x9901 extra field) rather than legacy ZipCrypto, so the known-plaintext attacks that work against ZipCrypto do not apply.\r\nThe discovery of LucidKnight suggests that the actor maintains a modular toolkit and may select components based on the operational context of each target, rather than deploying a fixed infection chain. LucidKnight may be used independently when lightweight reconnaissance is sufficient, or as a precursor to assess targets before committing the more complex LucidRook stager.\r\nThe bottom line\r\nBased on the tactics, techniques, and procedures (TTPs) and the level of engineering investment observed across these infection chains, we assess with medium confidence that this activity reflects a targeted intrusion rather than broad, opportunistic malware distribution.
Delivery via spear-phishing, combined with LucidRook’s design, suggests a capable threat actor prioritizing flexibility, stealth, and victim-specific tasking.\r\nAlthough Talos has not yet found a decryptable Lua bytecode payload executed by LucidRook, we are publishing these findings to make early detection possible and to encourage community sharing, with the goal of uncovering additional indicators that may support stronger clustering and attribution in the future.\r\nCoverage\r\nThe following ClamAV signatures detect and block this threat:\r\nWin.Backdoor.LucidRook-10059729-0\r\nLnk.Tool.UAT-10362-10059730-0\r\nWin.Dropper.UAT-10362-10059731-0\r\nWin.Tool.CobaltStrike-10059732-0\r\nThe following SNORT® rules cover this threat:\r\nSnort2 Rules: 66108, 66109, 66110, 66111\r\nSnort3 Rules: 301447, 301448\r\nIndicators of compromise (IOCs)\r\nIOCs for this research can also be found at our GitHub repository here.\r\nd49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a (malicious 7z)\r\nadf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143 (malicious archive)\r\nb480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d (forged EXE dropper that drops LucidRook)\r\nc2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc (forged EXE dropper that drops LucidRook)\r\n6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9 (LucidPawn, DismCore.dll)\r\nbdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d (LucidPawn dropper, DismCore.dll)\r\nf279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839 (malicious LNK)\r\n166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d (malicious LNK)\r\n11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae (LucidRook stager, DismCore.dll)\r\nedb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809 (LucidRook stager, DismCore.dll)\r\n0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34 (LucidRook stager, DismCore.dll)\r\nd8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964 (LucidPawn dropper dropping LucidKnight)\r\naa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1 (LucidKnight, DismCore.dll)\r\nfd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056 (archive1.zip downloaded from C2)\r\n1.34.253[.]131 (abused FTP server)\r\n59.124.71[.]242 (abused FTP server)\r\nD.2fcc7078.digimg[.]store (DNS beaconing domain)\r\nfexopuboriw972@gmail.com\r\ncrimsonanabel@powerscrews.com\r\nSource: https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/"
	],
	"report_names": [
		"new-lua-based-malware-lucidrook"
	],
	"threat_actors": [
		{
			"id": "83156a75-2a0c-4622-8ca7-859b2fb6e428",
			"created_at": "2026-04-17T02:00:03.804789Z",
			"updated_at": "2026-04-18T02:00:04.272257Z",
			"deleted_at": null,
			"main_name": "UAT-10362",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-10362",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776392399,
	"ts_updated_at": 1776478912,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17608bf096dbd05dcf7e1a974ed004bec966ad13.pdf",
		"text": "https://archive.orkl.eu/17608bf096dbd05dcf7e1a974ed004bec966ad13.txt",
		"img": "https://archive.orkl.eu/17608bf096dbd05dcf7e1a974ed004bec966ad13.jpg"
	}
}