New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
ID: c87d9809-73e3-5d44-9d9c-78bf7a9f4e43
STIX ID: report--c87d9809-73e3-5d44-9d9c-78bf7a9f4e43
Feed Name: Cisco Talos
Cisco Talos identified a targeted spear-phishing campaign (tracked as UAT-10362) against Taiwanese NGOs and universities that delivered a modular stager family (LucidRook) and companion tools (LucidPawn, LucidKnight). The malware is a sophisticated Windows DLL stager that embeds a Lua 5.4.8 interpreter and Rust-compiled libraries; it uses region-specific anti-analysis checks, abuses publicly exposed FTP services for C2 and staging, exfiltrates reconnaissance data over FTP or Gmail, and employs layered obfuscation and encryption. The report includes technical analysis, IOCs, and detection signatures.
