
New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

Why This Matters

The discovery of LucidRook, a Lua-based malware used in targeted attacks on NGOs and universities, shows how an established threat actor keeps refining its tooling. Its modular design, in which functionality is delivered as Lua bytecode rather than built into the binary, and its stealthy operation make it hard to catch with signature-based defenses and raise the bar for detection and response. The campaign is a reminder of the ongoing risk to organizations that hold sensitive data and of the need for proactive security measures.

Key Takeaways

A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan.

Cisco Talos researchers attribute the malware to a threat group tracked internally as UAT-10362, who they describe as a capable adversary "with mature operational tradecraft."

LucidRook was observed in attacks in October 2025 that relied on phishing emails carrying password-protected archives, a packaging choice that prevents mail gateways from inspecting the archive contents and leaves the recipient to open it manually.

The researchers identified two infection chains, one using an LNK shortcut file that ultimately delivered a malware dropper called LucidPawn, and an EXE-based chain that leveraged a fake antivirus executable impersonating Trend Micro Worry-Free Business Security Services.

The LNK-based attack employs decoy documents, such as official letters crafted to appear as if they originate from the Taiwanese government, so that the victim sees an expected document while the infection chain runs in the background.

[Figure: LNK-based attack chain. Source: Cisco Talos]

Cisco Talos observed that LucidPawn decrypts and deploys a legitimate executable renamed to mimic Microsoft Edge, along with a malicious DLL (DismCore.dll) that the executable loads from its own directory, sideloading LucidRook. Because the host executable is genuine, allow-listing by publisher signature or file hash alone will not catch this; the indicators are the renamed binary and the unexpected DLL sitting beside it.

LucidRook is notable for its modular design and built-in Lua execution environment, which allows it to retrieve and execute second-stage payloads as Lua bytecode.

This approach lets operators add or change functionality without modifying the core malware, and it limits forensic visibility, since investigators recover compiled bytecode rather than readable script. Extensive obfuscation of the code increases this stealth further.
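Because the second stage arrives as Lua bytecode, one practical triage step is to hunt for precompiled Lua chunks inside decrypted payloads, memory dumps or files dropped next to the renamed executable. The scanner below is an added example written for this article, not code from Cisco Talos or from LucidRook. It validates the standard Lua 5.1 to 5.4 chunk header (signature, version and format bytes, then the version-specific size fields and the LUAC_DATA/LUAC_INT/LUAC_NUM sanity values) rather than matching the four-byte signature alone, so ESC "Lua" appearing by chance in other data is not reported. The sample blob it scans is constructed here for illustration. One caveat the article's description implies: a malware-embedded interpreter can be patched to use a different signature or header, so a clean scan proves nothing on its own.

```python
"""Find precompiled Lua chunks in a byte blob by validating their headers.

Added example for this article; not Cisco Talos or LucidRook code.
Assumes the stock Lua chunk format. A customised interpreter may change the
signature or header layout, in which case this scanner finds nothing.
"""
import re
import struct

LUA_SIGNATURE = b"\x1bLua"          # ESC "Lua": start of every official chunk
LUAC_DATA = b"\x19\x93\r\n\x1a\n"   # corruption-detection bytes (5.2: tail, 5.3/5.4: after format)
LUAC_INT = 0x5678                   # 5.3/5.4: integer sanity value
LUAC_NUM = 370.5                    # 5.3/5.4: float sanity value


def _read_int(buf, p, size):
    """Decode LUAC_INT at buf[p:] trying both byte orders; return '<' or '>' or None."""
    fmt = {4: "i", 8: "q"}.get(size)
    if fmt is None or len(buf) < p + size:
        return None
    for endian in ("<", ">"):
        if struct.unpack(endian + fmt, buf[p:p + size])[0] == LUAC_INT:
            return endian
    return None


def _read_num(buf, p, size, endian):
    """Check that LUAC_NUM is encoded at buf[p:] with the given size and byte order."""
    fmt = {4: "f", 8: "d"}.get(size)
    if fmt is None or len(buf) < p + size:
        return False
    return struct.unpack(endian + fmt, buf[p:p + size])[0] == LUAC_NUM


def check_lua_header(buf, off=0):
    """Return a dict describing a valid Lua chunk header at buf[off:], else None."""
    if buf[off:off + 4] != LUA_SIGNATURE or len(buf) < off + 6:
        return None
    version, fmt = buf[off + 4], buf[off + 5]
    minor = version & 0x0F
    if version >> 4 != 5 or minor not in (1, 2, 3, 4):
        return None
    info = {"offset": off, "version": f"5.{minor}", "format": fmt}
    p = off + 6
    if minor in (1, 2):
        # 5.1/5.2: endianness, sizeof(int), sizeof(size_t), sizeof(Instruction),
        # sizeof(lua_Number), integral flag; 5.2 then appends LUAC_DATA as a tail
        if len(buf) < p + 6:
            return None
        endian, s_int, s_size, s_instr, s_num, integral = buf[p:p + 6]
        if (endian > 1 or s_int not in (4, 8) or s_size not in (4, 8)
                or s_instr != 4 or s_num not in (4, 8) or integral > 1):
            return None
        if minor == 2 and buf[p + 6:p + 12] != LUAC_DATA:
            return None
        info.update(little_endian=endian == 1, sizeof_size_t=s_size)
        return info
    # 5.3/5.4: LUAC_DATA, size bytes, then LUAC_INT and LUAC_NUM encoded natively
    if buf[p:p + 6] != LUAC_DATA:
        return None
    p += 6
    if minor == 3:
        if len(buf) < p + 5:
            return None
        s_int, s_size, s_instr, s_lint, s_lnum = buf[p:p + 5]
        p += 5
    else:
        if len(buf) < p + 3:
            return None
        s_instr, s_lint, s_lnum = buf[p:p + 3]
        p += 3
    if s_instr != 4:
        return None
    endian = _read_int(buf, p, s_lint)
    if endian is None or not _read_num(buf, p + s_lint, s_lnum, endian):
        return None
    info.update(little_endian=endian == "<", sizeof_lua_integer=s_lint,
                sizeof_lua_number=s_lnum)
    return info


def scan_for_lua_chunks(blob):
    """Return header info for every validated Lua chunk found in blob."""
    hits = []
    for m in re.finditer(re.escape(LUA_SIGNATURE), blob):
        info = check_lua_header(blob, m.start())
        if info:
            hits.append(info)
    return hits


# Constructed sample (not a real LucidRook payload): filler, a Lua 5.4 header,
# more filler, a Lua 5.1 header, then a decoy carrying the signature with an
# impossible version byte that must not be reported.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\x1bLua\x54\x00" + LUAC_DATA + bytes([4, 8, 8])
    + struct.pack("<q", LUAC_INT) + struct.pack("<d", LUAC_NUM) + b"\x01\x00" * 8
    + b"\xff" * 16
    + b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00" + b"\x00" * 8
    + b"\x1bLua\x60\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan_for_lua_chunks(SAMPLE):
        print(hit)
```

Run against a real artifact with `scan_for_lua_chunks(open(path, "rb").read())`; each hit gives the offset and interpreter version, which tells you which Lua decompiler or disassembler to reach for next.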
