Hackers Use Fake Security Software to Deliver LucidRook Malware in Taiwan Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A newly identified malware called LucidRook has been spotted targeting organizations across Taiwan, hiding inside what appears to be legitimate security software.

The attackers went out of their way to make it look convincingly real, forging the icon and application name of a well-known cybersecurity product to trick victims into running it.

The campaign focuses on Taiwanese non-governmental organizations and suspected universities. Attackers used spearphishing emails containing shortened URLs that led to password-protected compressed archives.

One of the decoy documents inside the archive was an official letter issued by the Taiwanese government to universities — a lure that added credibility to the attack.

The email and all decoy materials were written in Traditional Chinese, suggesting the campaign was deliberately aimed at a Taiwanese audience.

Cisco Talos researchers uncovered the activity after spotting a cluster of attacks attributed to a threat group tracked as UT.

The group was observed running spearphishing campaigns against Taiwanese NGOs and suspected universities to deliver LucidRook, malware that stands out for its Lua-based architecture and layered design.

The discovery revealed that LucidRook is a sophisticated stager embedding a Lua interpreter alongside Rust-compiled libraries within a Windows DLL.

What separates this campaign from typical malware distribution is the level of effort put into both deception and engineering. Alongside LucidRook, researchers also identified a companion reconnaissance tool named LucidNight.

Its presence suggests the threat actor operates a tiered toolkit, likely using LucidNight to profile targets before committing to a full malware deployment.

Cisco Talos assesses with medium confidence that this activity reflects a targeted intrusion rather than opportunistic malware spreading.

The infection begins with a spearphishing email guiding the victim to download a password-protected archive. The dropper — dubbed LucidPan — disguises itself as a Trend Micro security product, complete with a forged icon and application name.

It also drops decoy documents, including a government-issued letter sent to Taiwanese universities, to keep the victim distracted while the malicious chain executes silently in the background.

Infection Mechanism and Persistence

Once on the system, LucidPan abuses a legitimate Windows binary associated with the Deployment Image Servicing and Management framework.

LNK-based infection chain (Source – Cisco Talos)

It relies on DLL sideloading (search-order hijacking): DismCore.dll, the LucidRook stager, is dropped into a hidden directory alongside the legitimate DISM host executable, renamed index.exe. When the victim clicks the disguised LNK file, it launches index.exe, which resolves DismCore.dll from its own directory and loads the malicious copy instead of the genuine library.

LNK with Substituted Icon in Archive (Source – Cisco Talos)

Persistence is established through an LNK file placed in the Windows Startup folder. Once the binaries are dropped it launches a file named msedge.exe, impersonating Microsoft Edge so the startup entry blends into normal system activity. The stager is written to %APPDATA% and keeps the DismCore.dll name, so the sideload still works while the host's filename avoids raising immediate suspicion.

LNK Target Metadata (Source – Cisco Talos)

Before reaching out to its command-and-control infrastructure, LucidRook gathers the username, computer name, drive details, running processes, and installed software.

This data is written to three encrypted files, 1.bin, 2.bin and 3.bin, which are packaged into a password-protected archive; the encryption uses RSA keys.

The stager then communicates with compromised FTP servers operated by Taiwanese printing companies whose credentials were publicly listed on their websites, uploading the collected data and retrieving an encrypted Lua bytecode payload.

To further harden itself against analysis, LucidRook runs its Lua interpreter in a non-standard "safe mode" that disables dynamic library loading, and it conceals embedded strings at runtime with an obfuscation scheme that resolves them through a parallel lookup table.

Cisco Talos has published indicators of compromise on its GitHub repository to help defenders identify this threat.

Organizations are advised to apply strict email filtering to catch spearphishing attempts, monitor for unusual DLL sideloading (for example, DismCore.dll loaded from outside the Windows directory) and for processes launched from %APPDATA%, secure FTP servers so that credentials are not exposed, and deploy the Snort detection rules released by Cisco Talos covering LucidRook, LucidPan, and related components.
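The two host-based indicators above (a sideloaded DismCore.dll and an Edge-named process running out of %APPDATA%) are easy to express as detection logic. The script below is an added example written for this article, not code from Cisco Talos or from the malware; the event records are constructed in a simplified Sysmon-like shape (event 1 = process create, event 7 = image load), and the field names, paths and rule names are assumptions for the example rather than any vendor's schema.

```python
"""Hunt rules for the LucidPan/LucidRook sideload chain over sample telemetry."""
import ntpath
import re

# Constructed sample events (not real telemetry). Fields are assumptions:
# "image" is the process path, "loaded" the DLL path for image-load events.
SAMPLE_EVENTS = [
    # Benign: the genuine DISM host loading the genuine DismCore.dll.
    {"event": 1, "image": r"C:\Windows\System32\Dism.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": 7, "image": r"C:\Windows\System32\Dism.exe",
     "loaded": r"C:\Windows\System32\Dism\DismCore.dll"},
    # Suspicious: renamed DISM host (index.exe) sideloading DismCore.dll from AppData.
    {"event": 1, "image": r"C:\Users\u\AppData\Roaming\Updater\index.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": 7, "image": r"C:\Users\u\AppData\Roaming\Updater\index.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\Updater\DismCore.dll"},
    # Suspicious: an "msedge.exe" that does not live in the Edge install directory.
    {"event": 1, "image": r"C:\Users\u\AppData\Roaming\Updater\msedge.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Benign: the real Edge binary.
    {"event": 1,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

WINDOWS_DIR = r"C:\Windows"
# Default Edge install locations (assumption: adjust for your estate).
TRUSTED_EDGE_DIRS = (
    r"C:\Program Files\Microsoft\Edge\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)


def is_under(path, prefix):
    """Case-insensitive check that `path` sits beneath directory `prefix`."""
    return path.lower().startswith(prefix.lower().rstrip("\\") + "\\")


def check_event(ev):
    """Return a list of (rule, path) findings for a single event."""
    findings = []
    if ev["event"] == 7:
        loaded = ev["loaded"]
        # DismCore.dll has no business being loaded from outside C:\Windows.
        if (ntpath.basename(loaded).lower() == "dismcore.dll"
                and not is_under(loaded, WINDOWS_DIR)):
            findings.append(("dismcore_sideload", loaded))
    elif ev["event"] == 1:
        image = ev["image"]
        name = ntpath.basename(image).lower()
        # A process named msedge.exe outside the Edge install dirs is impersonation.
        if name == "msedge.exe" and not any(
                is_under(image, d) for d in TRUSTED_EDGE_DIRS):
            findings.append(("fake_msedge", image))
        # Any executable started from %APPDATA% (Roaming) is worth a look.
        if re.search(r"\\appdata\\roaming\\", image, re.IGNORECASE):
            findings.append(("appdata_process", image))
    return findings


def scan(events):
    """Run every rule over a list of events and collect the findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule:20} {path}")
```

Running the script flags the AppData index.exe launch, the DismCore.dll sideload, and the fake msedge.exe (twice, once for impersonation and once for its %APPDATA% location), while the genuine Dism.exe and Edge events stay silent. In production the same rules translate directly into a SIEM query over process-creation and image-load events; tune the trusted Edge paths and decide whether the %APPDATA% rule needs an allowlist for legitimate per-user installers.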
