Cisco Talos identified a sophisticated malware family called LucidRook, delivered via spear-phishing campaigns targeting Taiwanese NGOs and universities. LucidRook acts as a stager that embeds a Lua interpreter and Rust-compiled libraries within a DLL to execute staged Lua bytecode payloads. The dropper 'LucidPawn' employs region-specific anti-analysis checks and executes only in Traditional Chinese language environments. Two infection chains were observed. They involved malicious LNK/EXE files disguised as antivirus software and relied on compromised FTP servers and out-of-band application security testing (OAST) services for C2 infrastructure.