Cisco Talos researchers tracked a new Lua-based modular backdoor called LucidRook used in October 2025 spear-phishing campaigns against NGOs and universities in Taiwan. The attacks, attributed to the threat group UAT-10362, used password-protected archives and dual infection chains that sideloaded LucidRook via a LucidPawn dropper while leveraging Lua bytecode for flexible, stealthy payload updates. #LucidRook #UAT-10362
Keypoints
- LucidRook is a modular backdoor embedding a Lua execution environment to run second-stage payloads as Lua bytecode.
- Cisco Talos attributes the campaign to UAT-10362, which demonstrates mature operational tradecraft.
- Observed attacks in October 2025 used password-protected phishing archives and two infection chains: an LNK-based dropper and a fake Trend Micro AV executable.
- The LNK chain deployed decoy documents mimicking Taiwanese government correspondence to distract targets.
- Collected reconnaissance is RSA-encrypted, packed into password-protected archives, and exfiltrated over FTP or Gmail SMTP by a related tool called LucidKnight.
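Because LucidRook stages its second-stage payloads as precompiled Lua bytecode, a quick triage question is whether a suspicious file or memory dump carries embedded luac chunks at all. The scanner below is an added example written for this page, not Talos's tooling and not LucidRook's own format; it relies only on the public Lua 5.1 to 5.4 bytecode header layout (the `\x1bLua` signature, version and format bytes, the `LUAC_DATA` tail, and the `LUAC_INT`/`LUAC_NUM` sanity constants) and validates each candidate header so a stray `\x1bLua` string is not reported. The carrier blob it scans is constructed inline for illustration.

```python
import struct
from typing import Dict, List, Optional

LUA_SIGNATURE = b"\x1bLua"          # LUA_SIGNATURE from lua.h, start of every luac chunk
LUAC_DATA = b"\x19\x93\r\n\x1a\n"    # LUAC_TAIL (5.2) / LUAC_DATA (5.3, 5.4) corruption check
LUAC_INT = 0x5678                    # LUAC_INT sanity value written after the sizes (5.3, 5.4)
LUAC_NUM = 370.5                     # LUAC_NUM sanity value written after LUAC_INT (5.3, 5.4)


def _check_header(blob: bytes, off: int) -> Optional[str]:
    """Return the Lua version ("5.1".."5.4") if a plausible luac header starts at off, else None."""
    hdr = blob[off:off + 40]                 # the longest header inspected here is 33 bytes
    if len(hdr) < 12 or hdr[5] != 0:         # LUAC_FORMAT is 0 for every 5.x release
        return None
    ver = hdr[4]
    if ver in (0x51, 0x52):
        # 5.1/5.2: endianness, sizeof(int), sizeof(size_t), sizeof(Instruction),
        # sizeof(lua_Number), integral flag; 5.2 then appends LUAC_TAIL
        endian, sz_int, sz_sizet, sz_instr, sz_num, integral = hdr[6:12]
        if endian not in (0, 1) or integral not in (0, 1):
            return None
        if sz_int not in (4, 8) or sz_sizet not in (4, 8) or sz_instr != 4 or sz_num not in (4, 8):
            return None
        if ver == 0x52 and hdr[12:18] != LUAC_DATA:
            return None
        return "5.1" if ver == 0x51 else "5.2"
    if ver in (0x53, 0x54):
        if hdr[6:12] != LUAC_DATA:
            return None
        # 5.3 stores five size bytes, 5.4 three; lua_Integer and lua_Number are always the last two
        nsizes = 5 if ver == 0x53 else 3
        sizes = hdr[12:12 + nsizes]
        if len(sizes) < nsizes:
            return None
        sz_integer, sz_number = sizes[-2], sizes[-1]
        if sz_integer not in (4, 8) or sz_number not in (4, 8):
            return None
        p = 12 + nsizes
        raw_int = hdr[p:p + sz_integer]
        raw_num = hdr[p + sz_integer:p + sz_integer + sz_number]
        if len(raw_num) < sz_number:
            return None
        # Endianness is not encoded in 5.3+, so accept either byte order
        for bo in ("<", ">"):
            ifmt = bo + ("q" if sz_integer == 8 else "i")
            nfmt = bo + ("d" if sz_number == 8 else "f")
            if (struct.unpack(ifmt, raw_int)[0] == LUAC_INT
                    and struct.unpack(nfmt, raw_num)[0] == LUAC_NUM):
                return "5.3" if ver == 0x53 else "5.4"
        return None
    return None


def find_lua_chunks(blob: bytes) -> List[Dict[str, object]]:
    """Locate every validated precompiled Lua chunk in blob; returns offset and version per hit."""
    hits: List[Dict[str, object]] = []
    off = blob.find(LUA_SIGNATURE)
    while off != -1:
        ver = _check_header(blob, off)
        if ver:
            hits.append({"offset": off, "version": ver})
        off = blob.find(LUA_SIGNATURE, off + 1)
    return hits


def build_sample_blob() -> bytes:
    """Constructed sample carrier (not a real LucidRook artifact): filler, a Lua 5.4 header,
    filler, a Lua 5.1 header, and a decoy '\\x1bLua' string with a bogus version byte."""
    lua54 = (LUA_SIGNATURE + bytes([0x54, 0x00]) + LUAC_DATA + bytes([4, 8, 8])
             + struct.pack("<q", LUAC_INT) + struct.pack("<d", LUAC_NUM))
    lua51 = LUA_SIGNATURE + bytes([0x51, 0x00, 1, 4, 8, 4, 8, 0])
    decoy = LUA_SIGNATURE + bytes([0x99, 0x00]) + b"\x00" * 20
    return b"MZ" + b"\x90" * 30 + lua54 + b"\x00" * 17 + lua51 + b"\xcc" * 9 + decoy


if __name__ == "__main__":
    for hit in find_lua_chunks(build_sample_blob()):
        print(f"luac chunk at offset {hit['offset']}: Lua {hit['version']}")
```

Run it over a dropped file or a process memory dump; a hit at a non-zero offset inside a PE or archive member is the cue to carve the chunk and hand it to a Lua disassembler. The header check also rejects the common false positive of the four-byte signature appearing in unrelated data, which matters when hunting across large file sets.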