LucidRook Malware Delivered by Fake Security Software in Taiwan

Sarah simpson
April 9, 2026 4 Min Read

Key Takeaways

  • A new, sophisticated malware, LucidRook, is actively targeting organizations in Taiwan.
  • Attackers are using highly convincing fake security software and spearphishing tactics to deliver the malware.
  • The campaign primarily targets Taiwanese non-governmental organizations (NGOs) and universities.
  • LucidRook utilizes a Lua-based stager and a reconnaissance tool, LucidNight, indicating a deliberate, tiered attack strategy.

Sophisticated LucidRook Malware Targets Taiwanese Entities via Fake Security Software

A recently identified malware strain, dubbed LucidRook, is actively being deployed against organizations across Taiwan. According to a detailed analysis by Cisco Talos, the threat actors embed this malware inside what appears to be legitimate security software, relying on that deception to get victims to run it.

The attackers have meticulously crafted their malicious payload to mimic well-known cybersecurity products. This includes forging application icons and names to enhance credibility and trick unsuspecting victims into executing the malware. The sophisticated nature of the campaign points to a highly organized and targeted operation.

Targeted Spearphishing Campaign

The campaign specifically targets Taiwanese non-governmental organizations and academic institutions, primarily universities. Attackers initiate the compromise chain through spearphishing emails containing shortened URLs. These URLs direct recipients to password-protected compressed archives, a common tactic to bypass email security filters.

Inside these archives, victims find highly credible decoy documents. One notable example is an official letter purportedly issued by the Taiwanese government to universities, a lure designed to significantly increase the perceived legitimacy of the malicious package.

All communication, including the spearphishing emails and the decoy materials, is written in Traditional Chinese. This linguistic specificity strongly suggests that the campaign is meticulously localized and deliberately aimed at a Taiwanese audience.

Cisco Talos Uncovers the Threat

Researchers at Cisco Talos were instrumental in uncovering this activity, identifying a cluster of attacks attributed to a threat group tracked as “UT.” The group’s spearphishing efforts against Taiwanese NGOs and universities were specifically designed to deliver LucidRook. This malware is distinguished by its Lua-based architecture and a multi-layered design, showcasing a high level of technical sophistication.

The investigation revealed LucidRook as a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a Windows DLL. This complex engineering allows for flexible and evasive execution on compromised systems.

Beyond LucidRook, researchers also identified a companion reconnaissance tool named LucidNight. The presence of LucidNight indicates a tiered toolkit, suggesting that threat actors likely use it to profile targets and gather intelligence before initiating a full-scale LucidRook deployment. Cisco Talos assesses with medium confidence that this activity represents a targeted intrusion rather than an opportunistic malware distribution.

Infection Mechanism and Persistence

The infection process begins when a victim opens a spearphishing email and downloads a password-protected archive. The dropper, named LucidPan, is disguised as a legitimate Trend Micro security product, complete with a forged icon and application name. LucidPan also drops decoy documents, such as the government-issued letter mentioned earlier, to distract the victim while the malicious payload executes silently in the background.

Once on the system, LucidPan abuses a legitimate Windows binary associated with the Deployment Image Servicing and Management (DISM) framework. It relies on DLL search order hijacking: a malicious DLL named DismCore.dll (the LucidRook stager) is dropped into a hidden directory next to the legitimate executable, index.exe, so that the executable resolves and loads the attacker's copy instead of the system one. When the victim clicks the disguised LNK file, index.exe runs and loads the malicious DismCore.dll.

Persistence is achieved by placing an LNK file in the Windows Startup folder. This LNK file launches msedge.exe after the malicious binaries are dropped, impersonating Microsoft Edge to blend in with normal system operations. The stager itself is written to the %APPDATA% directory, with DismCore.dll also disguised within this location to avoid immediate detection.

Before establishing communication with its command-and-control (C2) infrastructure, LucidRook meticulously gathers system information. This includes the username, computer name, drive details, a list of running processes, and installed software. This collected data is then stored in three encrypted files—1.bin, 2.bin, and 3.bin—which are subsequently packaged into a password-protected archive using RSA keys.

The stager then communicates with compromised FTP servers, which belong to Taiwanese printing companies whose credentials were publicly accessible on their websites. It uploads the collected data and retrieves an encrypted Lua bytecode payload. To further complicate analysis, LucidRook employs a non-standard safe mode that disables dynamic library loading and utilizes a sophisticated string obfuscation scheme, employing a parallel lookup table to conceal embedded strings during runtime.

What You Should Do

  • Enhance Email Security: Implement robust email filtering solutions to detect and block spearphishing attempts, especially those containing shortened URLs or password-protected archives.
  • User Awareness Training: Conduct regular training for employees and students on identifying sophisticated phishing schemes, social engineering tactics, and the dangers of opening suspicious attachments or links.
  • Monitor for Anomalous Activity: Continuously monitor for unusual DLL sideloading events and processes launched from the %APPDATA% directory, as these are indicators of compromise.
  • Secure FTP Servers: Review and secure all FTP servers, ensuring that credentials are not publicly exposed and that strong authentication measures are in place.
  • Deploy Detection Rules: Implement and regularly update Snort detection rules released by Cisco Talos for LucidRook, LucidPan, and related components to identify and block malicious network activity.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to gain visibility into endpoint activities and detect suspicious behaviors that may indicate malware execution.
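The infection chain described above (index.exe loading a planted DismCore.dll from %APPDATA%, a Startup-folder LNK that launches msedge.exe) and the "Monitor for Anomalous Activity" recommendation both come down to a few host-telemetry checks. The following is an added example, not code from the article or from Cisco Talos: it runs those checks over constructed Sysmon-style events (Image, ImageLoaded, TargetFilename field names follow Sysmon; the ".cache" directory, user name and LNK name are invented).

```python
"""Hunt for the LucidPan/LucidRook sideload chain in Sysmon-style events.
Field names follow Sysmon (Image, ImageLoaded, TargetFilename); sample data is constructed."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_ONLY_DLLS = {"dismcore.dll"}  # loaded from a system dir on a healthy host
EDGE_DIR = "\\microsoft\\edge\\application\\"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def flag_event(ev: dict) -> list[str]:
    """Return detection strings for one event; an empty list means nothing fired."""
    hits, eid = [], ev["EventID"]
    if eid == 7:  # ImageLoad: system DLL outside a system dir, or any DLL from AppData
        dll = ev["ImageLoaded"]
        if PureWindowsPath(dll).name.lower() in SYSTEM_ONLY_DLLS and not in_system_dir(dll):
            hits.append(f"sideload: {dll} loaded by {ev['Image']}")
        elif "\\appdata\\" in dll.lower():
            hits.append(f"dll from AppData: {dll}")
    elif eid == 1:  # ProcessCreate: execution from AppData, or msedge.exe outside Edge's dir
        image = ev["Image"]
        if "\\appdata\\" in image.lower():
            hits.append(f"process from AppData: {image}")
        if PureWindowsPath(image).name.lower() == "msedge.exe" and EDGE_DIR not in image.lower():
            hits.append(f"msedge.exe outside Edge install dir: {image}")
    elif eid == 11:  # FileCreate: LNK written into the per-user Startup folder
        target = ev["TargetFilename"]
        if STARTUP_DIR in target.lower() and target.lower().endswith(".lnk"):
            hits.append(f"startup LNK dropped: {target} by {ev['Image']}")
    return hits

def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that fired."""
    return {i: f for i, ev in enumerate(events) if (f := flag_event(ev))}

# Constructed sample telemetry; the ".cache" directory and user name are invented.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\DismCore.dll"},  # benign
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\.cache\index.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\.cache\index.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\.cache\DismCore.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\.cache\index.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Edge.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},  # benign
]
```

Running hunt(SAMPLE_EVENTS) flags events 1, 2 and 3 (execution from AppData, the DismCore.dll sideload, and the Startup LNK) while the genuine DISM load and the real Edge launch stay silent; in production the same three checks map onto Sysmon event IDs 1, 7 and 11 or the equivalent EDR telemetry.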
