
LucidRook Lua Malware Delivered via Phishing Targets Taiwanese NGOs and Universities

LucidRook, a Lua‑based malware, was distributed through spear‑phishing emails containing password‑protected RAR archives. The campaign, linked to the UAT‑10362 threat group, targeted NGOs and universities in Taiwan, using legitimate Windows tools for stealthy execution and persistence.

🛡️ LiveThreat™ Intelligence · 📅 April 10, 2026 · 📰 securityaffairs.com

🟠 Severity: High
🔍 Type: ThreatIntel
🎯 Confidence: High
🏢 Affected: 2 sector(s)
Actions: 4 recommended
📰 Source: securityaffairs.com


What Happened – A Lua‑written malware family named LucidRook was used in spear‑phishing campaigns against non‑profits and higher‑education institutions in Taiwan. The attacks leveraged password‑protected RAR archives sent from apparently legitimate mail servers, with the decryption password disclosed in the email body. Two infection chains were observed: a LNK‑based dropper that abuses PowerShell and DLL sideloading via the signed DISM binary, and a .NET EXE dropper that decodes Base64 payloads and also uses DISM for sideloading.

Why It Matters for TPRM

  • Attackers exploit trusted email infrastructure, making detection harder for third‑party vendors that provide email services.
  • Use of legitimate Windows utilities (DISM, PowerShell) demonstrates a “living‑off‑the‑land” technique that can bypass traditional endpoint controls.
  • Compromise of NGOs and universities may expose sensitive research data, donor information, and intellectual property, raising supply‑chain risk for partners that rely on these institutions.

Who Is Affected – Education & research institutions, non‑governmental organizations, and any third‑party service providers that host or process their data (e.g., cloud storage, collaboration platforms).

Recommended Actions

  • Verify that email service providers enforce DMARC, SPF, and DKIM and monitor for anomalous outbound mail.
  • Harden endpoint defenses: block execution of unsigned LNK files from user directories, enforce application control policies for DISM and PowerShell scripts.
  • Conduct phishing awareness training focused on password‑protected archive attachments and shortened URLs.
  • Review incident response playbooks for “living‑off‑the‑land” malware and ensure logs from email gateways and endpoint telemetry are retained.

Technical Notes

  • Attack vector: Spear‑phishing with password‑protected RAR archives; shortened URLs to download payloads.
  • Malware stages: LucidPawn dropper → DISM sideloading → LucidRook stager. Two delivery mechanisms (LNK shortcut, .NET EXE).
  • Persistence: Malicious LNK placed in the Startup folder.
  • Tools abused: PowerShell, DISM (signed Windows binary), LOLBAS techniques.
  • Indicators: Shortened URLs, password‑protected RAR archives, DLL sideloading via DISM, LNK files in user Startup.
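To turn the technical notes above into something a SOC can run, here is an added Python example (not from the brief or from Security Affairs) that applies the described behaviours as hunting rules over constructed Sysmon-style events. The event field names, user paths, shortcut and DLL names are placeholders, not indicators from the campaign.

```python
"""Hunt Sysmon-style telemetry for the chain in the brief: LNK persistence in Startup,
PowerShell launched from a shortcut, and DLL sideloading via the signed DISM binary."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Hidden window, encoded command or execution-policy bypass switches typical of LNK launchers.
PS_FLAGS_RE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc(odedcommand)?)?\s|(ep|executionpolicy)\s+bypass)", re.IGNORECASE)

# Constructed sample events (assumed Sysmon IDs: 1 = process create, 7 = image load, 11 = file create).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\Dism.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "dism.exe /online /get-features"},                                   # benign admin use
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\Update\Dism.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "Dism.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\Update\Dism.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Update\helper.dll", "signed": False},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -w hidden -ep bypass -f stage.ps1"},
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 11, "target": r"C:\Users\alice\Desktop\report.lnk"},                     # benign shortcut
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def _in_system_dir(path):
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS

def hunt(events):
    """Return (event_index, reason) for each event matching one of the brief's TTPs."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("image", "")
        if ev["id"] == 1 and _name(image) == "dism.exe" and not _in_system_dir(image):
            hits.append((i, "dism.exe running outside the system directory (sideload staging)"))
        elif (ev["id"] == 1 and _name(image) == "powershell.exe"
              and _name(ev.get("parent", "")) == "explorer.exe" and PS_FLAGS_RE.search(ev.get("cmdline", ""))):
            hits.append((i, "hidden/bypass PowerShell spawned by explorer.exe (shortcut-style launch)"))
        elif ev["id"] == 7 and _name(image) == "dism.exe" and (not ev.get("signed", True) or not _in_system_dir(ev["loaded"])):
            hits.append((i, "DISM loaded an unsigned or non-system DLL (sideloading)"))
        elif ev["id"] == 11 and ev["target"].lower().endswith(".lnk") and STARTUP_RE.search(ev["target"]):
            hits.append((i, "LNK written to a user Startup folder (persistence)"))
    return hits

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Benign DISM use from System32 and a shortcut on the Desktop are deliberately left unflagged so the rules can be tuned against normal administrative noise.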

Source: Security Affairs – UAT‑10362 linked to LucidRook attacks targeting Taiwan‑based institutions

📰 Original Source
https://securityaffairs.com/190598/security/uat-10362-linked-to-lucidrook-attacks-targeting-taiwan-based-institutions.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
