
Hackers Spread LucidRook Malware via Fake Security Software in Taiwan Cyber Attacks : Advanced Malware Threat Alert

By xploitzone
April 9, 2026 10:54 PM

Cisco Talos has discovered a new and dangerous malware family called LucidRook that is targeting NGOs and universities in Taiwan. Hackers delivered this malware disguised as genuine security software like Trend Micro. Find out the full story, technical structure and real purpose of this sophisticated cyberattack.

Rising Cyber Threats Against Taiwan

Taiwan is among the countries facing the most cyber attacks today. According to Taiwan's National Security Bureau, in 2025 an average of 2.63 million cyber intrusion attempts were made from China on Taiwan’s critical infrastructure every day. This is no small thing: more than 26 lakh (2.6 million) hacker attacks every day. The energy sector, hospitals, telecom, government agencies: nothing is safe.

But the new and dangerous series of attacks that has emerged in 2026 is far more sophisticated than before. Cisco Talos, the world’s largest cybersecurity intelligence team, has uncovered a brand-new malware family they have named LucidRook. And the way this malware was delivered makes this campaign incredibly dangerous.

Malware Hidden Behind Security Software

Imagine a doctor giving you poison in a bottle with a medicine label. This is what was done in the LucidRook campaign. Hackers disguised their malware as Trend Micro Worry-Free Business Security Services. This is a genuine and popular security product that is widely used in Taiwan. When a common user or IT professional sees this file, the first thought that comes to their mind is that it is a legitimate security tool. This trust was exploited.

This malware was delivered as a password-protected 7-Zip archive named Cleanup (密碼:33665512).7z, i.e. an archive whose filename is partly in Chinese (密碼 means "password") and carries its own password. When the user opened this archive, they found Cleanup.exe inside, which used the icon and application name of Trend Micro. But researchers from Cisco Talos noticed something else: the compilation timestamp of this file was 2065, i.e. a date which has not yet come. This was done deliberately so that automated security tools would get confused and not be able to determine the actual age of this file.

Image (Source – Cisco Talos)

The Beginning When and How It Started

Cisco Talos first observed a spear-phishing attack in October 2025 targeting a Taiwanese NGO. Spear phishing means that it was not a general email blast sent to thousands of people but rather a carefully crafted email specifically designed for the NGO's employees. The email was sent through legitimate mail infrastructure, meaning the hackers misused a legitimate email sending service so the email could pass through spam filters and reach the recipients' inboxes.

Image (Source – Cisco Talos)

The email contained a shortened URL. When the user clicked on the link, a password-protected encrypted RAR archive was downloaded, and the password for the archive was written in the email body itself. This technique is used so that encrypted archives evade antivirus scanners. Providing the password in the email requires the user to manually open the archive, adding a layer of human involvement that bypasses automated detection.

Image (Source – Cisco Talos)

Also within this archive was a decoy document: a copy of a genuine government letter sent by the Taiwanese government to universities, containing instructions regarding administrative rules for teachers. This decoy document was genuine; its original version was also available on the official Taiwanese government website. The purpose of this trick was to make the target believe they had just downloaded a government document while malware was silently being installed in the background.

LucidPawn The Gateway to Malware

When the infected archive was opened, the first stage began, which Cisco Talos named LucidPawn. LucidPawn is basically a dropper: its job is to install LucidRook on the system. But it is not a straightforward installer. LucidPawn uses a very clever technique called DLL Search Order Hijacking.

Image (Source – Cisco Talos)

When the Windows operating system runs a program, it searches for DLL files in a specific order. Hackers take advantage of this behavior and place their malicious DLL file in the place where Windows looks first. This makes Windows load the malicious file naturally and without any warning, because it thinks it is a legitimate system file. LucidPawn did exactly this. They placed their malicious file named DismCore.dll in the location where the original file of the Windows Deployment Image Servicing and Management (DISM) tool should have been.
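The three file-level indicators described so far (the password embedded in the archive name, the 2065 compile timestamp in Cleanup.exe, and DismCore.dll sitting somewhere other than its system location) can be checked mechanically. The triage helpers below are an added example, not code from Cisco Talos or from this post; the expected DismCore.dll directory and the minimal constructed PE header used as sample input are assumptions.

```python
"""Triage checks for the delivery-chain indicators described in this post (added example)."""
import re
import struct
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Archive names carrying their own password, e.g. "Cleanup (密碼:33665512).7z" (密碼 = password).
PASSWORD_IN_NAME = re.compile(r"密碼\s*[:：]\s*\S+")

# Assumed legitimate home of DismCore.dll; Windows ships it under System32\Dism.
EXPECTED_DISMCORE_DIR = PureWindowsPath(r"C:\Windows\System32\Dism")

def archive_name_suspicious(name: str) -> bool:
    """True when the archive filename embeds its own extraction password."""
    return bool(PASSWORD_IN_NAME.search(name))

def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def timestamp_in_future(data: bytes, now=None) -> bool:
    """Flag a compile timestamp later than 'now' (Cleanup.exe claimed 2065)."""
    now = now or datetime.now(timezone.utc)
    return pe_timestamp(data) > now

def dll_out_of_place(path: str) -> bool:
    """Flag DismCore.dll anywhere except its expected system directory (search-order hijack)."""
    p = PureWindowsPath(path)
    return p.name.lower() == "dismcore.dll" and p.parent != EXPECTED_DISMCORE_DIR

def fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for testing; not a real or malicious binary."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(hdr) + b"PE\0\0" + coff
```

Run `pe_timestamp` against a real `.exe` by passing the first few hundred bytes of the file; `fake_pe(2997993600)` builds a header dated 2065-01-01 UTC to mirror the reported sample.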

Image (Source – Cisco Talos)

The most striking feature of LucidPawn is that it has a geo-targeting anti-analysis check. Meaning this malware checks whether the language setting of the target system is Traditional Chinese which is specifically used in Taiwan. If the language setting of the system is not Traditional Chinese, the malware does not execute.

Image (Source – Cisco Talos)

This is proof of extraordinary precision. Hackers designed this malware specifically for Taiwan, with so much care that it works only on Taiwanese systems. If a security researcher runs this file in a sandbox in any other country, it behaves benignly or does nothing at all, so analysis yields nothing.

LucidRook The Most Dangerous Stage

Once LucidPawn has finished its work, LucidRook enters the scene. And this is where technical sophistication reaches a new level. LucidRook is a stager, meaning it is not the final payload itself but rather an intermediate tool that downloads and executes further malware. But the technical architecture of this stager is so advanced that Cisco Talos researchers have called it mature operational tradecraft.

LucidRook has a full Lua interpreter embedded within it. Lua is a programming language commonly used in game development; games like World of Warcraft use Lua for their plugins. Hackers chose Lua because it is lightweight, easily embeddable, and not typically flagged by security tools. LucidRook also contains libraries written in the Rust programming language.

Rust is a modern, high-performance language known for its memory safety; using it gave the hackers both performance and detection evasion. All of this was packaged within a DLL file that was injected into a legitimate service process on Windows.

LucidRook's job was to download Lua bytecode payloads from C2 servers and execute them. Bytecode means that the malware's actual instructions are encoded rather than directly readable code, making analysis and detection even more difficult. Cisco Talos has not yet been able to obtain any decryptable Lua bytecode payloads, but they have published these findings for early detection.

LucidKnight The Stealthy Surveillance Agent

During the investigation of LucidRook, Cisco Talos discovered another tool called LucidKnight. It is a reconnaissance tool, meaning its job is to gather information about the target system. And for this purpose LucidKnight used a method that sounds surprising: Gmail. Hackers configured LucidKnight in such a way that it sent the stolen system information to them via Gmail.

Image (Source – Cisco Talos)

This is both brilliant and dangerous because Gmail is a widely trusted service. Many organizations don’t block Gmail traffic in their firewalls and network filters; after all, Gmail is a legitimate service. Thus, stolen data would have left the organization’s network hidden in Gmail's encrypted traffic without raising any alarm.

The existence of LucidKnight also suggests that the hackers operate a tiered toolkit: first profile the target with LucidKnight to see what is valuable on the system, and then, if the target warrants it, deploy the full LucidRook stager. This is a measured, calculated approach that doesn’t waste resources.

Image (Source – Cisco Talos)

Command and Control Infrastructure

Hackers used two methods to build their C2 (Command and Control) infrastructure. The first was to misuse OAST (Out-of-band Application Security Testing) services. These are legitimate developer tools used for network testing, but the hackers used them for communication between the malware and its operators. The second method was to use already compromised FTP servers.

The hackers used FTP servers that someone else had already compromised as their relay stations. This makes attribution difficult because the traffic appears to come from a normal server.

This combination of OAST services and compromised third-party servers is an advanced evasion strategy. If security teams analyze network traffic, they may not find this traffic suspicious because it is not coming from known bad IP addresses. Attackers effectively hide themselves in others infrastructure.

UAT-10362 Explained: Who Is Behind the Threat?

Cisco Talos has tracked this campaign as UAT-10362. This is an unattributed threat actor, meaning Talos has not yet publicly blamed any specific country or group. But a few things point in a clear direction. Targets are exclusively Taiwanese NGOs and universities.

Language checks are specifically for Taiwanese Traditional Chinese. Decoy documents are from the Taiwanese government. In 2025, China’s cyber attacks on Taiwan increased by 900 percent. All of this paints a clearer picture, but official attribution is still pending.

The sophistication of this campaign – multilingual malware (Lua + Rust + .NET), geo-targeted anti-analysis, Gmail-based exfiltration, DLL hijacking – bears all the hallmarks of a state-level or state-sponsored threat actor. Ordinary cybercriminals don’t invest this many resources in targeting NGOs and universities. NGOs and universities generally hold sensitive political information, foreign policy discussions, and research data – exactly the things that are valuable to a nation-state.

What Makes This Attack Unique?

Many cyberattacks are opportunistic. Hackers cast a wide net and catch whoever falls into it. The LucidRook campaign is the exact opposite. It's a surgical strike. The malware only runs on Traditional Chinese systems. Decoy documents were created specifically for Taiwanese institutions.

The archive's name was in Chinese. Spear-phishing emails were carefully crafted for specific recipients. All of this means the hackers had deep knowledge of Taiwanese organizations and their internal processes: what documents they receive and what their IT infrastructure looks like.

The most alarming thing for security experts is that Cisco Talos has not yet been able to decrypt the final payload of this malware. Hackers have encrypted the Lua bytecode in such a way that researchers are unable to understand what happens in the final step: whether data is stolen, whether a backdoor is installed, whether ransomware is deployed. This uncertainty is itself a threat. We know that the enemy has entered, but we do not know what he is doing once inside.

The Larger Cyber Threat Landscape Facing Taiwan

Taiwan isn’t just a technology hub; it’s also geopolitically one of the world’s most sensitive regions. Taiwan Semiconductor Manufacturing Company (TSMC) makes more than 90 percent of the world's advanced chips, the chips that are in your phone, laptop, car and military hardware. Control of Taiwan means control of the global technology supply chain. This is why cyber attacks on Taiwan aren’t just a national problem; they are globally significant.

In 2025, China's cyber forces launched 2.63 million intrusion attempts daily against Taiwan. Attacks on the energy sector accounted for 900 percent of the total. Telecom networks were compromised. Hospitals were hit by ransomware. Now LucidRook has targeted NGOs and universities, organizations that are part of Taiwan’s civil society, foreign policy dialogue and academic research. This is a systematic effort to compromise every institution that supports Taiwan’s sovereignty and international standing.

How to protect yourself?

Protecting against this level of sophisticated attack is certainly difficult, but not impossible. First of all, it's important to verify archive files received in unsolicited email before opening them, even if they appear to be government documents. Password-protected archives should be treated with particular suspicion, as this is a common trick to evade antivirus scanning.

IT teams should closely monitor FTP traffic in their networks, especially to and from unexpected locations. Unusual traffic patterns flowing to and from Gmail and other email services should be flagged, as tools like LucidKnight exploit these channels for data exfiltration.

Organizations should be alert for suspicious DLL files, especially DismCore.dll appearing on systems with a Traditional Chinese language environment. And most importantly, don’t rely on a single defense layer. Email filtering, network monitoring, endpoint detection and user training all work together.
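The FTP and Gmail monitoring advice above can be turned into a concrete egress rule. The detector below is an added example, not part of this post or of Cisco Talos' published tooling; it assumes a simple key=value firewall log line and allowlists of internal mail servers and sanctioned FTP destinations, and runs over constructed sample lines.

```python
"""Flag egress patterns tied to the LucidRook toolset over firewall log lines (added example)."""
import re
from collections import defaultdict

# Assumed log format: "<ts> src=<ip> dst=<host-or-ip> dport=<port> bytes_out=<n>".
LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<out>\d+)")

GMAIL_SMTP = {"smtp.gmail.com"}   # LucidKnight-style exfiltration leaves via Gmail
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}

def parse(lines):
    """Yield (src, dst, dport, bytes_out) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["out"])

def find_suspicious(lines, mail_hosts=frozenset(), ftp_allow=frozenset(), gmail_bytes=1_000_000):
    """Return sorted (src, reason) findings.

    mail_hosts: internal hosts allowed to speak SMTP outward (assumed allowlist).
    ftp_allow:  sanctioned FTP destinations (assumed allowlist).
    gmail_bytes: outbound volume to Gmail SMTP per source that triggers a finding.
    """
    gmail_out = defaultdict(int)
    findings = set()
    for src, dst, dport, out in parse(lines):
        if dport in FTP_PORTS and dst not in ftp_allow:
            findings.add((src, f"ftp to unsanctioned host {dst}"))
        if dport in SMTP_PORTS and dst in GMAIL_SMTP:
            if src not in mail_hosts:
                findings.add((src, "smtp to gmail from non-mail host"))
            gmail_out[src] += out
    for src, total in gmail_out.items():
        if total >= gmail_bytes:
            findings.add((src, f"{total} bytes to gmail smtp"))
    return sorted(findings)

# Constructed sample lines (not real traffic): a mail server, a workstation, and an FTP client.
SAMPLE_LOG = [
    "2026-04-09T10:54:00Z src=10.0.0.25 dst=smtp.gmail.com dport=587 bytes_out=4096",
    "2026-04-09T10:55:10Z src=10.0.1.17 dst=smtp.gmail.com dport=465 bytes_out=900000",
    "2026-04-09T10:56:42Z src=10.0.1.17 dst=smtp.gmail.com dport=465 bytes_out=300000",
    "2026-04-09T10:57:03Z src=10.0.1.42 dst=198.51.100.7 dport=21 bytes_out=2048",
    "2026-04-09T10:58:00Z src=10.0.1.42 dst=ftp.example.org dport=21 bytes_out=512",
    "garbage line without fields",
]
```

Calling `find_suspicious(SAMPLE_LOG, mail_hosts={"10.0.0.25"}, ftp_allow={"ftp.example.org"})` reports the workstation twice (non-mail host, and 1,200,000 bytes to Gmail) and the FTP session to the unsanctioned host once.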

Final Thoughts

The LucidRook campaign is a reminder that the distinction between cyber warfare and traditional warfare is diminishing. The enemy no longer arrives with tanks and missiles; they arrive with a seemingly innocent email, a copy of a government document and hidden behind a security software logo.

Cisco Talos published these findings without yet identifying the final payload, which means they know something is going on but the full picture isn’t clear yet. This transparency is commendable, but it's also a door that remains open for hackers, for researchers and for governments who want to understand where and how the real war is being fought in the digital world.
