New Lua-based Malware “LucidRook” Observed in Targeted Attacks Against Taiwanese Organizations

    Date: 04/09/2026

    Severity: Medium

    Summary

    A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments. Accompanied by tools like LucidKnight for reconnaissance and data exfiltration via Gmail, the campaign leverages stealthy techniques, compromised infrastructure, and multi-stage infection chains, indicating a mature and well-resourced threat actor.

    Indicators of Compromise (IOC) List

    Domains/URLs

    d.2fcc7078.digimg.store 

    IP Addresses

    1.34.253.131 

    59.124.71.242

    SHA-256 Hashes (the 14 file hashes are listed in full in Detection Query 3 below)


    Email Addresses

    fexopuboriw972@gmail.com

    crimsonanabel@powerscrews.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "d.2fcc7078.digimg.store" or url like "d.2fcc7078.digimg.store" or siteurl like "d.2fcc7078.digimg.store"

    Detection Query 2:

    dstipaddress IN ("59.124.71.242","1.34.253.131") or srcipaddress IN ("59.124.71.242","1.34.253.131")

    Detection Query 3:

    sha256hash IN ("edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809","c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc","d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964","d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a","b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d","bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d","f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839","adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143","6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9","166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d","11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae","0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34","aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1","fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056")

    Detection Query 4:

    sender in ("fexopuboriw972@gmail.com","crimsonanabel@powerscrews.com") or recipient in ("fexopuboriw972@gmail.com","crimsonanabel@powerscrews.com") or from in ("fexopuboriw972@gmail.com","crimsonanabel@powerscrews.com")
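    The four queries above, re-expressed as a plain-Python matcher that can be run over exported log records when no TDIR console is at hand. This is an added example, not the advisory's or Gurucul's code; the record field names follow the queries, the `like` clause is treated as a substring match, and the sample records are constructed for this example.

```python
# Added example (not the advisory's or Gurucul's code): the four TDIR queries
# above expressed as a plain-Python IOC matcher for exported log records.
# Field names follow the queries; the sample records below are constructed.

IOC_DOMAINS = {"d.2fcc7078.digimg.store"}
IOC_IPS = {"59.124.71.242", "1.34.253.131"}
# Two of the 14 SHA-256 hashes from Query 3; the rest are added the same way.
IOC_SHA256 = {
    "edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809",
    "c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc",
}
IOC_EMAILS = {"fexopuboriw972@gmail.com", "crimsonanabel@powerscrews.com"}

# (query number, fields it inspects, indicator set, substring match?)
QUERIES = (
    (1, ("domainname", "url", "siteurl"), IOC_DOMAINS, True),  # LIKE: substring
    (2, ("dstipaddress", "srcipaddress"), IOC_IPS, False),     # IN: exact
    (3, ("sha256hash",), IOC_SHA256, False),
    (4, ("sender", "recipient", "from"), IOC_EMAILS, False),
)


def match_record(record):
    """Return (query_number, field, indicator) hits for one record dict.
    Values are lowercased so hex-case or mixed-case URLs do not hide a hit."""
    hits = []
    for qnum, fields, iocs, substring in QUERIES:
        for field in fields:
            value = str(record.get(field, "")).strip().lower()
            for ioc in iocs:
                if (ioc in value) if substring else (ioc == value):
                    hits.append((qnum, field, ioc))
    return hits


def scan(records):
    """Return [(record, hits)] for every record that matched at least one query."""
    return [(r, h) for r in records if (h := match_record(r))]


# Constructed sample records: proxy, firewall, EDR (upper-case hash), mail, benign.
SAMPLE_RECORDS = [
    {"url": "https://d.2fcc7078.digimg.store/update", "srcipaddress": "10.0.0.5"},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "59.124.71.242"},
    {"sha256hash": "EDB25FED9DF8E9A517188F609B9D1A030682C701C01C0D1B5CE79CBA9F7AC809"},
    {"sender": "fexopuboriw972@gmail.com", "recipient": "user@example.org"},
    {"url": "https://example.org/", "dstipaddress": "93.184.216.34"},
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_RECORDS):
        print(hits, rec)
```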

    Reference:

    https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/

