New Lua-based malware LucidRook observed in targeted attacks against Taiwanese organizations
Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities.
AI Analysis
Technical Summary
LucidRook is a newly identified Lua-based malware stager that Cisco Talos observed in spear-phishing attacks against Taiwanese organizations, including a Taiwanese NGO targeted in October 2025. Email metadata indicates the messages were sent through authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities rather than a forged origin. LucidRook belongs to a family that also includes LucidPawn and LucidKnight and is associated with the Immortal stealer. The published indicators consist of 18 SHA-256 file hashes, two IP addresses and two domains (listed below). The report does not indicate exploitation of a software vulnerability; this is a targeted campaign that relies on social engineering.
Potential Impact
The impact is targeted compromise of Taiwanese organizations through spear-phishing that delivers the LucidRook stager. A successful infection gives the operators a foothold for follow-on activity associated with the family, including data theft via the Immortal stealer. There are no reports of widespread exploitation or automated attacks. Because the messages traverse legitimate mail infrastructure, sender-authentication checks (SPF, DKIM, DMARC) may pass, which weakens their value as a standalone detection signal and complicates both detection and mitigation.
Mitigation Recommendations
No patch applies: this is malware delivered by spear-phishing, not exploitation of a vulnerability, and the referenced Talos report neither provides an official fix nor marks the issue as requiring no action. Mitigation therefore rests on email and endpoint controls. Block and retrospectively hunt for the indicators listed below (file hashes on endpoints; the IP addresses and domains in DNS, proxy and mail-gateway logs). Validate email sources by examining the Received chain and Authentication-Results header rather than trusting a passing SPF/DKIM/DMARC result on its own, since the campaign abused authorized sending infrastructure. Alert on misuse of the organization's own authorized mail infrastructure (unexpected sending accounts, volumes or recipients), and train users to recognize spear-phishing. Because LucidRook is Lua-based, endpoint telemetry showing Lua code or a Lua runtime executed from a mail client, download or attachment context also merits investigation.
Affected Countries
Taiwan
Indicators of Compromise
- hash: 0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34
- hash: 11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae
- hash: 166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d
- hash: 6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9
- hash: 7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33
- hash: 852a80470536cb1fdab1a04d831923616bf00c77320a6b4656e80fc3cc722a66
- hash: a42ad963c53f2e0794e7cd0c3632cc75b98f131c3ffceb8f2f740241c097214a
- hash: aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1
- hash: ab72813444207dba5429cf498c6ffbc69e1bd665d8007561d0973246fa7f8175
- hash: adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143
- hash: b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d
- hash: bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d
- hash: c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc
- hash: d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a
- hash: d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964
- hash: edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809
- hash: f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839
- hash: fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056
- ip: 1.34.253.131
- ip: 59.124.71.242
- domain: powerscrews.com
- domain: d.2fcc7078.digimg.store
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/
- Adversary: not specified
- Pulse Id: 69d65cbe07a5f680cde16920
- Threat Score: not specified
Threat ID: 69d683e41cc7ad14da8df5e3
Added to database: 4/8/2026, 4:35:48 PM
Last enriched: 4/8/2026, 4:50:48 PM
Last updated: 4/9/2026, 7:42:55 AM