LucidRook: Fake Security Software Targets Taiwan

Cisco Talos researchers have uncovered a sophisticated malware campaign in Taiwan that uses fake security software to deliver LucidRook, a newly identified malware family. The operation, attributed to a threat group tracked as UT, demonstrates advanced deception and layered engineering designed to compromise NGOs and universities.

Infection Chain

  • Delivery method: Spearphishing emails with shortened URLs leading to password-protected archives.
  • Decoy content: Government-issued letters to universities in Traditional Chinese, adding credibility.
  • Dropper (LucidPan): Disguised as a Trend Micro security product, complete with forged icon and name.
  • Execution: Exploits DLL search order hijacking by dropping DismCore.dll (LucidRook stager) alongside legitimate binaries.
  • Persistence: LNK file in Windows Startup folder impersonates Microsoft Edge to blend into normal activity.

LucidRook Malware

  • Architecture: Lua-based stager embedding a Lua interpreter with Rust-compiled libraries inside a Windows DLL.
  • Reconnaissance: Collects usernames, computer names, drive details, processes, and installed software.
  • Data handling: Stores information in encrypted files (1.bin, 2.bin, 3.bin) packaged with RSA keys.
  • Exfiltration: Uses compromised FTP servers belonging to Taiwanese printing companies.
  • Evasion: Employs non-standard safe mode, disables dynamic library loading, and obfuscates strings with parallel lookup tables.

Companion Tools

  • LucidNight: Reconnaissance tool likely used to profile targets before full deployment.
  • LucidPan: Dropper disguised as legitimate security software.

This tiered toolkit suggests a targeted intrusion campaign rather than opportunistic malware spreading.

Defensive Guidance

Organizations in Taiwan and beyond should:

  • Apply strict email filtering to block spearphishing attempts.
  • Monitor for DLL sideloading activity and suspicious processes in %APPDATA%.
  • Secure FTP servers to prevent credential exposure.
  • Deploy Snort detection rules released by Cisco Talos for LucidRook, LucidPan, and LucidNight.
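The second and third bullets above can be turned into simple host-telemetry checks. The following Python is an added example, not code from the Cisco Talos report or from any vendor product: it runs two heuristics over a constructed list of file-creation events (path plus, for shortcuts, the resolved target) of the kind an EDR or Sysmon pipeline would emit. The first flags a DLL such as the DismCore.dll named on the page when it is written into a user-writable directory that also receives an executable, the classic sideloading layout; the second flags a Startup-folder .lnk whose target lives in a user-writable location rather than an installed program directory, which is how an "Edge" shortcut pointing back into %APPDATA% would surface. The directory names, the hosting executable name and the shortcut targets are constructed; the set of user-writable markers is an assumption to tune per environment.

```python
from collections import defaultdict

# Constructed file-creation events as (path, lnk_target). lnk_target is the
# resolved shortcut target for .lnk files and None for everything else.
# These are sample values for the example, not captured telemetry.
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\AppData\\Roaming\\TrendMicro\\hosting_app.exe", None),
    ("C:\\Users\\alice\\AppData\\Roaming\\TrendMicro\\DismCore.dll", None),
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft Edge.lnk",
     "C:\\Users\\alice\\AppData\\Roaming\\TrendMicro\\hosting_app.exe"),
    ("C:\\Program Files\\ExampleVendor\\helper.dll", None),
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Sync.lnk",
     "C:\\Program Files\\ExampleVendor\\Sync.exe"),
]

# Assumed markers for directories a standard user can write to; extend per environment.
USER_WRITABLE = ("/appdata/", "/temp/", "/downloads/", "/public/")
# Path fragment shared by per-user and all-users Startup folders.
STARTUP_MARKER = "/start menu/programs/startup/"


def norm(path):
    """Normalise a Windows path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def sideload_candidates(events):
    """Return DLLs written to a user-writable directory that also received an .exe.

    A DLL dropped next to a legitimate binary in a user-writable folder is the
    layout DLL search-order hijacking relies on, so each such DLL is reported.
    """
    by_dir = defaultdict(list)
    for path, _ in events:
        n = norm(path)
        if any(marker in n for marker in USER_WRITABLE):
            directory, name = n.rsplit("/", 1)
            by_dir[directory].append((name, path))
    flagged = []
    for files in by_dir.values():
        if any(name.endswith(".exe") for name, _ in files):
            flagged.extend(original for name, original in files if name.endswith(".dll"))
    return flagged


def suspicious_startup_lnks(events):
    """Return (lnk_path, target) for Startup shortcuts targeting user-writable locations.

    Installed software normally points Startup shortcuts at Program Files or a
    system directory; a target under %APPDATA% or %TEMP% deserves review
    regardless of the friendly name the shortcut carries.
    """
    flagged = []
    for path, target in events:
        n = norm(path)
        if STARTUP_MARKER in n and n.endswith(".lnk") and target:
            if any(marker in norm(target) for marker in USER_WRITABLE):
                flagged.append((path, target))
    return flagged


if __name__ == "__main__":
    for dll in sideload_candidates(SAMPLE_EVENTS):
        print("possible sideload DLL:", dll)
    for lnk, target in suspicious_startup_lnks(SAMPLE_EVENTS):
        print("suspicious Startup shortcut:", lnk, "->", target)
```

Both heuristics are deliberately coarse: a software installer that unpacks into %APPDATA% will trip the first one, so in practice the output is a triage queue that is then narrowed with signer information and process lineage, not an alert on its own.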

Final Thought

LucidRook exemplifies the next generation of malware deception: blending into trusted security software, using government-themed lures, and layering reconnaissance with advanced obfuscation. For defenders, the lesson is clear — trust nothing at face value, and prioritize visibility into application-level behavior to catch threats that masquerade as legitimate tools.
