Overview
- Cisco Talos, which analyzed intrusions from October 2025, says spear‑phishing with password‑protected archives hit NGOs and universities in Taiwan.
- One chain uses a PDF‑themed shortcut that launches the LucidPawn dropper and then side‑loads LucidRook through a trusted Windows program.
- A second chain impersonates Trend Micro security software, using a .NET dropper to side‑load LucidRook and show a bogus completion notice.
- The stager is a DLL that embeds a Lua 5.4.8 interpreter and Rust libraries, performs system recon, encrypts the data with RSA into password‑protected files, and uploads it over FTP.
- The operation limits execution to Traditional Chinese systems, relies on public or compromised services and a related tool, LucidKnight, to move data through channels like Gmail, and remains partly opaque because the second‑stage Lua payload was not recovered.
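The two delivery signals in the chains above (a document-themed shortcut as the lure, and a trusted signed program side-loading a planted DLL) are the points a defender can test for. The following is an added example, not code from the Talos report or from the LucidPawn/LucidRook tooling: it runs two simple checks over constructed records shaped like Sysmon image-load events and attachment filenames. All host program names, DLL names and paths are placeholders, not indicators from the report.

```python
"""Added example (not from the Talos report): flag the DLL side-loading and
disguised-shortcut patterns described in the overview, over constructed data."""
import ntpath
from dataclasses import dataclass

# Directories an ordinary user can write to. A signed host binary loading an
# unsigned DLL out of one of these, from its own directory, is the classic
# side-loading signal (a trusted program carried along with a planted DLL).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Document-looking extensions a .lnk stem may be dressed up with
# (e.g. "report.pdf.lnk" shows as "report.pdf" when extensions are hidden).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass
class ImageLoad:
    """Fields modelled on a Sysmon Event ID 7 (image loaded) record."""
    host_path: str     # process that performed the load
    host_signed: bool  # host carries a valid Authenticode signature
    dll_path: str      # full path of the DLL that was loaded
    dll_signed: bool   # DLL carries a valid signature


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host, unsigned DLL, both living in the same user-writable directory."""
    host_dir = ntpath.dirname(ev.host_path).lower()
    dll_dir = ntpath.dirname(ev.dll_path).lower()
    return (ev.host_signed and not ev.dll_signed
            and is_user_writable(ev.dll_path) and host_dir == dll_dir)


def is_disguised_shortcut(filename: str) -> bool:
    """True for shortcuts whose visible name mimics a document, e.g. 'brief.pdf.lnk'."""
    stem, ext = ntpath.splitext(filename.lower())
    if ext != ".lnk":
        return False
    _, inner_ext = ntpath.splitext(stem)
    return inner_ext in DOC_EXTENSIONS


def triage(loads, attachments):
    """Return (image loads, attachment names) matching either signal."""
    flagged_loads = [ev for ev in loads if is_sideload_candidate(ev)]
    flagged_files = [f for f in attachments if is_disguised_shortcut(f)]
    return flagged_loads, flagged_files


# Constructed sample data: placeholder names, not indicators from the report.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\alice\Downloads\pkg\vendorhost.exe", True,
              r"C:\Users\alice\Downloads\pkg\helper.dll", False),   # side-load pattern
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),            # benign
    ImageLoad(r"C:\Users\alice\Downloads\pkg\vendorhost.exe", True,
              r"C:\Windows\System32\user32.dll", True),              # benign system DLL
]
SAMPLE_ATTACHMENTS = ["agenda.pdf.lnk", "agenda.pdf", "setup.lnk", "notes.TXT.LNK"]

if __name__ == "__main__":
    loads, files = triage(SAMPLE_LOADS, SAMPLE_ATTACHMENTS)
    for ev in loads:
        print("side-load candidate:", ev.host_path, "->", ev.dll_path)
    for f in files:
        print("disguised shortcut:", f)
```

The side-load check deliberately requires all three conditions together (signed host, unsigned DLL, shared user-writable directory); any one alone is common in benign software and would drown the alert in noise. In a real deployment the signature fields would come from the telemetry source's own signature verification rather than be supplied by hand.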