uat-10362-lucidrook-taiwan-2026-04-08
UAT-10362 LucidRook LNK archive chain against Taiwanese organizations
Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positions

| Position | Type | Value |
|---|---|---|
| 1 | email | spear-phishing email targeting Taiwanese NGO or suspected university |
| 2 | url | shortened URL leading to password-protected encrypted RAR archive |
| 3 | file | password-protected encrypted RAR archive containing LNK lure and hidden directory |
| 4 | file | malicious LNK file with substituted PDF icon |
| 5 | file | hidden four-level directory containing DismCore.dll, install.exe and decoy file |
| 6 | file | LucidPawn dropper DismCore.dll |
| 7 | file | LucidRook DLL stager written as DismCore.dll |
| 8 | ip | 1.34.253.131 |
| 9 | ip | 59.124.71.242 |
| 10 | file | archive1.zip staged Lua bytecode payload from FTP C2 |
| 11 | file | archive4.zip encrypted host reconnaissance upload |
| 12 | domain | d.2fcc7078.digimg.store |
Relations
directed infrastructure edges

| From | Type | To | Confidence |
|---|---|---|---|
| e1 | references | e2 | confirmed |
| e2 | download | e3 | confirmed |
| e3 | drops | e4 | confirmed |
| e3 | drops | e5 | confirmed |
| e4 | execute | e6 | confirmed |
| e6 | drops | e7 | confirmed |
| e6 | execute | e7 | confirmed |
| e7 | connect | e8 | confirmed |
| e7 | connect | e9 | confirmed |
| e8 | download | e10 | confirmed |
| e7 | drops | e11 | confirmed |
| e7 | communicates-with | e8 | confirmed |
| e7 | communicates-with | e12 | likely |
Entities & evidence
observable inventory

| ID | Type | Value | Source / evidence |
|---|---|---|---|
| e1 | email | spear-phishing email targeting Taiwanese NGO or suspected university | Talos reports spear-phishing emails against Taiwanese NGOs and suspected universities as the delivery context for LucidRook. |
| e2 | url | shortened URL leading to password-protected encrypted RAR archive | Talos states that the email contained a shortened URL which led to a password-protected and encrypted RAR archive, with the password included in the email body. |
| e3 | file | password-protected encrypted RAR archive containing LNK lure and hidden directory | Talos describes the LNK-based samples as delivered as an archive containing an LNK file, a decoy document with substituted PDF icon, and a hidden directory. |
| e4 | file | malicious LNK file with substituted PDF icon | Talos reports LNK files in the archive that launch the embedded malware via the hidden directory contents. |
| e5 | file | hidden four-level directory containing DismCore.dll, install.exe and decoy file | Talos states that the hidden directory contains four layers of nested folders and that the fourth-level directory contains LucidPawn, a legitimate EXE and a decoy file. |
| e6 | file | LucidPawn dropper DismCore.dll | Talos tracks the initial dropper in the LNK infection chain as LucidPawn and names DismCore.dll in the hidden directory. |
| e7 | file | LucidRook DLL stager written as DismCore.dll | Talos reports that LucidPawn decrypts and writes the LucidRook stager as DismCore.dll under the WindowsApps path. |
| e8 | ip | 1.34.253.131 | Cisco Talos IOC repository lists 1.34.253.131 as an abused FTP server for LucidRook. |
| e9 | ip | 59.124.71.242 | Cisco Talos IOC repository lists 59.124.71.242 as an abused FTP server for LucidRook. |
| e10 | file | archive1.zip staged Lua bytecode payload from FTP C2 | Talos reports that LucidRook retrieves archive1.zip from the C2 over FTP and executes the Lua bytecode after unpacking and validation. |
| e11 | file | archive4.zip encrypted host reconnaissance upload | Talos reports that collected system information is archived into archive4.zip and uploaded to the C2 FTP server. |
| e12 | domain | d.2fcc7078.digimg.store | Cisco Talos IOC repository lists d.2fcc7078.digimg.store as a DNS beaconing domain for LucidRook-related activity. |
ATT&CK annotations
optional complementary mapping
No ATT&CK annotations included.
Raw IIM JSON
canonical body from MANTIS
{
"iim_version": "1.1",
"chain_id": "uat-10362-lucidrook-taiwan-2026-04-08",
"title": "UAT-10362 LucidRook LNK archive chain against Taiwanese organizations",
"description": "Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.",
"actor_id": "UAT-10362",
"observed_at": "2025-10-01T00:00:00Z",
"confidence": "likely",
"x_references": [
{
"title": "New Lua-based malware ‘LucidRook’ observed in targeted attacks against Taiwanese organizations",
"publisher": "Cisco Talos",
"published": "2026-04-08",
"url": "https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/"
},
{
"title": "New Lua-based malware LucidRook IOCs",
"publisher": "Cisco Talos GitHub IOCs",
"published": "2026-04-08",
"url": "https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt"
}
],
"entities": [
{
"id": "e1",
"type": "email",
"value": "spear-phishing email targeting Taiwanese NGO or suspected university",
"evidence": [
"Talos reports spear-phishing emails against Taiwanese NGOs and suspected universities as the delivery context for LucidRook."
]
},
{
"id": "e2",
"type": "url",
"value": "shortened URL leading to password-protected encrypted RAR archive",
"evidence": [
"Talos states that the email contained a shortened URL which led to a password-protected and encrypted RAR archive, with the password included in the email body."
]
},
{
"id": "e3",
"type": "file",
"value": "password-protected encrypted RAR archive containing LNK lure and hidden directory",
"evidence": [
"Talos describes the LNK-based samples as delivered as an archive containing an LNK file, a decoy document with substituted PDF icon, and a hidden directory."
]
},
{
"id": "e4",
"type": "file",
"value": "malicious LNK file with substituted PDF icon",
"evidence": [
"Talos reports LNK files in the archive that launch the embedded malware via the hidden directory contents."
]
},
{
"id": "e5",
"type": "file",
"value": "hidden four-level directory containing DismCore.dll, install.exe and decoy file",
"evidence": [
"Talos states that the hidden directory contains four layers of nested folders and that the fourth-level directory contains LucidPawn, a legitimate EXE and a decoy file."
]
},
{
"id": "e6",
"type": "file",
"value": "LucidPawn dropper DismCore.dll",
"evidence": [
"Talos tracks the initial dropper in the LNK infection chain as LucidPawn and names DismCore.dll in the hidden directory."
]
},
{
"id": "e7",
"type": "file",
"value": "LucidRook DLL stager written as DismCore.dll",
"evidence": [
"Talos reports that LucidPawn decrypts and writes the LucidRook stager as DismCore.dll under the WindowsApps path."
]
},
{
"id": "e8",
"type": "ip",
"value": "1.34.253.131",
"evidence": [
"Cisco Talos IOC repository lists 1.34.253.131 as an abused FTP server for LucidRook."
]
},
{
"id": "e9",
"type": "ip",
"value": "59.124.71.242",
"evidence": [
"Cisco Talos IOC repository lists 59.124.71.242 as an abused FTP server for LucidRook."
]
},
{
"id": "e10",
"type": "file",
"value": "archive1.zip staged Lua bytecode payload from FTP C2",
"evidence": [
"Talos reports that LucidRook retrieves archive1.zip from the C2 over FTP and executes the Lua bytecode after unpacking and validation."
]
},
{
"id": "e11",
"type": "file",
"value": "archive4.zip encrypted host reconnaissance upload",
"evidence": [
"Talos reports that collected system information is archived into archive4.zip and uploaded to the C2 FTP server."
]
},
{
"id": "e12",
"type": "domain",
"value": "d.2fcc7078.digimg.store",
"evidence": [
"Cisco Talos IOC repository lists d.2fcc7078.digimg.store as a DNS beaconing domain for LucidRook-related activity."
]
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "confirmed",
"review_notes": "The public report describes the email class but not a canonical sender or exact message body."
},
{
"entity_id": "e2",
"role": "redirector",
"techniques": [
"IIM-T016"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e3",
"role": "staging",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e4",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "LNK execution is endpoint behavior / file type context, not an IIM infrastructure technique."
},
{
"entity_id": "e5",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Four nested folders are modeled as staging structure, not IIM-T025, because Talos describes nested directories rather than archive-in-archive delivery."
},
{
"entity_id": "e6",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "DLL search order hijacking and persistence belong to ATT&CK, not IIM."
},
{
"entity_id": "e7",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e8",
"role": "c2",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "likely",
"review_notes": "Talos says the FTP servers appear abused/compromised and were operated by printing companies; Compromised Legitimate Host is therefore likely, not confirmed by server-side forensic access in the public report."
},
{
"entity_id": "e9",
"role": "c2",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "likely"
},
{
"entity_id": "e10",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e11",
"role": "staging",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Archive used for exfil packaging; retained as a staging artifact, not a terminal payload."
},
{
"entity_id": "e12",
"role": "c2",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "confirmed",
"review_notes": "The IOC list labels this as DNS beaconing domain; the public article excerpt does not provide enough behavior to assign a more specific IIM technique."
}
],
"relations": [
{
"from": "e1",
"to": "e2",
"type": "references",
"sequence_order": 1,
"confidence": "confirmed"
},
{
"from": "e2",
"to": "e3",
"type": "download",
"sequence_order": 2,
"confidence": "confirmed"
},
{
"from": "e3",
"to": "e4",
"type": "drops",
"sequence_order": 3,
"confidence": "confirmed"
},
{
"from": "e3",
"to": "e5",
"type": "drops",
"sequence_order": 4,
"confidence": "confirmed"
},
{
"from": "e4",
"to": "e6",
"type": "execute",
"sequence_order": 5,
"confidence": "confirmed"
},
{
"from": "e6",
"to": "e7",
"type": "drops",
"sequence_order": 6,
"confidence": "confirmed"
},
{
"from": "e6",
"to": "e7",
"type": "execute",
"sequence_order": 7,
"confidence": "confirmed"
},
{
"from": "e7",
"to": "e8",
"type": "connect",
"sequence_order": 8,
"confidence": "confirmed"
},
{
"from": "e7",
"to": "e9",
"type": "connect",
"sequence_order": 9,
"confidence": "confirmed"
},
{
"from": "e8",
"to": "e10",
"type": "download",
"sequence_order": 10,
"confidence": "confirmed"
},
{
"from": "e7",
"to": "e11",
"type": "drops",
"sequence_order": 11,
"confidence": "confirmed"
},
{
"from": "e7",
"to": "e8",
"type": "communicates-with",
"sequence_order": 12,
"confidence": "confirmed"
},
{
"from": "e7",
"to": "e12",
"type": "communicates-with",
"sequence_order": 13,
"confidence": "likely"
}
],
"x_notes": [
"Only the LNK-based LucidRook path is modeled here. Talos also describes a separate EXE-based path; model that as a second chain if you want variant coverage instead of one mixed chain.",
"OAST-service abuse is mentioned in Talos' summary, but the public text available in the article does not give enough observable structure to place it cleanly in this chain without over-modeling."
]
}