← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities.
The email contained a shortened URL that leads to the download of a password protected and encrypted RAR archive. The decryption password was included in the email body. Based on this email and the collected samples, Talos observed two distinct infection chains originating from the delivered archives.
Indicators of Compromise (8 / 31 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| FileHash-MD5 | 08e44f25c764212f33b1d05900a14978 | MD5 of adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143 | 2026-04-15 | |
| FileHash-MD5 | 263d2f844fec137f085cece4d6ae45e5 | MD5 of f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839 | 2026-04-15 | |
| FileHash-MD5 | 2b27f9936aebde7f4797fca3f0500eef | MD5 of c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc | 2026-04-15 | |
| FileHash-MD5 | 7a9d42393f803b5b9b90eac05ad6a65a | MD5 of d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a | 2026-04-15 | |
| FileHash-MD5 | 8422c64dcafc83841e8a0ebd93564874 | MD5 of b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d | 2026-04-15 | |
| FileHash-MD5 | d4eacad2b7c0a659713216ae62f77b50 | MD5 of bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d | 2026-04-15 | |
| FileHash-MD5 | ed7a850c9b87054da2c1173797bb5bd7 | MD5 of edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809 | 2026-04-15 | |
| FileHash-MD5 | edae483fb8698a3f30b680a02c92525b | MD5 of d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964 | 2026-04-15 |