N8N N8mare How Threat Actors Exploit AI Workflow Automation

N8N N8mare How Threat Actors Exploit AI Workflow Automation

The latest threat report from Cisco Talos, published 2026-04-16, uncovers a sophisticated malware campaign targeting Taiwanese non‑governmental organizations and universities. The campaign centers on a Lua‑based stager named LucidRook, delivered through spear‑phishing and malicious LNK/EXE files that masquerade as antivirus utilities. The actors, referred to as UAT‑10362, employ a modular toolkit consisting of LucidPawn, LucidRook, and LucidKnight, each tailored for reconnaissance, staging, or exfiltration.

Infection Overview

UAT‑10362 initiates contact via spear‑phishing emails that contain a password‑protected archive. The archive includes a malicious LNK file that invokes a PowerShell script from the Pester module, a living‑off‑the‑land technique that bypasses traditional AV detection. The LNK points to a hidden directory with nested folders where the LucidPawn dropper (DismCore.dll) and a fake installer (install.exe) reside. When executed, LucidPawn decrypts two AES‑encrypted binaries— a legitimate DISM executable and the LucidRook stager— and writes them to %APPDATA% under disguised names (msedge.exe and DismCore.dll). Persistence is achieved by creating a startup LNK that launches msedge.exe, which then sideloads LucidRook through DLL search order hijacking.

In a parallel infection vector, a .NET dropper named Cleanup.exe is distributed as a 7‑Zip archive titled “Cleanup(密碼:33665512).7z”. The dropper impersonates Trend Micro Worry‑Free Business Security Services and writes the same set of binaries to C:\ProgramData before exiting with a benign message box. Both infection chains share the same exfiltration mechanics—uploading encrypted system data to compromised FTP servers—yet differ in delivery method and user interface cues.

LucidRook Stager Mechanics

LucidRook is a 64‑bit Dynamic‑Link Library that embeds a Lua 5.4.8 interpreter and Rust‑compiled native modules. Upon loading, the DLL initiates host reconnaissance, collecting user, system, and process data into three binary files (1.bin, 2.bin, 3.bin). The data are encrypted twice: first with an RSA public key (hash ab72813444207dba5429cf498c6ffbc69e1bd665d8007561d0973246fa7f8175) and then with a password‑protected ZIP archive (password !,OO5*+ZEYORE%&.K1PQHxiODU^RA046). The encrypted archive is uploaded to an FTP server owned by a Taiwanese printing company, using stored credentials embedded in the stager. A second FTP session retrieves an encrypted Lua bytecode payload (archive1.zip), which is decrypted with a second RSA key pair (private key hash 7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33). The bytecode is then executed inside the embedded Lua interpreter, granting the actor remote code execution capabilities.

String obfuscation is advanced: each string is XOR‑encrypted with a runtime key derived from a constant seed and a per‑string mask stored in a lookup table. Addresses are calculated via arithmetic operations that vary per string, making static analysis difficult. The stager also implements a safe mode that disables package.loadlib, preventing dynamic DLL loading, and it omits the Lua debug library to reduce introspection potential.

LucidKnight Reconnaissance Tool

LucidKnight, a lightweight DLL, is delivered by LucidPawn in a variant that omits the OAST beacon. After dropping, it gathers system information and writes four text files that are encrypted with a third RSA key (hash 852a80470536cb1fdab1a04d831923616bf00c77320a6b4656e80fc3cc722a66) and zipped with password xZh>1<{Km1YD3[V>x]X>=1u(Da)Y=N>u. Exfiltration is performed via Gmail: the tool authenticates to [email protected] using an embedded application key and sends the archive to [email protected]. The email subject is encoded in UTF‑8 (運動資訊平台) and the attachment is a base64‑encoded ZIP.

Geographic Anti‑Analysis

Both LucidPawn and LucidKnight include a UI language check that compares GetUserDefaultUILanguage() to 0x0404 (zh‑TW). The mask clears bit 0x0800, allowing 0x0404 and 0x0C04 (zh‑HK) to pass. This gate ensures the malware runs only on systems configured for Traditional Chinese, effectively evading analysis sandboxes that default to en‑US.

Indicators of Compromise

  • Malicious IPs: 1[.]34[.]253[.]131, 59[.]124[.]71[.]242
  • DNS Beacon: D[.]2fcc7078[.]digimg[.]store
  • Emails: [email protected], [email protected]
  • MD5 Hashes: d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a, adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143, b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d, …

Recommendations

1. Enhance Email Security: Deploy advanced phishing detection, URL reputation services, and sandboxed attachment analysis. Block known malicious domains such as hxxps://storage[.]ghost[.]io and hxxps://blog[.]talosintelligence[.]com.

2. Monitor FTP Usage: Detect outbound FTP sessions to known compromised servers and enforce strict outbound firewall rules. Consider replacing FTP with secure SFTP or TLS‑enabled protocols.

3. Implement Domain/Certificate Whitelisting: Allow outbound connections only to approved domains and certificates. Block hxxps://dnslog[.]ink and other known OAST services unless explicitly required.

4. Strengthen Defense in Depth: Enable Windows Defender Credential Guard, disable unused services, and use AppLocker or Software Restriction Policies to block execution of unknown DLLs and executables from AppData or ProgramData.

5. Conduct Red Team Exercises: Simulate spear‑phishing campaigns using LNK and .EXE dropper vectors to validate detection coverage and response readiness.

6. Update Threat Intelligence Feeds: Subscribe to Cisco Talos, AlienVault OTX, and other feeds to receive real‑time IOC updates. Integrate these feeds with SIEM and SOAR platforms to automate alerting and containment.

Conclusion

The LucidRook, LucidPawn, and LucidKnight family demonstrates a highly engineered, modular approach to targeted intrusion. By combining sophisticated obfuscation, geo‑targeted anti‑analysis, and low‑cost C2 infrastructure, UAT‑10362 has crafted a threat that is difficult to detect with traditional signature‑based tools. However, with robust email filtering, strict outbound controls, and continuous threat intelligence integration, defenders can mitigate the risk of compromise and reduce the attack surface for this and similar campaigns.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading