T1059.011 Lua is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the abuse of Lua, a lightweight, high-level scripting language designed for simplicity, flexibility, and ease of integration into applications. Lua is often used to enable customization and automation within software, particularly in game development, configuration management, and extending functionality in various software tools.
Lua’s portability, speed, and ease of integration have made it popular for embedded scripting tasks, but these very qualities also make it appealing for adversaries. Lua scripts can be embedded in a wide range of applications and services, giving attackers a versatile tool to execute malicious code and automate activities within targeted systems.
To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.
Adversaries use T1059.011 Lua to execute malicious code by abusing the scripting capabilities of Lua within applications or services that already support it. Due to its lightweight nature and ability to be embedded within legitimate software, Lua scripts can often evade detection systems that focus on traditional scripting environments or executable files.
In cyber operations, Lua is commonly weaponized for tasks such as automating malicious actions, creating in-memory payloads, bypassing security mechanisms, and interacting with networked systems. Adversaries may inject Lua scripts into software environments that use Lua for customization or extend the software's behavior to execute secondary payloads. The flexibility of Lua allows attackers to manipulate various systems without the need for external tools, making it a powerful option for stealthy execution and persistence within compromised environments.
By leveraging Lua’s ease of integration and low detection risk, adversaries can effectively execute malicious code while blending into normal application workflows, bypassing detection mechanisms that focus on more traditional attack methods.
While Lua is not among the most common languages used by malware authors, it remains attractive for opportunistic attacks, particularly when embedded in gaming-related tools or cheat engines. Multiple incidents in 2024–2025 involved Lua-based malware masquerading as game cheat tools: victims download a package containing a Lua runtime, an obfuscated Lua script and a launcher, which then executes malicious payloads or drops additional malware [1].
In addition, a newly observed malware strain appears to dynamically generate Lua scripts at runtime (on Windows, macOS, Linux) for theft and encryption, demonstrating that Lua remains a viable scripting option, especially when paired with languages like Go, or when generated dynamically for evasive purposes [2].
However, as of 2026 there is no widely documented, large-scale enterprise or APT campaign using Lua; public reporting is limited to consumer-focused or opportunistic malware.
Consequently, defenders should treat Lua-based threats as a possible but lower-probability vector in enterprise settings, while remaining aware of evolving techniques (e.g., dynamic script generation, multi-language malware) that may raise the risk in the near future.
The use of Lua by adversaries demonstrates the dual-edged nature of scripting languages: while powerful for legitimate applications, their adaptability can be exploited in malicious contexts, highlighting the importance of monitoring scripting activity within systems.
For instance, in October 2024, security researchers identified Lua malware targeting the educational sector, abusing Lua game engine add-ons popular among students. Originating as a packed Lua loader earlier in the year, the malware has evolved into a global threat, often delivered as ZIP archives containing obfuscated Lua scripts and components such as Lua compilers and DLL files.
These scripts use advanced obfuscation with the Prometheus obfuscator, making reverse engineering difficult. The malware leverages Lua's flexibility, executing malicious tasks via a command-and-control (C2) server, gathering system data, and establishing persistence through scheduled tasks. It frequently targets users downloading game cheats from platforms like GitHub.
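The delivery chain described above (a Lua runtime and obfuscated script unpacked from an archive into a user-writable folder, then persistence through a scheduled task) leaves a recognisable trace in endpoint process-creation telemetry. The following is an added detection sketch, not code from the original article or from any vendor named on the page. It runs over a small set of constructed process events and raises two findings: a Lua interpreter or script executing from a user-writable path, and a `schtasks /create` whose process tree leads back to a Lua process (walking through intermediaries such as `cmd.exe`). The interpreter image names, the user-writable path patterns and all sample events are assumptions made for the example and should be tuned to your own environment.

```python
"""Detection sketch for T1059.011-style activity over constructed
process-creation telemetry (added example, not the page's own code)."""
import re
from dataclasses import dataclass

# Lua interpreter / compiler image names typically bundled with such packages.
# Assumption: illustrative list, extend it from your software inventory.
LUA_IMAGES = {"lua.exe", "lua5.1.exe", "lua5.3.exe", "lua5.4.exe",
              "luajit.exe", "luac.exe", "lua", "lua5.4", "luajit", "luac"}

# User-writable locations where a freshly extracted archive usually lands.
# Assumption: illustrative patterns, not an exhaustive list.
USER_WRITABLE = re.compile(
    r"(\\downloads\\|\\temp\\|\\appdata\\local\\temp\\|\\desktop\\|/tmp/|/downloads/)",
    re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # full command line of the new process


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_lua(ev: ProcEvent) -> bool:
    return basename(ev.image) in LUA_IMAGES


def has_lua_ancestor(ev: ProcEvent, by_pid: dict, max_depth: int = 4) -> bool:
    """Walk up the parent chain so a schtasks launched via cmd.exe (or another
    intermediary) from a Lua process is still attributed to that Lua process."""
    cur = by_pid.get(ev.ppid)
    depth = 0
    while cur is not None and depth < max_depth:
        if is_lua(cur):
            return True
        cur = by_pid.get(cur.ppid)
        depth += 1
    return False


def analyze(events):
    """Return (pid, rule_name) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        # Rule 1: Lua runtime, or a Lua script it loads, lives in a user-writable path.
        if is_lua(e) and (USER_WRITABLE.search(e.image) or USER_WRITABLE.search(e.cmdline)):
            findings.append((e.pid, "lua_runtime_or_script_in_user_writable_path"))
        # Rule 2: scheduled-task creation whose ancestry leads back to a Lua process.
        if (basename(e.image) == "schtasks.exe"
                and re.search(r"(^|\s)/create\b", e.cmdline, re.IGNORECASE)
                and has_lua_ancestor(e, by_pid)):
            findings.append((e.pid, "scheduled_task_created_from_lua_process_tree"))
    return findings


# Constructed sample telemetry (not real logs). Only pids 200 and 202 should fire.
SAMPLE_EVENTS = [
    # Benign: a game engine embedding Lua, installed under Program Files.
    ProcEvent(100, 1, r"C:\Program Files\ExampleGame\lua.exe",
              r'"C:\Program Files\ExampleGame\lua.exe" init.lua'),
    # Suspicious: Lua runtime extracted from a "cheat" archive in Downloads.
    ProcEvent(200, 50, r"C:\Users\alice\Downloads\cheat_engine\lua5.4.exe",
              r'lua5.4.exe "C:\Users\alice\Downloads\cheat_engine\launcher.lua"'),
    # Child of 200: cmd.exe used as an intermediary for the persistence step.
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c schtasks /create /tn Updater /tr "C:\Users\alice\Downloads\cheat_engine\lua5.4.exe launcher.lua" /sc onlogon'),
    ProcEvent(202, 201, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /tr "C:\Users\alice\Downloads\cheat_engine\lua5.4.exe launcher.lua" /sc onlogon'),
    # Benign: an administrator creating a task with no Lua process in its ancestry.
    ProcEvent(300, 40, r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Backup /tr backup.cmd /sc daily"),
]


def run_sample():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid={pid} rule={rule}")
```

The ancestry walk is what keeps the second rule useful: a loader that calls `schtasks` through a shell would otherwise show `cmd.exe` as the parent and slip past a direct parent-child match. In a real deployment the same two rules map onto Sysmon Event ID 1 or EDR process-start records, with the path and image lists maintained as allow/deny data rather than hard-coded.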
The malware is a precursor to payloads like Redline infostealers, which exfiltrate sensitive data for resale on the dark web. Morphisec combats these threats with its automated moving target defense (AMTD) technology, blocking attacks early without relying on traditional detection methods.
[1] The Hacker News, “Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines,” The Hacker News, Oct. 08, 2024. Available: https://thehackernews.com/2024/10/gamers-tricked-into-downloading-lua.html. [Accessed: Dec. 02, 2025]
[2] AMR, “IT threat evolution in Q3 2025. Non-mobile statistics,” Kaspersky, Nov. 19, 2025. Available: https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/. [Accessed: Dec. 02, 2025]