A previously undocumented threat group, UAT-10027, is targeting U.S. education and healthcare sectors with a new backdoor called Dohdoor. The malware uses DNS-over-HTTPS for stealthy communications and DLL side-loading for execution, ultimately deploying a Cobalt Strike Beacon. While the campaign's financial motive and victim profile show some overlap with North Korean threat actors, a definitive attribution has not been made. The main topics covered are the identification of a new cyber threat campaign, the technical details of the Dohdoor malware, and the analysis of potential attribution to a known threat actor.
A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.
The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
"Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively," security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.
Although the initial access vector used in the campaign is currently not known, it's suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.
The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that's named "propsys.dll" or "batmeter.dll."
The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., "Fondue.exe," "mblctr.exe," and "ScreenClippingHost.exe") using a technique referred to as DLL side-loading. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim's memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.
"The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address," Talos said.
"This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware's C2 communications remain stealth by traditional network security infrastructure."
Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll.
Raghuprasad told The Hacker News that, "the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface. Additionally, one of the affected entities was a healthcare facility, specifically for elderly care."
Analysis of the campaign has revealed no evidence of data exfiltration to date. Although no final payloads have been observed other than what appears to be the Cobalt Strike Beacon to backdoor into the victim's environment, it's believed that UAT-10027's actions are likely driven by financial gain based on the victimology pattern, the researcher added.
There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and LazarLoader, a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea.
"While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting," Talos concluded.
"However, [...] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs."
Meridiano
