A previously undocumented threat activity cluster now drives an ongoing malicious campaign targeting the education and healthcare sectors in the United States since at least December 2025.
Specifically, researchers at Cisco Talos track the campaign under the moniker UAT-10027. Ultimately, the attackers aim to deploy a never-before-seen backdoor codenamed Dohdoor.
“Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report.
Initial Access and Multi-Stage Infection Chain
Although researchers have not yet identified the initial access vector, evidence suggests that threat actors rely on social engineering phishing techniques, which ultimately trigger the execution of a PowerShell script.
Subsequently, the script downloads and executes a Windows batch script from a remote staging server. In turn, that batch script retrieves a malicious Windows dynamic-link library (DLL) named “propsys.dll” or “batmeter.dll.”
Next, attackers launch the DLL payload (Dohdoor) through legitimate Windows executables such as “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe.” To achieve this, they leverage a technique known as DLL side-loading. As a result, the implanted backdoor retrieves a next-stage payload directly into the victim’s memory and executes it. Researchers assess this payload as a Cobalt Strike Beacon, associated with Cobalt Strike.
Stealth Tactics and Command-and-Control Infrastructure
To further evade detection, the threat actor hides the C2 servers behind the Cloudflare infrastructure. Consequently, all outbound traffic from the compromised machine appears as legitimate HTTPS communication directed to a trusted global IP address.
“The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said.
“This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by traditional network security infrastructure.”
In addition, Dohdoor actively unhooks system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll, thereby further strengthening its evasion capabilities.
Raghuprasad told The Hacker News that, “the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface. Additionally, one of the affected entities was a healthcare facility, specifically for older people care.”
Notably, investigators have found no evidence of data exfiltration so far. Moreover, researchers have not observed any final payload beyond what appears to be the Cobalt Strike Beacon, which attackers use to maintain backdoor access within victim environments.
Nevertheless, analysts believe UAT-10027 likely operates with financial motivations, based on the victimology pattern, the researcher added.
Attribution Questions and Possible Lazarus Links
At this stage, researchers have not identified the operators behind UAT-10027. However, Cisco Talos identified tactical similarities between Dohdoor and LazarLoader, a downloader previously linked to the North Korean threat group Lazarus Group in attacks targeting South Korea.
“While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” Talos concluded.
“However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”
Source: TheHackerNews
Read more at Impreza News
