The previously undocumented cluster of threat activity is believed to stem from an ongoing malicious campaign targeting the education and healthcare sectors in the United States since at least December 2025.
This campaign is tracked by Cisco Talos as UAT-10027. The ultimate goal of the attack is to deliver a never-before-seen backdoor codenamed Dohdoor.
“Dohdoor utilizes DNS-over-HTTPS (DoH) technology for command-and-control (C2) communications and has the ability to reflexively download and execute other payload binaries,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.
The initial access vector used in this campaign is currently unknown, but is believed to include the use of social engineering phishing techniques leading to the execution of PowerShell scripts.
The script then downloads and runs the Windows batch script from the remote staging server. This facilitates the download of a malicious Windows dynamic link library (DLL) named ‘propsys.dll’ or ‘batmeter.dll’.
DLL payloads (such as Dohdoor) are launched by legitimate Windows executables (such as “Fondue.exe”, “mblctr.exe”, and “ScreenClippingHost.exe”) using a technique known as DLL sideloading. The backdoor access created by the implant is used to retrieve and execute the next stage payload directly into the victim’s memory. The payload is assessed to be a Cobalt Strike Beacon.
“The attackers hide their C2 servers behind the Cloudflare infrastructure, making all outbound communications from the victim machines appear as legitimate HTTPS traffic to trusted global IP addresses,” Talos said.
“This technology bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain searches, ensuring that malware C2 communications remain stealth through traditional network security infrastructure.”
Dohdoor has also been found to unhook system calls in order to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll.
It is not currently clear who is behind UAT-10027, but Cisco Talos said it has found some tactical similarities between Dohdoor and Lazarloader. Lazarloader is a downloader previously identified as being used by the North Korean hacker group Lazarus in attacks targeting South Korea.
“Although the UAT-10027 malware has technical overlap with the Lazarus Group, the focus of this campaign is on the education and healthcare sectors, deviating from Lazarus’ typical profile of cryptocurrency and defense targets,” Talos concluded.
“but, […] North Korean APT attackers have used Maui ransomware to target the healthcare sector, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlap between UAT-10027’s victims and those of other North Korean APTs.
Source link
