A newly identified threat cluster, tracked by Cisco Talos as UAT-10027, is actively targeting the education and healthcare sectors in the United States. The campaign, which began in December 2025, deploys a previously undocumented backdoor that Talos calls Dohdoor. Its defining trait is the use of DNS-over-HTTPS for command and control, which lets its traffic pass for ordinary web browsing.
Innovative Methods in Cyber Attacks
The Dohdoor malware uses DNS-over-HTTPS (DoH) for its command-and-control communications, and through that channel it downloads and executes additional payloads. According to Talos researchers Alex Karkins and Chetan Raghuprasad, initial access is suspected to come through phishing: the victim is socially engineered into running a PowerShell script.
That PowerShell script downloads a Windows batch script from a remote server, which in turn installs a malicious DLL named either “propsys.dll” or “batmeter.dll.” The DLL is executed by DLL side-loading: it is placed where a legitimate, signed Windows executable such as “Fondue.exe” or “mblctr.exe” will load it in place of the genuine library of the same name. Running inside that trusted process, the backdoor then injects further malicious payloads directly into memory.
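The infection chain above leaves a specific trace: a Windows system binary loading a DLL that carries a system DLL's name but lives outside a Windows system directory. The following Python is an added example written for this article, not Cisco Talos's tooling, that applies that check to image-load telemetry. The host binaries and DLL names come from the article; the Sysmon Event ID 7 field layout, the trusted-directory list and the sample records are assumptions made for illustration.

```python
# Added example (not Cisco Talos code): flag DLL side-loading of the kind the
# article describes, using constructed Sysmon Event ID 7 (ImageLoad) records.
# Host binaries and DLL names are from the article; the record layout, the
# trusted-directory list and the sample events are assumptions.
from dataclasses import dataclass
import ntpath

# Legitimate Windows executables the article names as side-loading hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe"}
# Names the article says the malicious DLL is given.
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Directories from which these system DLLs are expected to load (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass
class ImageLoad:
    """Sysmon Event ID 7, reduced to the fields this check needs."""
    image: str          # process that loaded the DLL (Sysmon "Image")
    image_loaded: str   # path of the DLL (Sysmon "ImageLoaded")
    signed: str         # Sysmon "Signed" field for the DLL: "true" / "false"


def _in_trusted_dir(path: str) -> bool:
    d = ntpath.dirname(path).lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons an ImageLoad looks like side-loading (empty if benign)."""
    host = ntpath.basename(ev.image).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    if host not in SIDELOAD_HOSTS or dll not in SIDELOAD_DLLS:
        return []
    reasons = []
    if not _in_trusted_dir(ev.image_loaded):
        reasons.append(f"{dll} loaded from untrusted directory {ntpath.dirname(ev.image_loaded)}")
    if not _in_trusted_dir(ev.image):
        # A copy of the host binary next to the DLL is the classic side-loading layout.
        reasons.append(f"{host} running outside a Windows system directory ({ntpath.dirname(ev.image)})")
    if ev.signed.lower() != "true":
        reasons.append(f"{dll} is not signed")
    return reasons


def find_sideloads(events):
    """Return (event, reasons) pairs for every event that classify() flags."""
    return [(ev, r) for ev in events if (r := classify(ev))]


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\mblctr.exe", r"C:\Windows\System32\batmeter.dll", "true"),
    ImageLoad(r"C:\Users\Public\Libraries\mblctr.exe", r"C:\Users\Public\Libraries\batmeter.dll", "false"),
    ImageLoad(r"C:\Windows\System32\Fondue.exe", r"C:\Users\alice\AppData\Local\Temp\propsys.dll", "false"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\propsys.dll", "true"),
]

if __name__ == "__main__":
    for ev, reasons in find_sideloads(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The second and third sample events are flagged; the first (the genuine batmeter.dll from System32) and the fourth (a host binary the article does not name) are not. In production the same logic applies to the whole catalogue of known side-loading host binaries, not only the two named here, and a hit should be joined with the preceding PowerShell and batch-script process creations to recover the full chain.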
Stealth Techniques and Evasion
Dohdoor hides its command-and-control servers behind Cloudflare’s infrastructure and resolves them over DoH, so all outbound traffic from a compromised host looks like ordinary HTTPS. Because the name lookups never traverse port 53, resolver logs and passive DNS sensors do not see them, and the C2 endpoints sit in address space shared with a great many legitimate sites, which blunts IP-reputation blocking and plain network traffic analysis. Additionally, the malware unhooks the Windows API functions that EDR products instrument in user mode, so calls made through those functions are no longer observed by the EDR.
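Since DoH removes the queries from the DNS telemetry defenders usually rely on, the practical substitute is to watch which processes talk to DoH resolvers at all. The following Python is an added example written for this article, not Cisco Talos's tooling, that applies that idea to endpoint network telemetry: it flags HTTPS connections to public DoH resolvers, and plain-DNS bootstrap lookups of resolver hostnames, from any process outside an allowlist. The resolver list, the process allowlist, the Sysmon Event ID 3 and 22 field layout and the sample records are assumptions made for illustration.

```python
# Added example (not Cisco Talos code): surface DNS-over-HTTPS use by processes
# that have no reason to resolve names that way, using constructed Sysmon
# Event ID 3 (NetworkConnect) and Event ID 22 (DnsQuery) records. The resolver
# list, process allowlist, record layout and sample events are assumptions.
from dataclasses import dataclass
import ipaddress
import ntpath

# Public DoH resolver addresses (Cloudflare 1.1.1.1/1.0.0.1, Google, Quad9).
# Assumption: extended with whatever resolvers the environment sanctions.
DOH_RESOLVER_IPS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
)}
# Hostnames a DoH client may look up once, over plain DNS, to bootstrap its resolver.
DOH_RESOLVER_NAMES = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}
# Processes permitted to speak DoH (assumption: browsers with DoH enabled by policy).
ALLOWED_DOH_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class NetConnect:
    """Sysmon Event ID 3 (NetworkConnect), reduced to the fields used here."""
    image: str
    dest_ip: str
    dest_port: int


@dataclass
class DnsQuery:
    """Sysmon Event ID 22 (DnsQuery), reduced to the fields used here."""
    image: str
    query_name: str


def _process_name(image: str) -> str:
    return ntpath.basename(image).lower()


def suspicious_doh(events) -> list[tuple[str, str]]:
    """Return (process, evidence) pairs for DoH activity by non-allowlisted processes.

    Only port 443 is treated as DoH: traffic to the same resolver on port 53 is
    plain DNS and remains visible to ordinary DNS monitoring.
    """
    findings = []
    for ev in events:
        proc = _process_name(ev.image)
        if proc in ALLOWED_DOH_PROCESSES:
            continue
        if isinstance(ev, NetConnect):
            if ev.dest_port == 443 and ipaddress.ip_address(ev.dest_ip) in DOH_RESOLVER_IPS:
                findings.append((proc, f"HTTPS connection to DoH resolver {ev.dest_ip}"))
        elif isinstance(ev, DnsQuery):
            name = ev.query_name.lower().rstrip(".")
            if name in DOH_RESOLVER_NAMES:
                findings.append((proc, f"bootstrap lookup of DoH resolver {name}"))
    return findings


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    NetConnect(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "1.1.1.1", 443),  # allowlisted
    NetConnect(r"C:\Windows\System32\svchost.exe", "1.1.1.1", 53),   # classic DNS, not DoH
    NetConnect(r"C:\Windows\System32\mblctr.exe", "1.1.1.1", 443),  # side-loading host using DoH
    DnsQuery(r"C:\Windows\System32\Fondue.exe", "cloudflare-dns.com"),
    # Assumed Cloudflare-fronted C2 (TEST-NET address): it looks like any other
    # HTTPS session, so this rule cannot single it out; the resolver hop is the tell.
    NetConnect(r"C:\Windows\System32\Fondue.exe", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for proc, evidence in suspicious_doh(SAMPLE_EVENTS):
        print(f"{proc}: {evidence}")
```

The rule deliberately keys on the process, not the destination alone: Cloudflare's resolver address is used legitimately by browsers and by the OS, so the anomaly is a Mobility Center or Features-on-Demand binary doing it. Note also that a DoH client that already holds its resolver's IP never performs the bootstrap lookup, so the port-443 check, not the DNS-query check, is the one to rely on.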
Despite the sophistication of the attack, the actor behind UAT-10027 has not been identified. Talos does note technical similarities between Dohdoor and Lazarloader, a tool previously associated with the North Korean group Lazarus in intrusions against South Korean entities.
Implications and Future Outlook
While UAT-10027 shares certain characteristics with North Korean APT tooling, its focus on U.S. education and healthcare organizations departs from Lazarus’s usual targets, such as the cryptocurrency and defense industries. That gap points either to a change in strategy or to a different actor reusing the same tooling; the evidence so far does not settle which.
Given the campaign’s complexity and potential impact, organizations in the affected sectors should concentrate on the points where this chain is observable: phishing that leads users to run PowerShell, DoH connections from processes that have no reason to use them, and Windows system binaries loading DLLs from user-writable directories. Because the malware’s DNS activity never reaches port 53, DNS-based monitoring alone will not see it, so endpoint and TLS telemetry must carry that weight. As the situation evolves, continuous monitoring and adjustment of detection strategies will be crucial to safeguarding sensitive data and infrastructure.
