Key Findings

• Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor.

• Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading.

• The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic within legitimate HTTPS connections, allowing attackers to deploy additional payloads, such as Cobalt Strike, directly into memory while evading security detection and maintaining persistent access.

• Dohdoor uses custom XOR-SUB decryption and unhooks system calls to bypass endpoint detection and response (EDR) solutions.

• Telemetry suggests the actor likely used a Cobalt Strike Beacon as the follow-on payload.

• Talos assesses with low confidence that UAT-10027 links to North Korea due to overlaps with the Lazarus Group, but the campaign's focus on the education and healthcare sectors deviates from Lazarus' typical profile.

Background

The previously undocumented threat activity cluster, tracked as UAT-10027 by Cisco Talos, has been targeting the U.S. education and healthcare sectors since at least December 2025. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.

Initial Access and Delivery

The initial access vector used in the campaign is currently not known, but it's suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script. The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that's named "propsys.dll" or "batmeter.dll."

Dohdoor Backdoor

The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., "Fondue.exe," "mblctr.exe," and "ScreenClippingHost.exe") using a technique referred to as DLL side-loading. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim's memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.

Command and Control

The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address. This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware's C2 communications remain stealthy by traditional network security infrastructure.

Evasion Techniques

Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll. It locates ntdll.dll, checks NtProtectVirtualMemory for user-mode hooks, and patches the syscall stub to create a direct syscall trampoline, effectively bypassing any EDR monitoring.

Victimology and Attribution

Analysis of the campaign has revealed no evidence of data exfiltration to date. Although no final payloads have been observed other than what appears to be the Cobalt Strike Beacon to backdoor into the victim's environment, it's believed that UAT-10027's actions are likely driven by financial motives based on the victimology pattern.

Talos found some tactical similarities between Dohdoor and LazarLoader, a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea. However, the campaign's focus on the education and healthcare sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting. Nonetheless, Talos noted that North Korean APT actors have targeted the healthcare sector using Maui ransomware and the education sector using other methods, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.

Sources

• https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html

• https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html

• https://blog.talosintelligence.com/new-dohdoor-malware-campaign/