UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Source: The Hacker News
Overview
- Campaign name: UAT‑10027
- Target sectors: U.S. education and healthcare
- Primary payload: Dohdoor – a DNS‑over‑HTTPS (DoH) backdoor capable of reflective DLL loading and downloading additional payloads.
- First observed: December 2025
Security researchers Alex Karkins and Chetan Raghuprasad described Dohdoor as using DoH for command‑and‑control (C2) communications and being able to download and execute other binaries reflectively (source).
Image: Healthcare cyber‑attack
Delivery and Execution
The initial access vector has not been definitively identified, but social‑engineering phishing techniques are suspected. The typical flow includes:
- Phishing email delivering a malicious PowerShell script.
- The PowerShell script downloads and runs a Windows batch file from a remote staging server.
- The batch file retrieves a malicious Windows DLL named propsys.dll or batmeter.dll.
The DLL payload (Dohdoor) is launched via DLL side‑loading using legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe (MITRE ATT&CK).
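The side-loading step above is what defenders can most directly hunt for: a legitimate, signed Windows executable loading a DLL with one of the expected names from a directory where the real DLL does not live. The following is an added example (not code from the article or from Cisco Talos) showing how such a rule can be applied to Sysmon Event ID 7 (ImageLoaded) records. The executable and DLL names come from the article; the trusted-directory list, the constructed sample events and the `Signed` handling are assumptions to adjust to your own baseline.

```python
from typing import Dict, List

# Names taken from the article: executables Dohdoor abuses for DLL side-loading
# and the DLL file names it ships. All matching is case-insensitive.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SUSPECT_DLLS = {"propsys.dll", "batmeter.dll"}
# Assumption: the legitimate copies of these DLLs are only expected under the
# Windows system directories. Adjust for your own build baseline.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _split(path: str):
    """Return (directory, filename) for a Windows path, lower-cased.

    Done by hand so the rule behaves the same on a Linux SIEM host,
    where os.path would not treat backslashes as separators."""
    p = path.replace("/", "\\").lower()
    head, _, tail = p.rpartition("\\")
    return head, tail


def is_suspicious_load(event: Dict[str, str]) -> bool:
    """Evaluate one Sysmon Event ID 7 (ImageLoaded) record.

    Fires when a known side-load host loads one of the suspect DLL names
    from somewhere other than a trusted directory, or when the DLL is
    unsigned even inside a trusted directory."""
    _, host = _split(event.get("Image", ""))
    dll_dir, dll = _split(event.get("ImageLoaded", ""))
    if host not in SIDELOAD_HOSTS or dll not in SUSPECT_DLLS:
        return False
    signed = event.get("Signed", "false").lower() == "true"
    return dll_dir not in TRUSTED_DLL_DIRS or not signed


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded path of every event the rule fires on."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 7.
SAMPLE_EVENTS = [
    # Legitimate: Windows' own mblctr.exe loading the real, signed propsys.dll.
    {"Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll", "Signed": "true"},
    # Side-loading: a copied Fondue.exe picks up an unsigned propsys.dll beside it.
    {"Image": r"C:\Users\Public\Libraries\Fondue.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\propsys.dll", "Signed": "false"},
    # Unrelated application loading a same-named DLL: not a known host, ignored.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\batmeter.dll", "Signed": "false"},
    # Side-loading: ScreenClippingHost.exe loading batmeter.dll from ProgramData.
    {"Image": r"C:\Windows\System32\ScreenClippingHost.exe",
     "ImageLoaded": r"C:\ProgramData\Snip\batmeter.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("suspicious side-load:", path)
```

Because the host executables are legitimately signed, a rule keyed on the parent process alone produces noise; keying on the DLL name plus its load path is what separates the real propsys.dll in System32 from a copy dropped next to a relocated Fondue.exe.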
Payload and C2
- Backdoor functionality: Provides persistent access and can retrieve a next‑stage payload directly into memory.
- Observed second‑stage payload: A Cobalt Strike Beacon.
- C2 infrastructure: Hosted behind Cloudflare, making outbound traffic appear as legitimate HTTPS to trusted global IP addresses (source).
The use of DoH allows Dohdoor to bypass DNS‑based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups.
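Since DoH hides the query inside ordinary HTTPS, the DNS logs that sinkholes and domain-reputation tools rely on never see it. The remaining signal is the process making the connection: DoH from a browser is expected, DoH from a side-loaded host such as mblctr.exe is not. The following is an added example (not code from the article) that applies that logic to constructed endpoint network events. The key=value log format, the resolver list and the browser allow-list are assumptions; the article does not name the resolver Dohdoor talks to, so the SNI list is a starting point rather than an indicator.

```python
from typing import Dict, List, Tuple

# Assumption: public DoH resolver hostnames as they appear in TLS SNI. Dohdoor's
# own resolver is not named in the article, so treat this as a starting point.
KNOWN_DOH_SNI = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google",
    "dns.quad9.net",
}
# Processes for which DoH is expected. Windows 11's DNS client can also do DoH
# from svchost.exe; baseline that separately before allow-listing it.
EXPECTED_DOH_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse a space-separated key=value network event (constructed format)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_unexpected_doh(event: Dict[str, str]) -> bool:
    """True when a non-browser process talks TLS to a known DoH resolver, or
    when an inspecting proxy saw the DoH wire format (application/dns-message)."""
    proc = event.get("proc", "").lower()
    sni = event.get("sni", "").lower()
    ctype = event.get("content_type", "").lower()
    doh_by_name = sni in KNOWN_DOH_SNI
    doh_by_format = ctype == "application/dns-message"
    return (doh_by_name or doh_by_format) and proc not in EXPECTED_DOH_PROCESSES


def find_unexpected_doh(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (process, sni) for every event the rule fires on."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_unexpected_doh(ev):
            hits.append((ev.get("proc", ""), ev.get("sni", "")))
    return hits


# Constructed sample events (not real telemetry). The last line models a
# TLS-inspecting proxy that saw the request body's content type.
SAMPLE_LOG = """\
ts=2025-12-03T10:01:02Z proc=msedge.exe pid=4120 dst=104.16.248.249 dport=443 sni=cloudflare-dns.com
ts=2025-12-03T10:01:05Z proc=mblctr.exe pid=5521 dst=104.16.248.249 dport=443 sni=cloudflare-dns.com
ts=2025-12-03T10:01:07Z proc=outlook.exe pid=3002 dst=52.96.0.1 dport=443 sni=outlook.office365.com
ts=2025-12-03T10:01:09Z proc=Fondue.exe pid=6610 dst=8.8.8.8 dport=443 sni=dns.google
ts=2025-12-03T10:01:11Z proc=firefox.exe pid=7001 dst=104.16.249.249 dport=443 sni=mozilla.cloudflare-dns.com
ts=2025-12-03T10:01:13Z proc=ScreenClippingHost.exe pid=8802 dst=203.0.113.7 dport=443 sni=doh.example content_type=application/dns-message
""".splitlines()

if __name__ == "__main__":
    for proc, sni in find_unexpected_doh(SAMPLE_LOG):
        print(f"unexpected DoH: {proc} -> {sni}")
```

The resolver list will never be complete, which is why the content-type check matters where TLS inspection is in place: it catches DoH to a resolver nobody has catalogued, including one fronted by a CDN whose IP space looks like ordinary web traffic.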
Image: C2 chain illustration
Evasion Techniques
- System‑call unhooking: Dohdoor unhooks system calls to evade endpoint detection and response (EDR) solutions that monitor Windows API calls via user‑mode hooks in NTDLL.dll (reference).
- DLL side‑loading: Executes malicious code under the guise of trusted executables.
Attribution and Related Threats
Cisco Talos has not identified a specific threat actor, but notes tactical similarities between Dohdoor and Lazarloader, a downloader previously linked to the North Korean Lazarus Group (source).
While Lazarus typically targets cryptocurrency and defense sectors, UAT‑10027’s focus on education and healthcare aligns with other North Korean APT activities:
- Maui ransomware – used against healthcare organizations (source).
- Kimsuky – known for targeting the education sector (source).
These overlaps suggest possible influence or shared tooling among North Korean threat groups, though definitive attribution remains uncertain.