Emerging Cyber Threat: UAT-10027 Deploys Dohdoor Backdoor in U.S. Education and Healthcare Sectors
A newly identified threat actor, designated UAT-10027 by Cisco Talos, has been actively targeting the education and healthcare sectors in the United States since at least December 2025. The campaign's primary objective is the deployment of a novel backdoor named Dohdoor.
Dohdoor leverages the DNS-over-HTTPS (DoH) protocol for its command-and-control (C2) communications, enabling it to download and execute additional payloads directly into the system’s memory. This method enhances the malware’s stealth and effectiveness.
While the exact method of initial access remains uncertain, the attackers are suspected of using social engineering and phishing to get a PowerShell script executed on the target system. That script downloads and runs a Windows batch script from a remote server, which in turn retrieves a malicious dynamic-link library (DLL), typically named propsys.dll or batmeter.dll.
The malicious DLL is executed through DLL side-loading: legitimate Windows executables such as Fondue.exe, mblctr.exe, or ScreenClippingHost.exe are abused to load the attacker's DLL in place of the genuine one. Once active, Dohdoor establishes a backdoor through which the attackers inject further payloads, notably the Cobalt Strike Beacon, directly into memory.
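The side-loading pattern described above can be hunted for in endpoint image-load telemetry. The following is an added example written for this article, not code from Cisco Talos or from the malware; the host-executable and DLL names come from the article, while the log format, the trusted-directory list and the sample records are constructed assumptions.

```python
# Added example: flag image-load records where one of the named host executables
# loads propsys.dll or batmeter.dll from outside the Windows system directories.
import ntpath

# Legitimate Windows executables named in the article as side-loading hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
# DLL names the article reports for the malicious library.
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Directories where genuine copies of these DLLs are expected (assumption).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def parse_event(line):
    """Parse a 'key=value|key=value' image-load record (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def is_suspicious_load(event):
    """True when a known host executable loads one of the named DLLs from
    outside the trusted system directories, i.e. a probable side-load."""
    image = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "").lower()
    if image not in SIDELOAD_HOSTS or ntpath.basename(loaded) not in SIDELOAD_DLLS:
        return False
    return ntpath.dirname(loaded) not in TRUSTED_DIRS

def find_sideloads(lines):
    """Return (host exe, loaded DLL path) for each suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_load(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample telemetry: one benign load, two side-loads, one unrelated process.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mblctr.exe|ImageLoaded=C:\Windows\System32\propsys.dll",
    r"Image=C:\Users\jdoe\AppData\Local\Temp\Fondue.exe|ImageLoaded=C:\Users\jdoe\AppData\Local\Temp\propsys.dll",
    r"Image=C:\ProgramData\sc\ScreenClippingHost.exe|ImageLoaded=C:\ProgramData\sc\batmeter.dll",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\propsys.dll",
]

if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {host} loaded {dll}")
```

A genuine copy of the host executable loading the DLL from System32 is not flagged; the same executable copied next to an attacker-supplied DLL in a user-writable directory is.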
To evade detection, the threat actors conceal their C2 servers behind Cloudflare’s infrastructure. This strategy ensures that outbound communications from the compromised machine appear as legitimate HTTPS traffic to trusted global IP addresses, effectively bypassing DNS-based detection systems and network traffic analysis tools.
Dohdoor also unhooks functions in NTDLL.dll to disable system call monitoring, thereby circumventing endpoint detection and response (EDR) solutions that rely on user-mode hooks to observe Windows API calls.
The campaign has compromised multiple educational institutions, including a university interconnected with several other institutions, suggesting a potentially extensive attack surface. Additionally, a healthcare facility specializing in elderly care has been affected.
To date, there is no evidence of data exfiltration. The observed deployment of the Cobalt Strike Beacon indicates that the attackers are establishing persistent access within the victim’s environment. The targeting pattern suggests that UAT-10027’s activities may be financially motivated.
While the exact identity of the perpetrators remains unknown, Cisco Talos has noted tactical similarities between Dohdoor and LazarLoader, a downloader previously associated with the North Korean hacking group Lazarus in attacks against South Korea. However, the focus on the education and healthcare sectors deviates from Lazarus’ typical targets, which often include cryptocurrency and defense industries.