A previously unknown threat activity cluster has been attributed to an ongoing malicious campaign targeting the education and healthcare sectors in the US since at least December 2025.
The campaign is being tracked by Cisco Talos under the alias UAT-10027. The ultimate goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
“DohDoR uses DNS-over-HTTPS (DoH) technology for command-and-control (C2) communications and has the ability to reflexively download and execute other payload binaries,” security researchers Alex Carkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.
Although the initial access vector used in the campaign is not currently known, it is suspected to involve social engineering or phishing techniques that lead to the execution of a PowerShell script.
The script then downloads and runs a Windows batch script from a remote staging server, which in turn downloads a malicious Windows dynamic-link library (DLL) named “propsys.dll” or “batmeter.dll”.
The DLL payload, i.e., Dohdoor, is launched via a legitimate Windows executable (for example, “Fondue.exe,” “mblctr.exe,” or “ScreenClippingHost.exe”) using a technique called DLL side-loading. The backdoor access created by the implant is then used to retrieve the next-stage payload directly into the victim’s memory and execute it. That payload is suspected to be a Cobalt Strike Beacon.
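As an added illustration (not code from the Talos report), the following Python check runs over constructed Sysmon-style image-load events and flags the side-loading pattern described above: one of the named host binaries loading “propsys.dll” or “batmeter.dll” from anywhere other than the Windows system directories. The log format, the sample events and the trusted-directory list are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Host binaries and DLL names called out in the Talos write-up.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Where these DLLs legitimately live (assumption: a stock Windows install).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon-style image-load events (Key=Value pairs), not real telemetry.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\propsys.dll",
    r"Image=C:\Windows\System32\mblctr.exe ImageLoaded=C:\Windows\System32\batmeter.dll",
    r"Image=C:\Users\staff\AppData\Local\Temp\Fondue.exe ImageLoaded=C:\Users\staff\AppData\Local\Temp\propsys.dll",
    r"Image=C:\ProgramData\ScreenClippingHost.exe ImageLoaded=C:\ProgramData\batmeter.dll",
]

# Lazy match up to the next " Key=" so values containing spaces (e.g. "Program Files") survive.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key=Value' event line into a dict."""
    return dict(KV.findall(line))


def is_sideload(event: dict) -> bool:
    """True when a known side-loading host loads one of the named DLLs from an untrusted directory."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if host.name.lower() not in SIDELOAD_HOSTS or dll.name.lower() not in SIDELOAD_DLLS:
        return False
    # A load from System32/SysWOW64 is the normal search-order result; anything else is suspect.
    return str(dll.parent).lower() not in TRUSTED_DIRS


def find_sideloads(lines) -> list:
    """Return (host_path, dll_path) tuples for every event that looks like DLL side-loading."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_sideload(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {host} loaded {dll}")
```

The host binary itself may sit in System32 (as in the second sample event), so the check keys on the DLL's directory, not the host's.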
“The threat actor hides C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communications from the victim machine appear as legitimate HTTPS traffic to a trusted global IP address,” Talos said.
“This technology bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain undetected by traditional network security infrastructure.”
Dohdoor has also been found to unhook system calls in order to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls via user-mode hooks in ntdll.dll.
Raghuprasad told The Hacker News that, “The attacker infected multiple educational institutions, including a university that is connected to several other institutions, indicating a potentially wide attack surface. Additionally, one of the affected entities was a health care facility, specifically for elder care.”
Analysis of the campaign has revealed no evidence of data exfiltration to date. Although no final payload other than a Cobalt Strike Beacon has been observed on backdoored hosts in the victims’ environments, UAT-10027’s activities are believed to be financially motivated based on the victim patterns, the researchers said.
There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and LazarusLoader, a downloader previously used in attacks on South Korea by the North Korean hacking group Lazarus.
Talos concluded, “While UAT-10027’s malware shares technical overlap with the Lazarus group, the campaign’s focus on the education and health care sectors distracts from Lazarus’ specific profile of cryptocurrency and defense targeting.”
“However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlap in UAT-10027’s victimology with other North Korean APTs.”