Full Report
Cisco Talos discovered an ongoing malicious campaign, active since at least December 2025, by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”
Analysis Summary
# Threat Actor: UAT-10027
## Attribution & Identity
**Actor Identification:** UAT-10027.
**Known Aliases/Associated Groups:** The actor's malware, Dohdoor, exhibits strong technical overlap with tooling used by the North Korean APT group Lazarus: a custom XOR-SUB decryption routine (using the constant 0x26) and NTDLL unhooking code similar to that of older Lazarloader variants. However, the observed victimology deviates from Lazarus' typical focus, so the overlap is in code rather than a confirmed attribution.
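To show how an analyst approaches a string decoder that is described only as "XOR-SUB with a position-dependent step and the constant 0x26", here is an added example (not Dohdoor's routine and not Talos code) that brute-forces candidate operation orders against an encrypted blob and ranks the outputs by printability. The four schemes, the printability threshold and the sample blob (built by `encode_sample`, which is simply the inverse of the first scheme) are assumptions; the real routine's operation order is not given on this page.

```python
"""Candidate-scheme search for an XOR/SUB string decoder with a
position-dependent term.  Added illustration of the analyst technique, not
Dohdoor's code: the page only says the decoder combines XOR and SUB with a
position-dependent step and the constant 0x26, so the four operation orders
tried below are assumptions, and the sample blob is constructed here."""
from itertools import product

CANDIDATE_CONSTANTS = (0x26,)  # the only constant the report names

# Each scheme maps (cipher byte c, position i, constant k) -> plain byte.
SCHEMES = {
    "xor_const_sub_index": lambda c, i, k: ((c ^ k) - i) & 0xFF,
    "sub_index_xor_const": lambda c, i, k: ((c - i) & 0xFF) ^ k,
    "sub_const_xor_index": lambda c, i, k: ((c - k) & 0xFF) ^ (i & 0xFF),
    "xor_index_sub_const": lambda c, i, k: ((c ^ (i & 0xFF)) - k) & 0xFF,
}


def decode(blob, scheme, k):
    f = SCHEMES[scheme]
    return bytes(f(c, i, k) for i, c in enumerate(blob))


def encode_sample(plain, k):
    # Inverse of "xor_const_sub_index"; used only to build constructed test data.
    return bytes((((p + i) & 0xFF) ^ k) for i, p in enumerate(plain))


def printable_ratio(data):
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return ok / len(data)


def rank_candidates(blob, constants=CANDIDATE_CONSTANTS, min_ratio=0.95, known_prefix=None):
    """Try every (scheme, constant) pair and return plausible decodings, best
    first.  Printability alone is a weak signal for short strings, so pass a
    known plaintext prefix (an API name, b"http") whenever one is available."""
    hits = []
    for name, k in product(SCHEMES, constants):
        out = decode(blob, name, k)
        if known_prefix is not None and not out.startswith(known_prefix):
            continue
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            hits.append((ratio, name, k, out))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


if __name__ == "__main__":
    # Constructed sample: a URL-like string encoded with the first scheme.
    blob = encode_sample(b"https://example.invalid/dns-query", 0x26)
    for ratio, name, k, out in rank_candidates(blob, known_prefix=b"http"):
        print(f"{name} k=0x{k:02x} ratio={ratio:.2f} -> {out!r}")
```

For short strings more than one scheme can yield fully printable output (the schemes differ only in where the position term is applied, so they diverge slowly for small offsets), which is why the search accepts a known prefix to filter candidates rather than trusting the printability score on its own. Widen `constants` to `range(256)` when the constant is unknown.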
## Activity Summary
UAT-10027 has been running an ongoing malicious campaign, active since at least December 2025. The campaign delivers a previously undisclosed backdoor named "Dohdoor" through a multi-stage attack chain, likely initiated via social engineering/phishing. The actor targets victims in the United States within the education and health care sectors.
## Tactics, Techniques & Procedures
- **Initial Access:** Likely achieved through social engineering phishing techniques leading to the execution of a PowerShell script.
- **Execution & Staging:** PowerShell script downloads and runs a Windows batch script from a remote staging server.
- **Payload Delivery & Execution (DLL Sideloading):** The batch script downloads a malicious DLL (Dohdoor), masquerading as legitimate system files (e.g., "propsys.dll" or "batmeter.dll"), and executes it by sideloading it into legitimate Windows executables (e.g., "Fondue.exe", "mblctr.exe", "ScreenClippingHost.exe").
- **C2 Communication & Evasion:** Uses DNS-over-HTTPS (DoH) primarily leveraging Cloudflare's DNS service to resolve C2 domains, establishing an HTTPS tunnel to the Cloudflare edge network as a communications front.
- **Secondary Payloads:** Once established, Dohdoor can download next-stage payloads (such as Cobalt Strike Beacon) and execute them reflectively in the memory of legitimate Windows processes (e.g., ImagingDevices.exe), potentially via process hollowing.
- **Evasion/Obfuscation:** Misuses Living-Off-The-Land Binaries (LOLBins). Evades detection by fronting C2 with Cloudflare, using irregular capitalization in domain names under non-traditional TLDs (.OnLiNe, .DeSigN, .SoFTWARe), and using subdomain labels that mimic legitimate software updates. DNS names are case-insensitive, so the mixed case only defeats case-sensitive string matching; it has no effect on resolution.
- **Anti-Forensics:** The batch dropper deletes the Run dialog history (the RunMRU key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), clears the clipboard, and deletes itself.
- **Code Similarities:** Utilizes custom XOR-SUB with position-dependent decryption and NTDLL unhooking techniques (shared with Lazarloader).
- **MITRE ATT&CK IDs (inferred from the description):** T1566 (Phishing), T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1574.001 (Hijack Execution Flow: DLL, which covers side-loading; T1574.002 in older ATT&CK versions), T1071.004 (Application Layer Protocol: DNS), T1027 (Obfuscated Files or Information), T1055 (Process Injection; T1055.012 for process hollowing), T1620 (Reflective Code Loading), T1070 (Indicator Removal, including T1070.004 File Deletion).
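The chain above maps directly onto Sysmon process-create (Event ID 1), image-load (Event ID 7) and remote-thread (Event ID 8) events. The following added example (not from the report) runs four rules over constructed records of that shape: a batch file launched by PowerShell from a staging directory, one of the named sideload hosts running outside its normal install root, one of the named DLLs loaded from outside the system directory, and a remote thread created in ImagingDevices.exe. Field names follow Sysmon; the sample paths and file names, the staging directories and the list of legitimate install roots are assumptions to tune to your environment.

```python
"""Detection logic for the Dohdoor delivery chain, run over constructed
Sysmon-style records.  Added example; the records, the rule thresholds and
the list of legitimate install roots are assumptions, not telemetry from
the report."""
import ntpath

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
INJECTION_TARGETS = {"imagingdevices.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# ScreenClippingHost.exe normally ships inside a packaged app under WindowsApps,
# so that root is treated as legitimate for the host binaries (assumption; tune
# to your build image).
LEGIT_HOST_ROOTS = SYSTEM_DIRS + (r"c:\program files\windowsapps",)
STAGING_DIRS = (r"c:\programdata", r"c:\users\public")


def parse_record(line):
    """'EID=7|Image=...|ImageLoaded=...' -> dict with lower-cased keys."""
    rec = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip().lower()] = value.strip()
    return rec


def _base(path):
    return ntpath.basename(path).lower()


def _under(path, roots):
    d = ntpath.dirname(path).lower()
    return any(d == r or d.startswith(r + "\\") for r in roots)


def evaluate(rec):
    """Return (rule_id, message) tuples for one record."""
    alerts = []
    eid = rec.get("eid")
    if eid == "1":  # process create
        image, parent = rec.get("image", ""), rec.get("parentimage", "")
        cmd = rec.get("commandline", "").lower()
        if _base(image) in SIDELOAD_HOSTS and not _under(image, LEGIT_HOST_ROOTS):
            alerts.append(("sideload_host_path", f"{_base(image)} started from {ntpath.dirname(image)}"))
        if (_base(parent) == "powershell.exe" and _base(image) == "cmd.exe"
                and ".bat" in cmd and any(s in cmd for s in STAGING_DIRS)):
            alerts.append(("staged_batch", f"PowerShell launched a batch file from a staging directory: {cmd}"))
    elif eid == "7":  # image load
        host, dll = rec.get("image", ""), rec.get("imageloaded", "")
        if (_base(host) in SIDELOAD_HOSTS and _base(dll) in SIDELOAD_DLLS
                and not _under(dll, SYSTEM_DIRS)):
            alerts.append(("sideload_dll", f"{_base(host)} loaded {dll} from outside the system directory"))
    elif eid == "8":  # create remote thread
        src, tgt = rec.get("sourceimage", ""), rec.get("targetimage", "")
        if _base(tgt) in INJECTION_TARGETS and _base(src) != _base(tgt):
            alerts.append(("remote_thread", f"{src} created a thread in {_base(tgt)}"))
    return alerts


def scan(lines):
    return [(rule, msg, line) for line in lines for rule, msg in evaluate(parse_record(line))]


# Constructed records following the chain the report describes; the paths and
# file names are made up for this example.
SAMPLE_RECORDS = [
    r"EID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -w hidden",
    r"EID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=cmd.exe /c C:\ProgramData\stage.bat",
    r"EID=1|Image=C:\ProgramData\mblctr.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=C:\ProgramData\mblctr.exe",
    r"EID=7|Image=C:\ProgramData\mblctr.exe|ImageLoaded=C:\ProgramData\batmeter.dll",
    r"EID=7|Image=C:\Windows\System32\mblctr.exe|ImageLoaded=C:\Windows\System32\batmeter.dll",
    r"EID=8|SourceImage=C:\ProgramData\mblctr.exe|TargetImage=C:\Windows\System32\ImagingDevices.exe",
]

if __name__ == "__main__":
    for rule, msg, _ in scan(SAMPLE_RECORDS):
        print(f"[{rule}] {msg}")
```

The fifth record (mblctr.exe in System32 loading the real batmeter.dll from System32) is the benign baseline and produces nothing; the path check, not the file name, is what separates the sideload from normal operation, since the malicious DLL deliberately carries a legitimate name.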
## Targeting
**Sectors:** Education and Health Care.
**Geography:** Predominantly the United States.
**Victims:** Specific organizations are not named in the summary provided; only the targeted sectors are.
## Tools & Infrastructure
**Malware Families Used:** Dohdoor (previously undisclosed backdoor/loader).
**Infrastructure:**
- C2 Infrastructure is hidden behind reputable cloud services, specifically Cloudflare.
- Observed seemingly legitimate processes used for sideloading (Fondue.exe, mblctr.exe, ScreenClippingHost.exe).
- Observed secondary payload execution via legitimate binaries like ImagingDevices.exe.
- **Observed C2 Subdomains/Domains:** Subdomains like “MswInSofTUpDloAd” and “DEEPinSPeCTioNsyStEM”.
- **Observed TLDs:** .OnLiNe, .DeSigN, and .SoFTWARe.
## Implications
UAT-10027 demonstrates advanced tradecraft centered on stealthy C2 communications (DoH via Cloudflare) and evasion (DLL sideloading, LOLBin misuse, and reflective payload execution). While Dohdoor shares technical DNA with Lazarus tooling, the actor's current focus on the education and health care sectors suggests espionage or high-impact disruptive objectives rather than the financial gain often associated with Lazarus operations. The deviation in victimology aligns more closely with other North Korean activity observed against these sectors.
## Mitigations
- Monitor DNS activity, including DNS-over-HTTPS (DoH). Enforce an internal resolver, block or proxy public DoH endpoints (for Cloudflare: 1.1.1.1, 1.0.0.1 and cloudflare-dns.com) except from sanctioned clients, and alert on DoH connections from processes that are neither a browser nor the OS DNS client. The C2 channel itself is HTTPS to the Cloudflare edge and looks like any other Cloudflare-fronted traffic at the network layer, so attribution has to come from process-level telemetry.
- Implement strict application allow-listing or equivalent controls so that legitimate executables cannot load untrusted DLLs, and alert when the sideload hosts named above (Fondue.exe, mblctr.exe, ScreenClippingHost.exe) run from, or load propsys.dll or batmeter.dll from, non-standard directories such as C:\ProgramData or C:\Users\Public.
- Tune EDR/XDR to detect process injection and memory manipulation, in particular NTDLL unhooking (a second copy of ntdll.dll mapped from disk, or writes to the loaded ntdll's code section) and reflective loading into processes such as ImagingDevices.exe.
- Scrutinize email filtering for highly obfuscated PowerShell or batch scripts delivered via seemingly benign attachments or links.
- Block traffic to newly registered domains under non-traditional TLDs (.online, .design, .software). Treat irregular casing as a string-level artifact only: normalize names to lowercase before matching, since DNS is case-insensitive and the mixed case exists to defeat case-sensitive signatures, not resolution.
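The first and last mitigations above (and the DoH and domain-casing tradecraft in the TTP list) can be turned into two small checks. This added example (not from the report) flags port-443 connections to Cloudflare's public DoH endpoints from processes that are not sanctioned DoH clients, and scores domain names only after lower-casing them so that irregular capitalization cannot hide a match. The allow-list of DoH clients, the update-themed word list, and the sample records and names (the registrable domain "constructed-example" is a placeholder, not an observed domain) are assumptions.

```python
"""Two checks from the mitigations list, run over constructed data: DoH
connections attributed to processes that should not be speaking DoH, and a
case-normalizing scorer for mixed-case domain names.  Added example; the
resolver list is Cloudflare's public DoH service, the client allow-list, the
word list and the sample records are assumptions."""
import ntpath

DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111",
                 "2606:4700:4700::1001", "cloudflare-dns.com"}
# Assumption: browsers and the Windows DNS client service (svchost.exe) are the
# only sanctioned DoH clients.
DOH_ALLOWED_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "svchost.exe"}
SUSPECT_TLDS = {"online", "design", "software"}
UPDATE_WORDS = ("upd", "upload", "patch", "inspect", "system")  # heuristic, assumption


def parse_record(line):
    rec = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip().lower()] = value.strip()
    return rec


def doh_alerts(lines):
    """Flag port-443 connections to a known DoH resolver from a non-sanctioned process."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("eid") != "3" or rec.get("destinationport") != "443":
            continue
        dest = {rec.get("destinationip", "").lower(), rec.get("destinationhostname", "").lower()}
        image = ntpath.basename(rec.get("image", "")).lower()
        matched = dest & DOH_RESOLVERS
        if matched and image not in DOH_ALLOWED_CLIENTS:
            alerts.append((image, rec.get("image", ""), sorted(matched)[0]))
    return alerts


def has_mixed_case(s):
    letters = [c for c in s if c.isalpha()]
    return any(c.islower() for c in letters) and any(c.isupper() for c in letters)


def domain_indicators(name):
    """Return (normalized_name, reasons).  DNS names are case-insensitive, so
    blocklist and signature matching must use the normalized form; the raw
    casing is kept only as one indicator among several."""
    raw = name.rstrip(".")
    norm = raw.lower()
    labels = norm.split(".")
    reasons = []
    if labels[-1] in SUSPECT_TLDS:
        reasons.append("tld:" + labels[-1])
    if has_mixed_case(raw):
        reasons.append("mixed-case")
    if any(w in labels[0] for w in UPDATE_WORDS):
        reasons.append("update-themed-label")
    return norm, reasons


def is_suspicious_domain(name):
    # Mixed case must co-occur with at least one content indicator, so a plainly
    # lower-cased "updates.example.software" is not flagged on its own.
    _, reasons = domain_indicators(name)
    return "mixed-case" in reasons and len(reasons) >= 2


# Constructed Sysmon EID 3 (network connect) records.
SAMPLE_CONNECTIONS = [
    r"EID=3|Image=C:\ProgramData\mblctr.exe|DestinationIp=1.1.1.1|DestinationPort=443",
    r"EID=3|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=1.1.1.1|DestinationPort=443",
    r"EID=3|Image=C:\Windows\System32\svchost.exe|DestinationIp=1.1.1.1|DestinationHostname=cloudflare-dns.com|DestinationPort=443",
    r"EID=3|Image=C:\ProgramData\mblctr.exe|DestinationIp=1.1.1.1|DestinationPort=53",
]
# Constructed names: the report's subdomain labels and TLD casing, with a
# placeholder registrable domain, plus two benign controls.
SAMPLE_NAMES = [
    "MswInSofTUpDloAd.constructed-example.OnLiNe",
    "DEEPinSPeCTioNsyStEM.constructed-example.DeSigN",
    "updates.example.software",
    "www.microsoft.com",
]

if __name__ == "__main__":
    for image, path, resolver in doh_alerts(SAMPLE_CONNECTIONS):
        print(f"DoH from non-sanctioned client {path} -> {resolver}")
    for name in SAMPLE_NAMES:
        print(name, is_suspicious_domain(name), domain_indicators(name)[1])
```

The fourth connection record (plain port-53 DNS straight to 1.1.1.1) is deliberately not matched by the DoH rule; it bypasses the enterprise resolver in its own way and deserves a separate rule. The domain scorer is a triage aid for names recovered from endpoint DoH logs or TLS SNI, not a blocklist: it is the lower-cased name that should be compared against threat intelligence.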