Full Report
A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor. "Dohdoor utilizes the DNS-over-HTTPS (DoH)
Analysis Summary
# Threat Actor: UAT-10027
## Attribution & Identity
* **Identification:** Previously undocumented threat activity cluster.
* **Aliases and Associated Groups:**
  * Tracked by Cisco Talos as **UAT-10027**.
  * Tactical similarities noted with **Lazarloader** (linked to the North Korean hacking group Lazarus Group), particularly in malware behavior.
  * Victimology shows overlap with tactics used by other North Korean APTs, such as **Maui ransomware** targeting healthcare and **Kimsuky** targeting education.
* **Caveat:** Attribution is not definitive; the targeting profile (US Education/Healthcare) deviates from Lazarus Group's typical cryptocurrency/defense focus.
## Activity Summary
* **Recent Campaigns and Operations:** Ongoing malicious campaign tracked since at least December 2025.
* **Objective:** To deliver the novel backdoor, **Dohdoor**.
## Tactics, Techniques & Procedures
- **Initial Access (Suspected):** Social engineering phishing techniques leading to the execution of a PowerShell script.
- **Execution:**
  - PowerShell script downloads and runs a Windows batch script from a remote staging server.
  - The batch script downloads a malicious DLL (`propsys.dll` or `batmeter.dll`).
  - The Dohdoor DLL is launched via **DLL side-loading** using legitimate Windows executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`). (MITRE ATT&CK ID: T1574.001)
- **Command and Control (C2):** Utilizes **DNS-over-HTTPS (DoH)** communication for C2, appearing as legitimate HTTPS traffic to trusted IPs via Cloudflare infrastructure. This bypasses DNS-based detection and network traffic analysis.
- **Defense Evasion:** Dohdoor unhooks system calls to bypass EDR solutions that monitor Windows API calls via user-mode hooks in NTDLL.dll.
- **Post-Exploitation:** The implant retrieves a next-stage payload (assessed to be a **Cobalt Strike Beacon**) directly into victim memory for execution.
## Targeting
- **Sectors:** Education and Healthcare.
- **Geography:** United States (U.S.).
- **Victims:** Specific organizations are not named in the summary, but the sectors are clearly defined.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Dohdoor:** A never-before-seen backdoor utilized for C2 and payload delivery.
  - **Cobalt Strike Beacon:** Used as a suspected next-stage payload.
- **Infrastructure (C2, domains, IPs):**
  - C2 servers are hidden behind **Cloudflare infrastructure**.
  - Remote staging servers are used to host the initial batch script and DLLs.
## Implications
The use of DoH for C2 combined with DLL side-loading and system call unhooking indicates a sophisticated adversary focused on stealth and deep persistence within critical U.S. sectors. The use of Cloudflare infrastructure provides significant obfuscation against traditional network security monitoring tools. The actor's potential links to North Korean threat groups, despite the current shift in targeting, warrant high-priority analysis.
## Mitigations
- **Network Visibility:** Implement deep packet inspection or full-session recording to analyze encrypted traffic, specifically looking for anomalous DoH requests or traffic patterns inconsistent with standard browser behavior, even when routed through Cloudflare.
- **Endpoint Security:** Deploy EDR solutions capable of monitoring and alerting on API call hooking/unhooking activities within `NTDLL.dll` or process memory manipulation.
- **Execution Control:** Implement strict controls over DLL loading (e.g., application control, strong signature validation) to mitigate DLL side-loading risks.
- **Initial Access:** Enhance user training focused on identifying social engineering and phishing to prevent the initial execution of PowerShell scripts.
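As an added illustration of the Endpoint Security and Network Visibility points above (example code written for this summary, not from Cisco Talos or the report), the following sketch triages Sysmon-style image-load and network-connection events for the two TTPs the summary describes: the named DLLs loaded by the named side-loading hosts from outside the Windows system directories, and HTTPS connections to Cloudflare DoH endpoints from processes that are not browsers. The DLL and executable names come from the summary; the trusted-directory rule, the DoH resolver set, the browser allowlist, and all sample events are assumptions constructed here.

```python
"""Triage constructed Sysmon-style events for the side-loading and DoH C2 TTPs."""
from dataclasses import dataclass
from typing import List

# DLL and host-executable names are taken from the summary.
SIDELOADED_DLLS = {"propsys.dll", "batmeter.dll"}
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
# Assumption: legitimate copies of these DLLs live only under the system directories.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Cloudflare's public DoH endpoints; extend with any other resolver you permit.
DOH_RESOLVERS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
# Assumption: only these processes are expected to speak DoH on a workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class Event:
    kind: str      # "image_load" or "net_conn"
    process: str   # image name of the acting process
    target: str    # loaded DLL path, or destination host/IP
    port: int = 0  # destination port for net_conn events

def is_sideload(ev: Event) -> bool:
    """Named DLL loaded by a known side-load host from a non-system directory."""
    if ev.kind != "image_load":
        return False
    path = ev.target.lower()
    name = path.rsplit("\\", 1)[-1]
    return (ev.process.lower() in SIDELOAD_HOSTS
            and name in SIDELOADED_DLLS
            and not path.startswith(TRUSTED_DLL_DIRS))

def is_suspect_doh(ev: Event) -> bool:
    """HTTPS to a DoH resolver from a process that should not be resolving names."""
    return (ev.kind == "net_conn" and ev.port == 443
            and ev.target.lower() in DOH_RESOLVERS
            and ev.process.lower() not in BROWSERS)

def triage(events: List[Event]) -> List[str]:
    alerts = []
    for ev in events:
        if is_sideload(ev):
            alerts.append(f"sideload: {ev.process} loaded {ev.target}")
        if is_suspect_doh(ev):
            alerts.append(f"doh-c2: {ev.process} -> {ev.target}:{ev.port}")
    return alerts

SAMPLE = [  # constructed events: one benign pair and one suspicious pair
    Event("image_load", "mblctr.exe", r"C:\Users\u\AppData\Local\Temp\propsys.dll"),
    Event("image_load", "explorer.exe", r"C:\Windows\System32\propsys.dll"),
    Event("net_conn", "mblctr.exe", "cloudflare-dns.com", 443),
    Event("net_conn", "msedge.exe", "cloudflare-dns.com", 443),
]
```

Running `triage(SAMPLE)` yields two alerts, both on `mblctr.exe`; the `explorer.exe` and `msedge.exe` events are left alone.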