A previously undocumented cyber threat activity cluster, identified as UAT-10027, has been linked to ongoing attacks targeting education and healthcare sectors in the United States since at least December 2025. Security researchers from Cisco Talos have attributed the campaign to a sophisticated backdoor, codenamed Dohdoor, designed to maintain persistent access to compromised systems while avoiding traditional detection mechanisms. The campaign’s initial infection vectors remain unconfirmed, though social engineering through phishing campaigns is suspected to be a key method for delivering malicious scripts that trigger further stages of the attack.
Dohdoor relies on DNS-over-HTTPS (DoH) for its command-and-control (C2) communications, a technique that lets it blend C2 traffic with legitimate HTTPS requests to trusted global IP addresses, effectively evading DNS-based detection and network monitoring systems. After initial access, a PowerShell script executes to download a Windows batch file from a remote server, which then facilitates the deployment of a malicious DLL named either “propsys.dll” or “batmeter.dll”. The DLL is executed via legitimate Windows executables using DLL side-loading, enabling the malware to load additional payloads, such as a Cobalt Strike Beacon, directly into memory without triggering typical security alerts. Researchers note that Dohdoor also unhooks system calls to bypass endpoint detection and response solutions that rely on monitoring Windows API calls, further enhancing its stealth capabilities.
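One defensive check that follows from the side-loading detail above, as an added example (not Talos's code or tooling): both DLL names belong to genuine Windows libraries that live in the system directories, so a load of either name from any other path is the side-loading signal worth alerting on. It assumes a default C:\Windows system root and a constructed, simplified one-line-per-event rendering of Sysmon image-load (Event ID 7) telemetry.

```python
from pathlib import PureWindowsPath

# DLL names the article reports Dohdoor using for side-loading.
DOHDOOR_DLL_NAMES = {"propsys.dll", "batmeter.dll"}
# Where the genuine Windows copies of these DLLs live (assumes the default
# system root C:\Windows). Loading one of the names from anywhere else means
# the legitimate executable picked up a planted copy instead.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed, simplified image-load telemetry (Sysmon Event ID 7 field names),
# not real logs from any victim network. Format: "Key: Value|Key: Value".
SAMPLE_EVENTS = [
    r"EventId: 7|Image: C:\Windows\explorer.exe|ImageLoaded: C:\Windows\System32\propsys.dll",
    r"EventId: 7|Image: C:\Users\Public\Updater\legit.exe|ImageLoaded: C:\Users\Public\Updater\propsys.dll",
    r"EventId: 7|Image: C:\Windows\SysWOW64\rundll32.exe|ImageLoaded: C:\Windows\SysWOW64\batmeter.dll",
    r"EventId: 7|Image: C:\ProgramData\Cache\host.exe|ImageLoaded: C:\ProgramData\Cache\batmeter.dll",
    r"EventId: 7|Image: C:\Users\Public\Updater\legit.exe|ImageLoaded: C:\Users\Public\Updater\helper.dll",
    r"EventId: 1|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine: powershell -nop",
]


def parse_event(line: str) -> dict:
    """Split one 'Key: Value|Key: Value' line into a dict (constructed format)."""
    return dict(field.split(": ", 1) for field in line.strip().split("|"))


def is_suspect_image_load(event: dict) -> bool:
    """True when an abused DLL name is loaded from outside the system directories."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() not in DOHDOOR_DLL_NAMES:
        return False
    parent = str(loaded.parent).lower().rstrip("\\")
    return parent not in TRUSTED_DIRS


def find_side_loads(lines):
    """Return (loading process, DLL path) pairs matching the side-loading pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventId") == "7" and is_suspect_image_load(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for image, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"possible side-load: {image} loaded {dll}")
```

A real deployment would read the same fields from the Sysmon event log or an EDR export rather than from the pipe-delimited lines used here.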
Analysis of affected systems revealed infections in multiple educational institutions, including one university network linked to several other institutions, as well as a healthcare facility focused on elderly care. Despite the widespread access, no evidence of data exfiltration has been observed so far. Security experts suggest that financial gain is a likely motivation behind the attacks, inferred from the pattern of targeted entities. While UAT-10027 shares some technical characteristics with LazarLoader, a known tool used by North Korean Lazarus Group actors, the campaign’s focus on education and healthcare diverges from Lazarus’ historical targeting of cryptocurrency platforms and defense organizations. Talos researchers note overlaps with previous North Korean APT activity, such as Maui ransomware campaigns in healthcare and Kimsuky targeting educational institutions, indicating potential parallels in operational methodology and victim selection.
Cisco Talos continues to monitor UAT-10027 closely and emphasizes the importance of strengthening defensive measures in the affected sectors. The campaign demonstrates how modern malware increasingly combines advanced obfuscation techniques with widely trusted infrastructure to remain undetected. Organizations in critical sectors are advised to maintain robust cybersecurity hygiene, including monitoring for unusual DNS-over-HTTPS traffic, validating executable integrity, and applying regular security updates. Awareness of phishing and social engineering techniques remains a critical line of defense, as initial compromise often leverages human behavior. Dohdoor’s deployment highlights the evolving landscape of targeted cyber campaigns and the need for coordinated threat intelligence, rapid response protocols, and proactive mitigation strategies to protect sensitive operational networks in education and healthcare.