UAT-10027 Targets US Education and Health Care with Dohdoor Backdoor

A previously undocumented threat cluster is said to be behind an ongoing malicious campaign targeting the education and healthcare sectors in the US since at least December 2025.
Cisco Talos is tracking the campaign under the moniker UAT-10027. Its ultimate goal is to deliver a never-before-seen backdoor codenamed Dohdoor.
“Dohdoor uses a DNS-over-HTTPS (DoH) method to communicate with command-and-control (C2) and has the ability to download and execute other payload binaries,” said security researchers Alex Karkins and Chetan Raghuprasad in a technical report shared with Hacker News.
While the initial access vector used in the campaign is currently unknown, it is suspected to involve social engineering techniques that lead to the execution of a PowerShell script.
The script then downloads and executes a Windows batch script from a remote staging server, which in turn downloads a malicious Windows dynamic-link library (DLL) named “propsys.dll” or “batmeter.dll.”
The DLL payload, that is, Dohdoor, is loaded by legitimate Windows executables (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique called DLL side-loading. The backdoor access provided by the implant is then used to retrieve the next-stage payload directly into memory on the victim’s machine and execute it. That payload has been assessed to be a Cobalt Strike Beacon.
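The side-loading layout described above (a renamed copy of a legitimate host executable sitting next to a malicious DLL carrying a system DLL’s name) can be hunted for with a simple inventory check. The script below is an added example, not Talos code; the file names come from the report, while the trusted-directory list and the sample inventory are constructed assumptions.

```python
"""Hunt for the DLL side-loading artifacts named in the Talos UAT-10027 report.

Added example, not Talos code. Given a file inventory (constructed below),
it flags the report's DLL names outside the Windows system directories and
raises confidence when one of the named host executables sits beside them.
"""
from pathlib import PureWindowsPath

# File names taken from the report; the trusted-directory list is an assumption.
SIDELOADED_DLLS = {"propsys.dll", "batmeter.dll"}
HOST_EXES = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def is_trusted_location(path: str) -> bool:
    """True when the path lies under a directory these DLLs legitimately live in."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def hunt_sideload(paths):
    """Return {directory: {"dll": [...], "exe": [...], "confidence": str}}.

    A directory is reported when it holds one of the named DLLs outside a
    trusted location. If a named host executable sits in the same directory
    the pair is marked "high" (classic side-loading layout), else "medium".
    """
    by_dir = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if is_trusted_location(raw) or (name not in SIDELOADED_DLLS and name not in HOST_EXES):
            continue
        entry = by_dir.setdefault(str(p.parent).lower(), {"dll": [], "exe": []})
        entry["dll" if name in SIDELOADED_DLLS else "exe"].append(name)
    hits = {}
    for d, e in by_dir.items():
        if e["dll"]:  # a stray host EXE on its own is not enough to report
            hits[d] = {"dll": sorted(e["dll"]), "exe": sorted(e["exe"]),
                       "confidence": "high" if e["exe"] else "medium"}
    return hits


# Constructed inventory: legitimate copies in System32 plus two staged directories.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\propsys.dll",
    r"C:\Windows\System32\fondue.exe",
    r"C:\Windows\System32\mblctr.exe",
    r"C:\Users\Public\Libraries\propsys.dll",
    r"C:\Users\Public\Libraries\fondue.exe",
    r"C:\ProgramData\Cache\batmeter.dll",
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for d, hit in hunt_sideload(SAMPLE_INVENTORY).items():
        print(f"{hit['confidence']:6} {d}: dll={hit['dll']} exe={hit['exe']}")
```

Feed it a real file listing (for example the output of a host inventory export) in place of `SAMPLE_INVENTORY`; a “high” hit still needs triage, since some installers legitimately ship private copies of system DLLs.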
“The threat actor hides the C2 servers behind Cloudflare’s infrastructure, ensuring that all communications from the victim’s machine appear as legitimate HTTPS traffic to a trusted global IP address,” Talos said.

“This strategy bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor for suspicious domain lookups, ensuring that the malware’s C2 communications remain hidden from traditional network security infrastructure.”
Dohdoor was also found to issue system calls in a way that bypasses endpoint detection and response (EDR) products that monitor Windows API calls through user-mode hooks in NTDLL.dll.
Raghuprasad told Hacker News that, “the attacker infected several educational institutions, including a university affiliated with several other institutions, indicating the possibility of a widespread attack. Additionally, one of the affected organizations was a health center, which specializes in elderly care.”
Analysis of the campaign has not revealed evidence of data exfiltration to date. Although no final payload has been observed other than what appears to be a Cobalt Strike Beacon delivered to the victim, the actions of UAT-10027 are believed to be financially motivated, based on the pattern of victimology, the researchers said.
It is not yet clear who is behind UAT-10027, but Cisco Talos said it found some similarities between Dohdoor and LazarLoader, a downloader identified as being used by the North Korean hacker group Lazarus in attacks targeting South Korea.
“Although the UAT-10027 malware shares technical overlap with the Lazarus group, the campaign’s focus on the education and healthcare sectors deviates from Lazarus’ traditional cryptocurrency targeting and protection profile,” Talos concluded.
“However, […] North Korean APT players targeted the healthcare sector with the Maui ransomware, while another North Korean APT group, Kimsuky, targeted the education sector, highlighting the overlap between UAT-10027 and other North Korean APTs.”