UAT-10027 Hits U.S. Education and Healthcare with Dohdoor

By alex2404

Sophisticated threat actors have long exploited trusted infrastructure to mask malicious traffic, but a newly identified cluster takes that approach further by combining DNS-over-HTTPS tunneling with memory-resident payload delivery against sectors that handle sensitive personal data.

Cisco Talos is tracking the cluster under the designation UAT-10027, attributing it to an active campaign against U.S. education and healthcare organizations running at least since December 2025. The campaign delivers a previously undocumented backdoor the researchers call Dohdoor, according to the announcement.

The precise initial access method remains unconfirmed, though Talos assesses it likely involves a social-engineering phishing lure that triggers a PowerShell script. That script retrieves a Windows batch file from a remote staging server, which in turn downloads a malicious DLL — named either “propsys.dll” or “batmeter.dll”. The DLL is loaded for execution by hijacking legitimate Windows binaries including “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe” through DLL side-loading, a technique that exploits the trust Windows extends to signed executables.
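The side-loading step above gives defenders a concrete hunting rule: “propsys.dll” and “batmeter.dll” are names of genuine Windows system DLLs, so a module with one of those names being mapped from anywhere other than the system directories, especially by one of the host binaries Talos names, is worth triage. The following is an added example (not Talos tooling) that applies that rule to Sysmon-style image-load records; the records are constructed, and the assumption that the genuine DLLs live only under System32/SysWOW64 is the example’s own.

```python
"""Flag candidate DLL side-loads in Sysmon-style image-load records.

Added example, not code from the Talos report. The records below are
constructed; the DLL and host-binary names come from the article.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Malicious DLL names and the signed Windows binaries abused to load them,
# as named in the article.
WATCHED_DLLS = {"propsys.dll", "batmeter.dll"}
WATCHED_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}

# Assumption: the genuine copies of these DLLs live only in the Windows
# system directories, so a copy loaded from anywhere else is the signal.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (cf. Sysmon Event ID 7 fields Image/ImageLoaded)."""
    process_image: str  # full path of the process that loaded the module
    image_loaded: str   # full path of the DLL that was mapped


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dirname(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify(event: ImageLoad) -> Optional[str]:
    """Return a verdict for a suspicious load, or None if it looks benign."""
    if _basename(event.image_loaded) not in WATCHED_DLLS:
        return None
    if _dirname(event.image_loaded) in TRUSTED_DLL_DIRS:
        return None  # the legitimate system copy
    if _basename(event.process_image) in WATCHED_HOSTS:
        return "sideload-known-host"  # matches a host binary Talos observed
    return "sideload-unknown-host"    # same DLL name, different host: still triage


def find_sideloads(events: List[ImageLoad]) -> List[Tuple[str, ImageLoad]]:
    """Return (verdict, event) pairs for every load that classify() flags."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event))
    return hits


# Constructed sample events: one benign system load, two side-loads by the
# named hosts, one side-load by an unrelated host, one benign host load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\propsys.dll"),
    ImageLoad(r"C:\Users\Public\Libraries\Fondue.exe", r"C:\Users\Public\Libraries\propsys.dll"),
    ImageLoad(r"C:\Users\Public\Libraries\mblctr.exe", r"C:\Users\Public\Libraries\batmeter.dll"),
    ImageLoad(r"C:\ProgramData\update\svc.exe", r"C:\ProgramData\update\propsys.dll"),
    ImageLoad(r"C:\Windows\System32\mblctr.exe", r"C:\Windows\System32\batmeter.dll"),
]

if __name__ == "__main__":
    for verdict, event in find_sideloads(SAMPLE_EVENTS):
        print(f"{verdict}: {event.process_image} -> {event.image_loaded}")
```

The check keys on the DLL’s directory rather than on the host binary alone, because the same legitimate executables can be copied anywhere; what does not change is that the real propsys.dll and batmeter.dll are only expected under the system directories.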

How Dohdoor Evades Detection

Once active, Dohdoor uses DNS-over-HTTPS to route its command-and-control communications through Cloudflare infrastructure, making outbound traffic appear as standard HTTPS requests to a globally trusted IP range. Talos security researchers Alex Karkins and Chetan Raghuprasad note that this approach bypasses DNS sinkholes, DNS-based detection systems, and network traffic analysis tools that monitor for suspicious domain lookups. The implant also unhooks system calls within NTDLL.dll to neutralize endpoint detection and response solutions that rely on user-mode API monitoring.
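Because DoH hides the lookups from DNS-layer sensors, the place to look is the HTTPS layer: a request to a public DoH endpoint, to the conventional /dns-query path, carrying the RFC 8484 application/dns-message media type, or using the GET form’s ?dns= parameter is a DNS query regardless of the destination’s reputation. The following added example (not Talos tooling) runs those checks over constructed web-proxy log lines; the simple space-separated log format and the resolver list are the example’s own assumptions.

```python
"""Spot DNS-over-HTTPS use in web-proxy logs.

Added example, not Talos tooling. The log lines are constructed in a simple
space-separated format (timestamp, client, method, URL, status, request
content type); adapt LINE_RE to a real proxy's format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Public DoH endpoints (example values; extend from your own lists).
DOH_RESOLVERS = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one",
    "1.1.1.1", "1.0.0.1", "dns.google",
}
DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass(frozen=True)
class ProxyRecord:
    ts: str
    src: str
    method: str
    url: str
    status: int
    ctype: str  # request Content-Type, "-" when absent


def parse_line(line: str) -> Optional[ProxyRecord]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than abort the sweep
    d = m.groupdict()
    return ProxyRecord(d["ts"], d["src"], d["method"], d["url"], int(d["status"]), d["ctype"])


def doh_indicators(rec: ProxyRecord) -> List[str]:
    """Independent signals that a request is a DoH query; any one is enough."""
    parts = urlsplit(rec.url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in DOH_RESOLVERS:
        hits.append("known-doh-resolver")
    if parts.path == "/dns-query":
        hits.append("dns-query-path")          # exact match, not a prefix
    if rec.ctype.lower() == DOH_CONTENT_TYPE:
        hits.append("dns-message-content-type")
    if rec.method == "GET" and "dns=" in parts.query:
        hits.append("dns-query-param")         # RFC 8484 GET form: ?dns=<base64url>
    return hits


def flagged_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Count DoH-looking requests per client address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and doh_indicators(rec):
            counts[rec.src] += 1
    return dict(counts)


# Constructed sample log: one client doing DoH over Cloudflare, one client
# using the JSON API on 1.1.1.1, one benign lookalike path, one bad line.
SAMPLE_LOG = """\
2026-01-15T10:02:09Z 10.0.4.23 GET https://www.example.com/ 200 -
2026-01-15T10:02:11Z 10.0.4.23 POST https://cloudflare-dns.com/dns-query 200 application/dns-message
2026-01-15T10:02:12Z 10.0.4.23 POST https://cloudflare-dns.com/dns-query 200 application/dns-message
2026-01-15T10:02:14Z 10.0.4.23 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA2NkbgAAAQAB 200 -
2026-01-15T10:02:20Z 10.0.7.8 GET https://1.1.1.1/dns-query?name=example.com&type=A 200 -
2026-01-15T10:02:21Z 10.0.9.1 GET https://www.example.org/dns-query-faq 200 -
this line is not a proxy record
""".splitlines()

if __name__ == "__main__":
    for src, n in flagged_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} DoH-looking request(s)")
```

Two caveats apply. A client that bypasses the proxy, or an implant that uses a resolver not on the list, produces nothing here, so the proxy rule should sit beside endpoint telemetry (which processes open these connections) and an egress policy that permits DNS only via the internal resolver. And a match is only a lead: browsers and some OS components use DoH legitimately, so the interesting finding is DoH from a host or process that has no business doing its own resolution.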

Beyond establishing persistence, Dohdoor retrieves a next-stage payload directly into the victim’s memory — a technique that avoids writing files to disk. Talos assesses that payload to be a Cobalt Strike Beacon, used to maintain backdoor access inside the compromised environment. No evidence of data exfiltration has been identified to date.

Victimology and Attribution

Raghuprasad told a technical publication that infected targets include a university connected to several other institutions, suggesting a broader potential attack surface, alongside at least one elderly care facility. The researcher characterizes UAT-10027’s likely motive as financial, based on the victimology pattern, though no final payloads confirming that assessment have been observed beyond the Cobalt Strike implant.

Attribution remains unresolved. Talos identified technical overlaps between Dohdoor and LazarLoader, a downloader previously linked to North Korea’s Lazarus Group in attacks targeting South Korea. The firm notes, however, that the campaign’s sector focus — education and healthcare — diverges from Lazarus’s documented concentration on cryptocurrency and defense targets. Talos does draw a parallel to other North Korean activity: the Kimsuky group has targeted education, and a separate North Korean actor deployed Maui ransomware against healthcare organizations, leaving the cluster’s precise origin unresolved but the contextual overlap notable.


This article is a curated summary based on third-party sources.
