Dohdoor Backdoor
A previously undocumented threat activity cluster has been linked to an ongoing malicious campaign targeting the education and healthcare sectors across the United States since at least December 2025. Security researchers are tracking this activity under the designation UAT-10027. The primary objective of the campaign is to deploy a newly identified backdoor known as Dohdoor.
Multiple educational institutions have already been compromised, including a university with connectivity to several affiliated institutions, suggesting a potentially expanded attack surface. A healthcare facility specializing in elderly care has also been confirmed as a victim, underscoring the sector-specific focus of the operation.
Infection Chain and Malware Deployment
Although the precise initial access vector remains undetermined, investigators suspect the campaign begins with social engineering–based phishing tactics that ultimately trigger the execution of a malicious PowerShell script.
The infection sequence unfolds in multiple stages:
- The PowerShell script retrieves and executes a Windows batch file from a remote staging server.
- The batch file then downloads a malicious DLL file, typically named propsys.dll or batmeter.dll.
- The DLL, identified as Dohdoor, is executed through DLL side-loading using legitimate Windows binaries such as Fondue.exe, mblctr.exe, or ScreenClippingHost.exe.
- Once active, the backdoor pulls a secondary payload directly into memory and executes it, assessed to be a Cobalt Strike Beacon.
This multi-layered execution chain demonstrates deliberate efforts to blend malicious components with trusted system processes to evade detection.
Covert Command-and-Control Infrastructure
Dohdoor leverages DNS-over-HTTPS (DoH) to manage Command-and-Control (C2) communications. By encrypting DNS queries within HTTPS traffic, the malware conceals its communications within seemingly legitimate encrypted web traffic.
The threat actor further obscures infrastructure by routing C2 servers through Cloudflare's network. As a result, outbound communications from compromised systems appear as standard HTTPS traffic directed toward a trusted global IP address.
This approach effectively bypasses traditional defensive mechanisms, including:
- DNS-based detection systems and DNS sinkholes
- Network monitoring tools that flag suspicious domain lookups
- Conventional traffic analysis solutions reliant on visible DNS queries
In addition to network evasion techniques, Dohdoor actively unhooks system calls in NTDLL.dll to circumvent endpoint detection and response (EDR) solutions that rely on user-mode API monitoring. This capability significantly reduces the likelihood of behavioral detection at the endpoint level.
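The two observable behaviours above, a report-named DLL side-loaded by Fondue.exe, mblctr.exe or ScreenClippingHost.exe and HTTPS to a public DoH resolver from a process that has no reason to use one, can be hunted in Sysmon-style telemetry. The following is an added example, not code from the report or from any vendor tooling; the resolver list, the browser allow-list, the trusted directories and the sample events are assumptions and constructed data.

```python
"""Hunt helpers for the Dohdoor side-loading chain and DoH beaconing.

Events are dicts shaped like Sysmon Event ID 7 (ImageLoad) and
Event ID 3 (NetworkConnect) fields. All sample data is constructed."""
import ntpath  # handles backslash paths regardless of the host OS

# Side-load hosts and DLL names taken from the report.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Where the legitimate copies live (assumption: default Windows layout).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Public DoH resolvers (assumption: extend with the ones seen in your environment).
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Processes for which DoH is expected (assumption: browsers with built-in DoH).
DOH_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe"}

def flag_sideload(ev):
    """Event ID 7: a known side-load host loading a report-named DLL from outside System32."""
    host = ntpath.basename(ev["Image"]).lower()
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower().rstrip("\\")
    if host in SIDELOAD_HOSTS and dll in SIDELOAD_DLLS and dll_dir not in TRUSTED_DIRS:
        return f"sideload: {host} loaded {ev['ImageLoaded']}"
    return None

def flag_doh(ev):
    """Event ID 3: port 443 to a public DoH resolver from a non-browser process."""
    proc = ntpath.basename(ev["Image"]).lower()
    dest = ev.get("DestinationHostname", "").lower()
    if ev.get("DestinationPort") == 443 and dest in DOH_RESOLVERS and proc not in DOH_ALLOWED:
        return f"doh: {proc} -> {dest}"
    return None

def hunt(events):
    """Return the findings for a mixed stream of Sysmon-style events."""
    checks = {7: flag_sideload, 3: flag_doh}
    findings = []
    for ev in events:
        hit = checks.get(ev["EventID"], lambda _e: None)(ev)
        if hit:
            findings.append(hit)
    return findings

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 7, "Image": r"C:\Windows\System32\Fondue.exe", "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Fondue.exe", "ImageLoaded": r"C:\Users\Public\propsys.dll"},
    {"EventID": 3, "Image": r"C:\Users\Public\mblctr.exe", "DestinationPort": 443, "DestinationHostname": "cloudflare-dns.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": 443, "DestinationHostname": "dns.google"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The legitimate System32 copy of propsys.dll and the browser's DoH lookup are deliberately included so the rules show their false-positive boundary.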
Operational Objectives and Financial Motivation
At present, no confirmed evidence of data exfiltration has been identified. Aside from the deployment of Cobalt Strike Beacon as a follow-on payload, no additional final-stage malware has been observed.
Despite the absence of ransomware or data theft activity so far, analysts assess that the campaign is likely financially motivated. This conclusion is based on the victimology pattern and the deployment of tooling commonly associated with post-exploitation frameworks used in monetization-driven intrusions.
Attribution Analysis and North Korean Overlaps
The identity of the group behind UAT-10027 remains unknown. However, researchers have identified tactical similarities between Dohdoor and LazarLoader, a downloader previously attributed to the North Korean threat group Lazarus.
While technical overlaps with Lazarus-linked malware exist, the campaign's focus on education and healthcare diverges from Lazarus' traditional targeting of cryptocurrency platforms and defense-related entities.
Nevertheless, historical activity from North Korean advanced persistent threat (APT) actors reveals partial victimology alignment. For example, North Korean operators have deployed Maui ransomware against healthcare organizations, and the group Kimsuky has targeted educational institutions. These precedents highlight thematic overlaps with UAT-10027's targeting profile, though no definitive attribution has been established.
The combination of sophisticated evasion techniques, selective sector targeting, and infrastructure concealment positions UAT-10027 as a significant and evolving threat requiring heightened vigilance across critical service sectors.