{"id":43982,"date":"2026-02-27T00:35:31","date_gmt":"2026-02-26T16:35:31","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/27\/uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor\/"},"modified":"2026-02-27T00:35:31","modified_gmt":"2026-02-26T16:35:31","slug":"uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/27\/uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor\/","title":{"rendered":"UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor"},"content":{"rendered":"
\"UAT-10027<\/a><\/div>\n

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.<\/p>\n

The campaign is being tracked by Cisco Talos under the moniker UAT-10027<\/strong>. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.<\/p>\n

“Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said<\/a> in a technical report shared with The Hacker News.<\/p>\n

Although the initial access vector used in the campaign is currently not known, it’s suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.<\/p>\n

The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that’s named “propsys.dll” or “batmeter.dll.”<\/p>\n

The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique referred to as DLL side-loading<\/a>. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.<\/p>\n

“The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said. <\/p>\n

\"UAT-10027<\/a><\/div>\n

“This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by traditional network security infrastructure.”<\/p>\n

Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll<\/a>.<\/p>\n

There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and Lazarloader<\/a>, a downloader<\/a> previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea.<\/p>\n

“While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” Talos concluded.<\/p>\n

“However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware<\/a>, and another North Korean APT group, Kimsuky<\/a>, has targeted the education sector<\/a>, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”<\/p>\n

<\/div>\n
Found this article interesting? Follow us on Google News<\/a>, Twitter<\/a> and LinkedIn<\/a> to read more exclusive content we post.<\/div>\n","protected":false},"excerpt":{"rendered":"

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-43982","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43982"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43982\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}