- A new cyber-espionage campaign, UAT-10027, is actively targeting U.S. education and healthcare organizations.
- The attackers deploy a previously unseen backdoor called Dohdoor, which uses DNS-over-HTTPS (DoH) to hide its communications.
- While some technical overlaps with the North Korean Lazarus Group exist, the victim profile represents a potential shift in tactics.
A previously undocumented threat actor group has been deploying a new backdoor against the U.S. education and healthcare sectors since at least December 2025. Cisco Talos researchers track this activity cluster as UAT-10027, with a final payload named Dohdoor.
This novel malware utilizes DNS-over-HTTPS (DoH) for command-and-control, effectively disguising its traffic as legitimate web activity. Consequently, the backdoor can bypass traditional DNS-based security tools while downloading and executing further malicious code directly into a victim’s memory.
The initial infection chain likely begins with a phishing email that executes a PowerShell script. That script subsequently downloads a batch file from a remote server, leading to the final malicious DLL payload.
Attackers then use a legitimate Windows executable to load the Dohdoor DLL via DLL side-loading techniques. The infected system connects to command servers hidden behind the Cloudflare infrastructure for stealth.
Dohdoor also employs advanced evasion tactics, such as unhooking system calls to bypass endpoint detection. Meanwhile, analysts noted tactical similarities between Dohdoor and the Lazarloader downloader previously linked to the North Korean Lazarus Group.
However, UAT-10027’s focus on healthcare and education deviates from Lazarus’s typical cryptocurrency or defense targets. North Korean groups like Kimsuky have previously targeted the education sector, however, highlighting a possible overlap in victimology.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
