Using a multi-stage intrusion chain to establish covert persistence, the threat cluster tracked as UAT-10027 has been targeting healthcare and education institutions in the United States since at least December 2025. The campaign uses a newly observed backdoor named Dohdoor, which hides its command-and-control (C2) communications by abusing trusted infrastructure: queries travel over DNS-over-HTTPS (DoH) and the C2 endpoints sit behind Cloudflare's proxy.
The malware is typically delivered through suspected phishing activity and executed using PowerShell in combination with DLL side-loading. Once active, the backdoor loads Cobalt Strike Beacon directly in memory and uses endpoint detection and response (EDR) evasion techniques to stay resident. This activity presents significant operational and security risk and underlines the importance of monitoring encrypted traffic patterns and anomalous endpoint behaviour.
UAT-10027 initiates the infection chain through a suspected phishing vector that triggers the execution of a PowerShell script, which subsequently downloads a secondary batch file from a remote staging server. This batch file retrieves a malicious DLL payload, typically named propsys.dll or batmeter.dll.
The payload, referred to as Dohdoor, is executed through DLL side-loading using legitimate, signed Windows binaries such as Fondue.exe, mblctr.exe, or ScreenClippingHost.exe: the genuine executable is launched and resolves the attacker's DLL in place of the real one, so the malicious code runs inside a trusted Microsoft process and blends into legitimate system activity.
To keep its communications covert, Dohdoor establishes command-and-control channels over DNS-over-HTTPS, routing the encrypted traffic through Cloudflare-proxied infrastructure to bypass conventional DNS monitoring and network detection. The malware also incorporates defense-evasion mechanisms such as NTDLL unhooking, which lets it bypass user-mode EDR monitoring, and it can reflectively load further payloads, including Cobalt Strike Beacon, directly into memory. The stages of the campaign are discussed in more detail below.
Although definitive evidence of the initial access vector is limited, analysis indicates that phishing-based social engineering is the most likely entry point. The infection process is believed to begin when victims are manipulated into executing a malicious PowerShell script.
The script retrieves a secondary Windows batch file from remote staging infrastructure, which in turn downloads the malicious DLL payload (propsys.dll or batmeter.dll) onto the compromised host. The infection chain was identified as: phishing lure, PowerShell script, batch file fetched from the staging server, malicious DLL written to disk, DLL side-loaded by a legitimate Windows binary (Fondue.exe, mblctr.exe or ScreenClippingHost.exe), DoH command-and-control, and finally Cobalt Strike Beacon loaded reflectively in memory.
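The side-loading stage leaves a telemetry pattern that is easy to hunt for: a Windows component such as mblctr.exe running from somewhere other than System32, loading a DLL with a well-known Windows name (propsys.dll, batmeter.dll) from its own directory rather than from the system directory, and that DLL carrying no valid signature. The following is an added example, written for this page and not code from the report or from Talos; it runs the three heuristics over constructed Sysmon Event ID 7 (ImageLoad) records. The binary and DLL names are the ones named above; the drop directories, process IDs and the assumption of a default C:\Windows install are placeholders.

```python
import ntpath
from typing import Dict, List, Tuple

# Host binaries and DLL names from the report; matching is case-insensitive.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Assumption: default Windows install; adjust if %SystemRoot% lives elsewhere.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def classify_image_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 7 record looks like DLL side-loading.

    An empty list means the load looks benign under these heuristics.
    """
    image, loaded = event["Image"], event["ImageLoaded"]
    exe = ntpath.basename(image).lower()
    dll = ntpath.basename(loaded).lower()
    reasons = []

    # 1. The exact pairing from the report, with the DLL taken from somewhere other
    #    than the system directory where the genuine copy lives.
    if exe in SIDELOAD_HOSTS and dll in SIDELOAD_DLLS and not in_system_dir(loaded):
        reasons.append(f"{exe} loaded {dll} from outside the system directory")

    # 2. The host binary itself was copied out of System32. These are Windows
    #    components, and the DLL search order checks the executable's own directory
    #    before System32, which is why the look-alike DLL is placed beside a relocated copy.
    if exe in SIDELOAD_HOSTS and not in_system_dir(image):
        reasons.append(f"Windows binary {exe} running from {ntpath.dirname(image)}")

    # 3. A DLL with a well-known Windows name that carries no valid signature.
    signed = event.get("Signed", "").lower() == "true"
    if dll in SIDELOAD_DLLS and (not signed or event.get("SignatureStatus") != "Valid"):
        reasons.append(f"{dll} is not validly signed (Signed={event.get('Signed')}, "
                       f"SignatureStatus={event.get('SignatureStatus')})")
    return reasons


def hunt_sideloads(events) -> List[Tuple[int, List[str]]]:
    """Run the classifier over a stream of events and keep only those with findings."""
    hits = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            hits.append((int(ev["ProcessId"]), reasons))
    return hits


# Constructed sample records (not real telemetry); field names follow Sysmon Event ID 7.
# The drop directories are placeholders, not paths taken from the report.
CONSTRUCTED_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                      # genuine load
    {"ProcessId": "5572", "Image": r"C:\Users\Public\Libraries\mblctr.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\propsys.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},               # side-load
    {"ProcessId": "6036", "Image": r"C:\ProgramData\Update\Fondue.exe",
     "ImageLoaded": r"C:\ProgramData\Update\batmeter.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},               # side-load
    {"ProcessId": "912", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                      # unrelated
]

if __name__ == "__main__":
    for pid, reasons in hunt_sideloads(CONSTRUCTED_EVENTS):
        print(f"PID {pid}:")
        for reason in reasons:
            print("   ", reason)
```

The genuine mblctr.exe loading the genuine propsys.dll from System32 produces no finding, while the two relocated copies trip all three heuristics. Rule 2 on its own is the most portable: any of these Windows components executing from a user-writable path is worth a look regardless of which DLL it pulls in, and the same check generalises to other side-loading hosts by extending SIDELOAD_HOSTS.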
By leveraging DNS-over-HTTPS (DoH) to encrypt command-and-control communications, Dohdoor enables outbound traffic to appear as legitimate HTTPS traffic, allowing it to evade detection by traditional DNS inspection mechanisms and network monitoring solutions. Routing communications through Cloudflare-proxied infrastructure further obscures the true location of command servers and reduces the likelihood of domain blocking or sinkholing.
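What a DNS monitor loses with DoH is easiest to see by building a request. An RFC 8484 GET carries an ordinary DNS wire-format query, base64url-encoded, in the `dns=` parameter of an HTTPS URL to a resolver such as cloudflare-dns.com; on the wire this is just TLS to a popular host, and the queried name is only visible where TLS is terminated. The following is an added example written for this page, not code from the report: it constructs such a request, recovers the queried name from a logged URL, and flags DoH use by processes that are not expected to resolve names this way. The resolver list, the browser allowlist, the proxy log format and the name c2.example.net are assumptions for the example; the process names mblctr.exe and Fondue.exe are the side-loading hosts the report names.

```python
import base64
import struct
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: hostnames of public DoH resolvers to watch; extend with your own list.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}
# Assumption: processes that legitimately speak DoH (browsers with built-in DoH).
DOH_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_doh_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query (RFC 1035). ID is 0, as RFC 8484 recommends for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver: str, name: str) -> str:
    """The GET form of a DoH request: base64url without padding (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(build_doh_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Read the QNAME that follows the 12-byte header (queries use no name compression)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def qname_from_doh_url(url: str) -> Optional[str]:
    """Recover the queried name from a logged DoH GET URL; None if there is no dns= parameter."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:  # expect exactly one question
        return None
    return decode_qname(msg)


def is_doh_request(url: str, content_type: str) -> bool:
    parts = urlsplit(url)
    return (parts.hostname in KNOWN_DOH_HOSTS
            or parts.path.endswith("/dns-query")
            or content_type == "application/dns-message")


def find_suspect_doh(log_lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Flag DoH requests from processes that have no business resolving names over HTTPS.

    Each line is 'process method url content_type'. Returns (process, resolver, qname).
    """
    findings = []
    for line in log_lines:
        process, _method, url, content_type = line.split()
        if not is_doh_request(url, content_type) or process.lower() in DOH_ALLOWLIST:
            continue
        findings.append((process, urlsplit(url).hostname, qname_from_doh_url(url)))
    return findings


# Constructed TLS-inspecting proxy log (not real traffic); c2.example.net is a placeholder.
CONSTRUCTED_PROXY_LOG = [
    "msedge.exe GET " + doh_get_url("cloudflare-dns.com", "example.com") + " application/dns-message",
    "mblctr.exe GET " + doh_get_url("cloudflare-dns.com", "c2.example.net") + " application/dns-message",
    "OUTLOOK.EXE GET https://outlook.office.com/mail/inbox text/html",
    "Fondue.exe POST https://cloudflare-dns.com/dns-query application/dns-message",
]

if __name__ == "__main__":
    for process, resolver, qname in find_suspect_doh(CONSTRUCTED_PROXY_LOG):
        print(f"{process} -> {resolver} qname={qname or '(in POST body, not logged)'}")
```

Two caveats for real deployments: the name recovery only works where a TLS-terminating proxy logs the URL (and only for GET; a POST puts the message in the body, so the fourth line is flagged with no name), and Windows itself can use DoH through the DNS client service when an administrator has configured it, so the allowlist needs to reflect the environment rather than the example's three browsers.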
The backdoor also supports reflective DLL loading, enabling it to retrieve and execute additional payloads entirely in memory without writing files to disk. This capability significantly reduces forensic artifacts and minimizes opportunities for signature-based detection.
In addition to covert communications, Dohdoor incorporates defense-evasion mechanisms. By unhooking ntdll.dll, typically by overwriting the inline hooks an EDR has placed on the Nt* system call stubs in memory with the clean bytes from the on-disk copy, the malware sidesteps the user-mode API monitoring that endpoint detection and response platforms rely on, reducing behavioural visibility on compromised systems. The deployment of Cobalt Strike Beacon as a secondary payload brings extensive post-exploitation functionality, including persistence, lateral movement, credential harvesting, and remote command execution. Collectively, these capabilities indicate a mature intrusion toolkit designed for stealth, persistence, and operational resilience in targeted environments.
Although no definitive attribution has been established, researchers have identified tactical similarities between the Dohdoor toolkit and malware historically associated with the Lazarus Group. However, the victim profile observed in this campaign differs from Lazarus’ typical targeting priorities.
At the same time, targeting patterns partially overlap with activity previously attributed to Kimsuky, particularly in the education sector. While confirmation remains pending, these overlaps may indicate shared tooling, code reuse, or evolving tradecraft among North Korean-aligned threat actors.
The campaign, active since at least December 2025, primarily targets organizations in the United States, particularly within the healthcare and education sectors. Confirmed victims include universities connected to broader academic networks and healthcare institutions providing senior care services.
The interconnected nature of educational and healthcare ecosystems raises concerns about potential downstream compromises, as breaches within a single institution may expose affiliated networks and partner organizations.
UAT-10027 represents a sophisticated multi-stage intrusion campaign leveraging memory-resident payload execution, encrypted DNS communication channels, trusted cloud infrastructure, and advanced endpoint evasion techniques to maintain stealthy and persistent access.
The campaign's focus on healthcare and education institutions suggests both strategic intelligence interests and possible financial motivation. Organizations should prioritize monitoring of DNS-over-HTTPS traffic from processes that are not browsers, PowerShell activity that fetches and runs further stages, DLL side-loading behaviour (Windows binaries such as Fondue.exe, mblctr.exe or ScreenClippingHost.exe running from non-system paths, or loading propsys.dll or batmeter.dll from outside System32), and other abnormal endpoint activity to reduce exposure to this activity.
Although no confirmed data exfiltration has yet been reported, the presence of persistent backdoor access combined with Cobalt Strike deployment indicates significant operational risk. Long-term access could enable attackers to conduct reconnaissance, credential harvesting, lateral movement, ransomware deployment, or data theft.
The targeted sectors hold highly sensitive information, including research data, healthcare records, and personal data, increasing the potential impact of compromise. The operational dependencies and interconnected nature of these sectors further amplify the potential damage from prolonged attacker presence.
https://blog.talosintelligence.com/new-dohdoor-malware-campaign/