Listen to this Post

The cybersecurity landscape rarely stands still, but every so often a new campaign emerges that signals a deliberate evolution in attacker tradecraft. Cisco Talos has uncovered such a case. A previously unknown threat cluster, identified as UAT-10027, has been targeting organizations in the United States education and healthcare sectors since at least December 2025. At the center of this campaign is a newly observed backdoor dubbed Dohdoor, engineered for stealth, persistence, and deep operational control.
Unlike opportunistic malware outbreaks, this campaign reflects careful staging and technical discipline. From phishing-based entry points to in-memory payload deployment, UAT-10027 demonstrates a mature understanding of endpoint detection evasion, forensic cleanup, and covert command-and-control communications. Even more intriguing, Cisco Talos notes technical overlaps with tactics historically associated with the Lazarus Group, though the attribution remains cautious and low confidence.
The attack chain appears to begin with phishing emails designed to trigger a malicious PowerShell execution. Once executed, the PowerShell command uses curl alongside an encoded URL to retrieve a malicious batch file, either in .bat or .cmd format. This file acts as a loader, quietly preparing the environment for deeper compromise. It creates hidden directories within ProgramData or Public folders, locations often overlooked during casual system inspection.
From there, a disguised malicious DLL, named Dohdoor, is downloaded and executed via DLL sideloading. By abusing legitimate Windows executables, attackers avoid raising alarms that typically accompany direct malware execution. The technique blends malicious activity with trusted system processes, complicating detection efforts.
Before exiting, the batch script performs anti-forensic steps. It clears Run dialog history, wipes clipboard data, and deletes itself, reducing the evidence footprint left behind. This deliberate cleanup suggests a strong operational awareness and an intent to avoid quick incident response containment.
Dohdoor itself is a 64-bit DLL loader compiled in November 2025. Its role is to fetch, decrypt, and execute additional payloads inside legitimate Windows processes. Rather than relying on static imports, it resolves Windows API calls dynamically through hash-based lookups. This technique obscures functionality from static analysis tools and complicates reverse engineering.
The backdoor extracts command-line arguments from the sideloaded executable, pulling out the command-and-control URL and payload path. It then initiates DNS-over-HTTPS communication, specifically querying Cloudflare infrastructure over port 443. By embedding malicious traffic within legitimate encrypted HTTPS sessions, Dohdoor hides in plain sight. Traditional network monitoring systems often treat DoH traffic as benign, making this channel particularly effective.
After resolving the C2 server’s IP address through crafted JSON parsing, the malware retrieves an encrypted payload via HTTPS GET requests designed to mimic normal curl activity. The payload is protected using a custom XOR-SUB decryption algorithm. Notably, the encrypted data maintains a 4:1 expansion ratio, meaning it appears significantly larger than the decrypted form. This distortion complicates pattern-based detection mechanisms.
The decryption routine employs SIMD vectorized operations to process 16-byte blocks efficiently, then switches to a simpler loop for remaining bytes. This dual-mode approach balances performance with flexibility. Such optimization is rarely seen in commodity malware and suggests deliberate engineering.
Once decrypted, the payload is injected into suspended Windows processes such as OpenWith.exe or wksprt.exe through process hollowing. The legitimate process is launched in a suspended state, its memory replaced with malicious code, and then resumed. To observers, the process appears authentic while executing attacker instructions internally.
To further evade Endpoint Detection and Response systems, Dohdoor inspects ntdll.dll to identify user-mode hooks, particularly around NtProtectVirtualMemory. If hooks are detected, the malware patches the syscall stub to create a direct syscall trampoline. By modifying specific byte patterns in memory, it bypasses user-mode monitoring hooks and communicates directly with the Windows kernel. This tactic neutralizes a common defensive layer deployed by modern EDR solutions.
Telemetry strongly indicates that a Cobalt Strike Beacon was deployed as a secondary payload. Cobalt Strike, widely abused in advanced persistent threat operations, enables lateral movement, credential harvesting, and long-term persistence.
Cisco Talos assesses with low confidence that UAT-10027 may be linked to North Korean threat actors. Dohdoor shares traits with Lazarloader, including the use of a custom XOR-SUB routine incorporating the 0x26 constant and NTDLL unhooking mechanisms. The campaign also employs DNS-over-HTTPS through Cloudflare, DLL sideloading, process hollowing, and the use of mixed-case top-level domains such as .design, .software, and .online. These tradecraft patterns have appeared in past operations attributed to the Lazarus Group.
Yet the targeting profile introduces complexity. Lazarus has historically prioritized cryptocurrency platforms and defense-related industries. In this campaign, however, education and healthcare institutions are primary victims. That divergence does not eliminate a North Korean connection, as past incidents such as Maui ransomware attacks against healthcare and Kimsuky operations against academia demonstrate overlapping interests within North Korean APT ecosystems.
What makes UAT-10027 notable is not just its technical overlap with established groups, but the careful adaptation of known techniques into a refined and stealth-driven framework. The campaign reveals a threat actor comfortable with living-off-the-land binaries, encrypted DNS communication, memory injection, and direct syscall manipulation. Each step reduces visibility. Each stage compounds resilience.
What Undercode Say:
The emergence of UAT-10027 signals something more strategic than a single malware family. This campaign reflects a structural shift in how advanced threat actors approach persistence and stealth inside sensitive civilian sectors. Education and healthcare institutions often operate with limited cybersecurity budgets compared to financial or defense industries, yet they store valuable research data, personal records, and intellectual property. Targeting them provides high intelligence value with comparatively softer defenses.
The use of DNS-over-HTTPS through Cloudflare infrastructure is particularly telling. Attackers are deliberately hiding behind trusted cloud services, exploiting the industry’s own push toward encrypted privacy-centric DNS. As more organizations adopt encrypted DNS for legitimate security reasons, malicious actors gain a larger shield of normalcy. Network defenders face the paradox of choosing between privacy and inspection.
Dohdoor’s hash-based API resolution and dynamic syscall patching demonstrate that the operators anticipate memory scanning and behavioral analysis. This is not smash-and-grab malware. It is designed to coexist with enterprise security stacks. The direct syscall trampoline effectively sidesteps one of the most common EDR inspection layers. That move alone places the malware in a higher sophistication tier.
The custom XOR-SUB encryption routine, combined with the unusual 4:1 payload expansion ratio, suggests a deliberate attempt to avoid signature-based detection. By inflating encrypted payload size and employing SIMD-accelerated decryption, the developers are prioritizing both stealth and execution efficiency. That balance reflects disciplined development practices.
Attribution remains uncertain, but operational overlaps with Lazarus-associated tooling cannot be ignored. However, analysts must resist the temptation to over-attribute based solely on shared techniques. Sophisticated threat groups often borrow from one another, and leaked tools circulate in underground markets. The deviation in target sectors complicates a clean attribution narrative.
From a defensive standpoint, this campaign underscores the need for deeper inspection of encrypted traffic, memory-level behavioral analysis, and monitoring for anomalous process hollowing patterns. Organizations must also treat phishing resilience as a frontline control. The entire chain begins with a single user interaction.
UAT-10027 demonstrates that attackers no longer rely on brute force. They rely on invisibility. They adapt to enterprise defenses rather than confronting them directly. In many ways, this is the future of advanced persistent threats: quiet, encrypted, memory-resident, and strategically selective.
If this campaign continues to evolve, defenders may see broader sector expansion or refinement in the loader architecture. The modular design suggests that Dohdoor could serve as a reusable framework for multiple operations. The infrastructure choice hints at scalability. The stealth engineering hints at long-term persistence goals rather than short-lived attacks.
Fact Checker Results
✅ Cisco Talos identified UAT-10027 and the Dohdoor backdoor targeting U.S. education and healthcare sectors.
✅ Dohdoor uses DNS-over-HTTPS via Cloudflare, process hollowing, and syscall patching for EDR evasion.
❌ Attribution to North Korea remains unconfirmed and assessed with low confidence.
Prediction
🔮 Encrypted DNS channels will become a dominant C2 method for advanced threat actors in 2026.
📈 Education and healthcare institutions will face increased memory-resident malware campaigns.
⚠️ Direct syscall patching techniques will likely spread beyond nation-state groups into organized cybercrime ecosystems.
▶️ Related Video (78% Match):
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




