Ethical Hacking News
A new backdoor, dubbed Dohdoor, has been uncovered; the campaign delivering it is believed to be the work of an Advanced Persistent Threat (APT) group with ties to North Korean actors. The malware uses DNS-over-HTTPS for command-and-control communications and can download and reflectively execute additional payload binaries. The campaign targets the education and healthcare sectors in the United States and appears to share technical overlaps with other North Korean APTs. As cybersecurity professionals, it is essential to stay vigilant and continue to monitor for signs of similar attacks.
Cisco Talos has identified a new threat activity cluster dubbed UAT-10027 targeting the education and healthcare sectors in the US since at least December 2025. The campaign is believed to be the work of an Advanced Persistent Threat (APT) group with ties to North Korean actors, aiming to deliver a never-before-seen backdoor codenamed Dohdoor. Dohdoor uses the DNS-over-HTTPS technique for C2 communications and has the ability to download and execute other payload binaries reflectively. The initial access vector is suspected to involve social engineering phishing techniques, leading to the execution of a PowerShell script. The backdoor creates a hidden entry point for the threat actor, allowing them to retrieve a next-stage payload directly into the victim's memory and execute it. Dohdoor has been found to unhook system calls to bypass endpoint detection and response (EDR) solutions. Researchers have noted tactical similarities between Dohdoor and Lazarloader, a downloader previously identified as used by the North Korean hacking group Lazarus. The campaign's focus on the education and healthcare sectors deviates from Lazarus' typical profile, suggesting overlaps with other North Korean APTs in victimology. Dohdoor uses Cloudflare as an intermediary for C2 communications, bypassing DNS-based detection systems and network traffic analysis tools.
In a recent discovery, Cisco Talos has identified a previously undocumented threat activity cluster dubbed UAT-10027, which has been targeting the education and healthcare sectors in the United States since at least December 2025. This malicious campaign is believed to be the work of an Advanced Persistent Threat (APT) group, with ties to North Korean actors.
The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor. This malware utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively. The initial access vector used in the campaign is currently not known, but it is suspected to involve social engineering phishing techniques, leading to the execution of a PowerShell script.
The script then proceeds to download and run a Windows batch script from a remote staging server, which facilitates the download of a malicious Windows dynamic-link library (DLL) named "propsys.dll" or "batmeter.dll." The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., "Fondue.exe," "mblctr.exe," and "ScreenClippingHost.exe") using a technique referred to as DLL side-loading.
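The side-loading step described above leaves a recognisable trace in image-load telemetry: a legitimate host executable loading a DLL whose name matches a Windows system library, but from a path outside the system directories. The following Python is an added triage example written for this article; it is not Cisco Talos or Dohdoor code. The DLL and host executable names come from the write-up, the Sysmon-style event records are constructed, and the assumption that the genuine copies of these DLLs live only under the Windows system directories is the author's, not the article's. The "medium" and "low" tiers generalise beyond the named hosts to any process loading a watched DLL from its own directory.

```python
"""Triage of DLL side-loading candidates in Sysmon-style ImageLoad records.

Added example; not Cisco Talos or Dohdoor code. DLL and host names come
from the write-up; the event records are constructed. Assumption: the
legitimate copies of the watched DLLs live under the Windows system
directories, so the same file name loaded from anywhere else is worth a
look, and one of the named hosts loading it is a strong signal.
"""

# Names reported in the campaign write-up (lower-cased for matching).
SIDELOADED_DLLS = {"propsys.dll", "batmeter.dll"}
ABUSED_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-like events (EventID 7 = ImageLoad, 1 = ProcessCreate).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\batmeter.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\mblctr.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\batmeter.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\Fondue.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\propsys.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"EventID": 7, "Image": r"C:\Tools\viewer.exe",
     "ImageLoaded": r"C:\Tools\propsys.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def _norm(path):
    """Normalise separators and case so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path):
    return _norm(path).rsplit("\\", 1)[0]


def in_trusted_dir(path):
    """True if the file sits directly under a Windows system directory."""
    return any(_norm(path).startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(event):
    """Return (severity, reason) for a suspicious ImageLoad, else None."""
    if event.get("EventID") != 7:
        return None
    host, dll = event["Image"], event["ImageLoaded"]
    if basename(dll) not in SIDELOADED_DLLS or in_trusted_dir(dll):
        return None  # not a watched name, or the genuine system copy
    if basename(host) in ABUSED_HOSTS:
        return ("high", "named host executable loaded a watched DLL "
                        "outside the system directories")
    if dirname(host) == dirname(dll):
        return ("medium", "watched DLL loaded from the host executable's "
                          "own directory")
    return ("low", "watched DLL loaded from an unusual path")


def find_sideload_candidates(events):
    """Run classify() over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        result = classify(ev)
        if result:
            severity, reason = result
            findings.append({"severity": severity, "host": ev["Image"],
                             "dll": ev["ImageLoaded"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} -> {f['dll']}: {f['reason']}")
```

Run against the constructed events, the two loads by the named hosts from user-writable paths score "high", the unrelated tool loading propsys.dll from its own folder scores "medium", and the genuine System32 loads are ignored. In production the watched-DLL set would be widened to the full list of system DLLs known to be side-loaded, and a signer check on the loaded image would be added as a second filter.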
The backdoor gives the threat actor a hidden entry point through which a next-stage payload is retrieved directly into the victim's memory and executed. The payload is assessed to be a Cobalt Strike Beacon. Dohdoor has also been found to unhook system calls in order to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll.
While there is currently no clarity on who is behind UAT-10027, Cisco Talos has noted some tactical similarities between Dohdoor and Lazarloader, a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea. However, it is worth noting that the campaign's focus on the education and healthcare sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting.
Furthermore, researchers have observed that North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector. This suggests that the overlaps in the victimology of UAT-10027 with other North Korean APTs may be more than coincidental.
The use of Cloudflare as an intermediary for C2 communications by Dohdoor is also noteworthy. The threat actor hides the C2 servers behind the Cloudflare infrastructure, so that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address.
This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor for suspicious domain lookups, because the name resolution never passes through the local resolver; the malware's C2 communications therefore stay hidden from traditional network security infrastructure.
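Because DoH removes the C2 lookup from the local resolver's view, detection has to move to the endpoint and to the connection itself. The following Python is an added example for this article, not Cisco Talos or Dohdoor code, and every log line, host, process name and IP address in it is constructed (TEST-NET ranges). It applies two checks: a DoH resolver endpoint contacted by a process that is not an allowlisted browser, and, going beyond what the article describes, a correlation of outbound connections with prior DNS answers on the same host, since a process that never asked the local resolver yet connects to an external address is the footprint DoH leaves behind. The resolver list, browser allowlist and log format are the author's assumptions.

```python
"""Two triage checks for DNS-evading C2 over constructed endpoint telemetry.

Added example; not Cisco Talos or Dohdoor code. Every log line, host,
process name and IP address is constructed (TEST-NET ranges).
Assumptions: the endpoint agent records local DNS answers and outbound
connections with the owning process and TLS SNI; DoH from browsers is
expected and allowlisted; the resolver list is a starting point only.
"""
import ipaddress
from dataclasses import dataclass

# Well-known public DoH resolver endpoints (real names and addresses).
DOH_ENDPOINTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                 "1.1.1.1", "1.0.0.1", "dns.google", "8.8.8.8", "8.8.4.4"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records.
#   DNS  lines: ts|DNS|host|process|name|answer_ip
#   CONN lines: ts|CONN|host|process|dst_ip|dst_port|sni   (sni may be empty)
SAMPLE_LOG = """\
2026-02-26T10:41:00Z|DNS|ws01|chrome.exe|update.example.org|203.0.113.10
2026-02-26T10:41:02Z|CONN|ws01|chrome.exe|203.0.113.10|443|update.example.org
2026-02-26T10:41:03Z|CONN|ws01|chrome.exe|1.1.1.1|443|cloudflare-dns.com
2026-02-26T10:41:05Z|CONN|ws01|mblctr.exe|1.1.1.1|443|cloudflare-dns.com
2026-02-26T10:41:06Z|CONN|ws01|mblctr.exe|198.51.100.77|443|
2026-02-26T10:41:07Z|CONN|ws01|mblctr.exe|10.0.0.5|445|
2026-02-26T10:41:09Z|CONN|ws01|Fondue.exe|203.0.113.10|443|update.example.org
"""


@dataclass
class Finding:
    kind: str
    host: str
    process: str
    detail: str


def is_external(ip):
    """True unless the address falls inside an internal (RFC 1918) range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Walk the log in time order and return the findings in order."""
    resolved = set()   # (host, ip) pairs the local resolver handed out
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        _ts, kind, host, process = fields[:4]
        if kind == "DNS":
            _name, answer = fields[4:6]
            resolved.add((host, answer))
        elif kind == "CONN":
            dst_ip, dst_port, sni = fields[4:7]
            where = f"{dst_ip}:{dst_port} sni={sni or '-'}"
            if sni.lower() in DOH_ENDPOINTS or dst_ip in DOH_ENDPOINTS:
                # DoH itself: acceptable from a browser, not from anything else.
                if process.lower() not in BROWSERS:
                    findings.append(Finding("doh-from-non-browser",
                                            host, process, where))
                continue  # resolver IPs are hardcoded, so skip the DNS check
            if is_external(dst_ip) and (host, dst_ip) not in resolved:
                findings.append(Finding("connection-without-dns",
                                        host, process, where))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:24} {f.host} {f.process} {f.detail}")
```

On the constructed log only the two mblctr.exe connections are reported: the DoH lookup from a non-browser, and the subsequent HTTPS connection to an external address that no local DNS answer explains. Both checks are triage signals rather than verdicts; hardcoded IPs, DNS log gaps and CDN fronting all produce false positives, and the window of prior DNS answers should be bounded in time rather than kept forever as this example does.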
In conclusion, the discovery of Dohdoor and its ties to North Korean APTs highlights the growing threat landscape in the United States. As cybersecurity professionals, it is essential to stay vigilant and continue to monitor for signs of similar attacks. By understanding the tactics, techniques, and procedures (TTPs) used by these APT groups, we can better prepare our defenses against future threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Backdoor-Malware-Uncovered-Dohdoor-and-its-Ties-to-North-Korean-APTs-ehn.shtml
https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
Published: Thu Feb 26 10:41:37 2026 by llama3.2 3B Q4_K_M