Ethical Hacking News
The US education and healthcare sectors have been targeted by a previously unseen digital backdoor, suspected to be linked to North Korea. The attackers employed social engineering tactics, combined with sophisticated malware techniques, to gain initial access and establish a persistent presence within compromised environments.
Organizations in the United States have been breached by a previously unseen digital backdoor linked to North Korea. The attack began with social engineering tactics such as phishing emails. The attackers used a multi-stage infection process, including a PowerShell downloader and dynamic-link library (DLL) sideloading techniques. The backdoor allowed the attackers to execute malicious payloads within legitimate Windows processes. The backdoor has been dubbed Dohdoor by Talos researchers, who identified stealthy techniques used to evade detection. The attack highlights the importance of robust cybersecurity measures in protecting sensitive information. Organizations must reassess their security posture and implement additional measures to prevent similar breaches.
Organizations across the United States have been breached by a previously unseen digital backdoor, suspected to be linked to North Korea. The campaign, which has been ongoing since at least December, has left numerous educational institutions and healthcare organizations in its wake. According to Cisco Talos researchers Chetan Raghuprasad and Alex Karkins, the attackers have employed a multi-stage infection process that begins with social engineering tactics such as phishing.
The initial entry point of the attack appears to be phishing emails. The attackers gain access by tricking employees into divulging sensitive information or clicking on malicious links that install the PowerShell downloader. The downloader then fetches a Windows batch script dropper from a remote staging server, which in turn orchestrates the dynamic-link library (DLL) sideloading step.
This technique causes a legitimate program to load a malicious DLL named "propsys.dll" or "batmeter.dll," which operates as a loader and downloads additional payloads. The downloaded payloads are then decrypted and executed within legitimate Windows processes. This gives the attackers backdoor access to the victim's environment, allowing them to load future payloads directly into the machine's memory.
The backdoor has been dubbed Dohdoor by Talos researchers, who have identified several stealthy techniques used by the attackers to avoid detection. These include hosting command-and-control (C2) domains behind Cloudflare infrastructure and using DNS-over-HTTPS (DoH) to resolve C2 server IP addresses. Because the resolution itself is carried inside HTTPS, DNS security tools that inspect plaintext port-53 queries never see the lookup, and all outbound traffic from compromised machines appears as ordinary HTTPS traffic.
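As an added example that is not part of the article or of Talos' analysis, the following Python sketch shows one defensive correlation for the DoH technique described above: it flags outbound connections to destinations that never appeared in a plaintext DNS answer for that host, and rates them higher when the same host has also contacted a public DoH resolver. The event format, sample events and resolver list are assumptions constructed for the example.

```python
# Added example, not from the article or Talos: correlate plaintext DNS answers
# with outbound connections to spot hosts that resolve destinations over DoH.
from collections import defaultdict

# Constructed watchlist of well-known public DoH resolver IPs (illustrative only).
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample events; assumed format: (ts, kind, src, field1, field2)
#   kind "dns":  src resolved qname -> answer_ip via plaintext DNS (port 53)
#   kind "conn": src opened a TCP connection to dst_ip on dst_port
SAMPLE_EVENTS = [
    (100, "dns",  "10.0.0.5", "update.example.com", "203.0.113.10"),
    (101, "conn", "10.0.0.5", "203.0.113.10", 443),    # resolved normally
    (200, "conn", "10.0.0.7", "1.1.1.1", 443),         # DoH resolver contact
    (201, "conn", "10.0.0.7", "198.51.100.20", 443),   # no plaintext answer seen
    (300, "conn", "10.0.0.9", "192.0.2.30", 443),      # unresolved, no DoH seen
]


def analyze(events):
    """Return {src: [(ts, dst_ip, severity), ...]} for connections whose
    destination never appeared in a plaintext DNS answer for that host.
    Hosts that previously talked to a DoH resolver get severity "high";
    otherwise "low", since hard-coded IP connections are also common."""
    resolved = defaultdict(set)   # src -> IPs it resolved over port-53 DNS
    doh_users = set()             # hosts seen connecting to a DoH resolver
    findings = defaultdict(list)
    for ts, kind, src, a, b in sorted(events):
        if kind == "dns":
            resolved[src].add(b)
        elif kind == "conn":
            dst, port = a, b
            if dst in DOH_RESOLVERS and port == 443:
                doh_users.add(src)
                continue
            if dst not in resolved[src]:
                severity = "high" if src in doh_users else "low"
                findings[src].append((ts, dst, severity))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        for ts, dst, severity in hits:
            print(f"{ts} {host} -> {dst} [{severity}] no plaintext DNS answer")
```

Browser and OS-level DoH also produce resolver contacts, so the "high" finding is a triage signal to pair with endpoint telemetry rather than a verdict on its own.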
Furthermore, the attackers have employed an endpoint detection and response (EDR) bypass technique to evade endpoint security tools that monitor Windows API calls. The backdoor achieves this by removing the user-mode hooks that such tools place on system-call stubs in ntdll.dll, so its calls are no longer observed by the EDR.
The use of these techniques is not unique to Dohdoor. Symantec and Carbon Black threat hunters earlier warned that Lazarus has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization, while Andariel, a subgroup within the North Korean military intelligence agency's cyber-arm, has used Maui and Play ransomware in its previous intrusions.
In addition to these known campaigns, Kimsuky, another Pyongyang-based intelligence-gathering group, has targeted educational institutions. The ongoing attack against US education and healthcare sectors marks a departure from Lazarus' typical focus on cryptocurrency and defense targeting.
While the attackers are suspected to be linked to North Korea, more research is needed to confirm this attribution. Given the overlap in technical characteristics between Dohdoor and earlier Lazarus campaigns, together with the unusual targeting of this attack, it appears that the motivations behind this breach may not align with the Lazarus Group's typical objectives.
Regardless of the specific motives, the infection of US education and healthcare organizations by a previously unseen digital backdoor highlights the ever-evolving threat landscape. The attackers' use of social engineering tactics, combined with sophisticated malware techniques, underscores the importance of robust cybersecurity measures in protecting sensitive information.
In light of this attack, it is crucial for these sectors to reassess their security posture and implement additional measures to prevent similar breaches in the future. This may include regular software updates, improved network segmentation, enhanced employee training on phishing and social engineering tactics, and the implementation of advanced threat detection tools capable of identifying and responding to zero-day exploits.
As the cybersecurity landscape continues to evolve, organizations must remain vigilant and proactive in protecting themselves against emerging threats. By staying informed and adapting their security strategies accordingly, they can significantly reduce the risk of falling victim to sophisticated attacks like Dohdoor.
Related Information:
https://www.ethicalhackingnews.com/articles/Suspected-North-Korean-Digital-Intruders-Infect-US-Healthcare-and-Education-Sectors-with-Never-Before-Seen-Backdoor-ehn.shtml
Published: Fri Feb 27 15:05:19 2026 by llama3.2 3B Q4_K_M