

Ethical Hacking News

UAT-10027: A Stealthy Attack on U.S. Education and Healthcare Sectors

Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations with a previously unseen backdoor it calls Dohdoor. The intrusion starts with a phishing email that leads to a PowerShell script; the script downloads a batch file and a malicious DLL, which is executed through DLL sideloading. The DLL decrypts its payload with a custom XOR-SUB routine, injects it into a suspended, legitimate Windows process, and unhooks ntdll to evade endpoint detection and response (EDR) tooling before deploying follow-on payloads such as Cobalt Strike. Talos notes overlaps with Lazarloader and with tactics used by North Korean APT actors. Organizations in these sectors should treat the techniques described here, phishing-delivered PowerShell, DLL sideloading, process hollowing and DNS-over-HTTPS command and control, as detection priorities.

  • The UAT-10027 campaign targets US education and healthcare sectors with a sophisticated attack.
  • The attackers use a previously unseen backdoor named Dohdoor, which is designed to be stealthy.
  • Dohdoor uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic.
  • The attack starts with a phishing email that leads to a PowerShell script, which downloads a batch file and a malicious DLL that is executed via DLL sideloading.
  • The malware uses process hollowing to inject the decrypted payload into suspended, legitimate Windows binaries.
  • The attackers evade endpoint detection and response (EDR) tooling by checking ntdll for user-mode hooks and building a direct syscall trampoline around them.
  • The campaign shares traits with Lazarloader and with tactics used by North Korean APT actors.
  • Continuous monitoring and defenses matched to these techniques (phishing, script execution, DLL sideloading, process hollowing, DNS-over-HTTPS egress) are essential to protect against such threats.



    Malicious actors keep adapting their tooling to evade detection and compromise sensitive systems. One recent example is the UAT-10027 campaign, which Cisco Talos has identified as targeting U.S. education and healthcare sectors. This article walks through the attack chain Talos describes, the techniques used at each stage, and what they mean for defenders in these sectors.

    The UAT-10027 campaign is attributed to a group of attackers using a previously unseen backdoor named Dohdoor. Dohdoor is designed to be stealthy: it carries its command-and-control (C2) traffic over DNS-over-HTTPS through Cloudflare infrastructure, so the channel looks like ordinary HTTPS traffic to Cloudflare and does not show up in conventional DNS logs. Over this channel the attackers deploy additional payloads, such as Cobalt Strike, directly into memory while evading security detection and maintaining persistent access.
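    The article gives no detection guidance for the DoH channel, so the following is an added example, not Cisco Talos code or anything from the report. It parses constructed endpoint network-connection records (a flattened, Sysmon-like key=value shape invented for this example) and flags any process outside a small allowlist that talks to a public DNS-over-HTTPS resolver on 443, whether matched by resolver IP or by TLS SNI. The resolver IPs and names, the allowlist, the host names and the sample records are assumptions; OpenWith.exe and wksprt.exe appear because the article names them as the hollowing hosts.

```python
"""
Flag endpoint processes that talk to public DNS-over-HTTPS resolvers without being
on the allowlist of software expected to do so. The log lines are constructed for
this example (a flattened, Sysmon-like key=value shape, not a real product format).
"""
import re
from typing import Dict, List

# Public DoH endpoints. Cloudflare's appear because the article says Dohdoor rides
# Cloudflare infrastructure; Google and Quad9 are added for generality. Assumptions.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
DOH_RESOLVER_NAMES = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}

# Image basenames that legitimately speak DoH on a typical Windows workstation
# (browsers with built-in secure DNS). Assumption: tune per estate; if Windows'
# own DoH is enabled, the DNS Client service (svchost.exe hosting Dnscache) belongs here.
ALLOWED_DOH_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample records. OpenWith.exe and wksprt.exe are the hollowing hosts the
# article names; the host names, addresses and the Chrome/svchost lines are invented.
SAMPLE_LOG = [
    r"host=edu-ws-17 image=C:\Program Files\Google\Chrome\Application\chrome.exe dst=1.1.1.1 port=443 sni=cloudflare-dns.com",
    r"host=edu-ws-17 image=C:\Windows\System32\OpenWith.exe dst=1.1.1.1 port=443 sni=cloudflare-dns.com",
    r"host=hc-ws-04 image=C:\Windows\System32\wksprt.exe dst=104.16.248.249 port=443 sni=mozilla.cloudflare-dns.com",
    r"host=hc-ws-04 image=C:\Windows\System32\svchost.exe dst=20.190.160.1 port=443 sni=login.microsoftonline.com",
    r"host=hc-ws-04 image=C:\Windows\System32\OpenWith.exe dst=1.1.1.1 port=53 sni=",
]

_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value record; values may contain spaces (e.g. 'Program Files')."""
    return dict(_KV.findall(line))


def is_doh_endpoint(dst: str, port: str, sni: str) -> bool:
    """DoH is HTTPS to a known resolver, matched by IP or by TLS SNI (including subdomains)."""
    if port != "443":
        return False
    if dst in DOH_RESOLVER_IPS:
        return True
    sni = sni.lower()
    return any(sni == n or sni.endswith("." + n) for n in DOH_RESOLVER_NAMES)


def image_basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_suspicious_doh(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records where a non-allowlisted process reaches a DoH resolver."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not is_doh_endpoint(rec.get("dst", ""), rec.get("port", ""), rec.get("sni", "")):
            continue
        if image_basename(rec.get("image", "")) in ALLOWED_DOH_IMAGES:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_doh(SAMPLE_LOG):
        print(f"{hit['host']}: {image_basename(hit['image'])} -> {hit['dst']}:{hit['port']} sni={hit['sni']!r}")
```

    On the constructed sample this flags the OpenWith.exe and wksprt.exe connections and ignores Chrome's DoH, the Microsoft login traffic and the plain port-53 query. The SNI match matters in practice because Cloudflare fronts many unrelated services from the same address ranges, so IP alone is a weak signal; a real deployment would also baseline which images normally make any outbound connection at all.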

    The attack begins with a phishing email that triggers a PowerShell script. The script downloads a batch file and then the malicious Dohdoor DLL, which is executed through DLL sideloading, that is, a legitimate program loads the attacker's DLL in place of one it expects. The DLL decrypts its embedded payload with a custom XOR-SUB routine that resembles the encoding used in Lazarus Group malware. It then performs process hollowing: it creates a suspended instance of a legitimate Windows binary such as OpenWith.exe or wksprt.exe, replaces the process memory with the decrypted payload, and resumes execution.

    To evade endpoint detection and response (EDR) tooling, Dohdoor locates ntdll.dll in memory, inspects the NtProtectVirtualMemory stub for user-mode hooks (the inline detours that EDR products install on sensitive ntdll exports), and patches the syscall stub so that the call reaches the kernel through a direct syscall trampoline. This defeats EDRs that rely on user-mode API hooking; it is an evasion step that keeps the injection from being observed, not in itself a persistence mechanism.

    Talos's telemetry suggests the actor used a Cobalt Strike Beacon as the follow-on payload, consistent with the tactics and techniques employed by North Korean APT actors. The campaign also shares traits with Lazarloader, including a custom XOR-SUB routine using the 0x26 constant and NTDLL unhooking for EDR evasion.
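    The article describes the XOR-SUB routine and its 0x26 constant in the two paragraphs above but does not give the byte order, so the following added example (not Cisco Talos code and not the malware's routine) assumes the form plaintext = (ciphertext XOR key) - 0x26 per byte and shows the analyst-side workflow: implement the decoder, then recover an unknown single-byte key from an encrypted PE blob by brute force with a structural check on the result (MZ header and e_lfanew pointing at PE\0\0). The key 0x5A and the fake PE buffer are constructed; swap the two arithmetic steps in xorsub_decrypt() if a real sample subtracts first.

```python
"""
Single-byte XOR-SUB decoder plus known-plaintext key recovery.

The exact byte order of the routine is not given in the article, so this assumes
plaintext = (cipher XOR key) - 0x26  (mod 256). Swap the two steps in
xorsub_decrypt() and xorsub_encrypt() if the sample you analyse does SUB first.
"""
import struct
from typing import List

SUB_CONSTANT = 0x26  # the constant the article attributes to the routine


def xorsub_decrypt(data: bytes, key: int, sub: int = SUB_CONSTANT) -> bytes:
    """Assumed order: XOR with the key, then subtract the constant, per byte."""
    return bytes(((b ^ key) - sub) & 0xFF for b in data)


def xorsub_encrypt(data: bytes, key: int, sub: int = SUB_CONSTANT) -> bytes:
    """Inverse of xorsub_decrypt: add the constant, then XOR."""
    return bytes((((b + sub) & 0xFF) ^ key) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and e_lfanew (at 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(cipher: bytes, sub: int = SUB_CONSTANT) -> List[int]:
    """Try all 256 single-byte keys; keep those whose output passes the PE check.
    Two known plaintext bytes ('MZ') already pin a single-byte key; the PE-signature
    check guards against false positives on short or damaged blobs."""
    return [k for k in range(256) if looks_like_pe(xorsub_decrypt(cipher, k, sub))]


def make_fake_pe() -> bytes:
    """Constructed stand-in for a decrypted payload: a 0x80-byte buffer with a DOS
    header whose e_lfanew points at a 'PE\\0\\0' signature. Not a real executable."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    plain = make_fake_pe()
    blob = xorsub_encrypt(plain, key=0x5A)  # constructed ciphertext with an unknown key
    keys = recover_key(blob)
    print("candidate keys:", [hex(k) for k in keys])
    print("round trip ok:", xorsub_decrypt(blob, keys[0]) == plain)
```

    The 0x26 constant is what makes this a SUB rather than plain XOR: a byte-frequency or XOR-known-plaintext tool that ignores it will produce garbage, which is why recover_key() carries the constant as a parameter and validates the whole header instead of trusting the first two bytes alone.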

    In conclusion, the UAT-10027 campaign illustrates how a stealthy attack chain can be assembled from phishing, scripting, DLL sideloading, process hollowing, EDR unhooking and DNS-over-HTTPS C2 without relying on any unpatched vulnerability. Defenses therefore need to match those techniques: user reporting and filtering for phishing, logging of PowerShell and script execution, detection of DLL sideloading and process hollowing, and visibility into DNS-over-HTTPS egress that endpoint tooling alone may miss once its user-mode hooks are bypassed. Patch management remains necessary hygiene, but continuous monitoring and vigilance against these living-off-the-land techniques are what protect against this kind of threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/UAT-10027-A-Stealthy-Attack-on-US-Education-and-Healthcare-Sectors-ehn.shtml

  • Published: Thu Feb 26 13:49:23 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
