A new threat activity cluster has been linked to a malicious campaign targeting the education and healthcare sectors in the United States since December 2025.
The cluster, tracked as UAT-10027, is being used to deploy a previously undocumented backdoor named Dohdoor.
“Dohdoor uses the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and can download and execute additional payload binaries reflectively,” explained security researchers Alex Karkins and Chetan Raghuprasad in a report shared with The Hacker News.
While the initial access method used in the campaign has not been disclosed, it is believed to involve social engineering, most likely phishing, that leads the victim to execute a PowerShell script.
The script then proceeds to download and execute a Windows batch script from a remote staging server, which in turn facilitates the download of a malicious Windows dynamic-link library (DLL) named “propsys.dll” or “batmeter.dll.”
The DLL is Dohdoor itself. It is loaded through DLL side-loading by a legitimate Windows executable, and once running it retrieves a Cobalt Strike Beacon and loads it reflectively into memory on the victim machine.
“The threat actor conceals the C2 servers behind Cloudflare infrastructure to make all outbound communication appear as legitimate HTTPS traffic to a trusted global IP address,” noted Talos.
Because DoH wraps each DNS query in an ordinary HTTPS request to a public resolver, the lookup never passes through the organization's own DNS servers, so DNS logging and sinkhole controls see nothing, and at the network layer the session is indistinguishable from other TLS traffic to a widely used provider. This is what lets the malware keep its C2 channel alive while evading DNS-based detection and network traffic analysis.
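To make the evasion concrete for defenders, the following is an added example; it is not code from the Talos report or from Dohdoor, and it does not claim to reproduce Dohdoor's exact request format. It builds the RFC 8484 GET form of a DoH query (a DNS wire-format message, base64url-encoded in the `dns` parameter) and then runs a small detector over constructed TLS-terminating-proxy log lines: it flags clients sending DoH to anything other than an assumed sanctioned resolver, and for GET requests it decodes the parameter to recover the queried hostname, which is exactly the value a conventional DNS control would have matched. The resolver allow-list, the hostnames, and the log format are all assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS wire-format query (RFC 1035) for NAME.

    Transaction ID 0 and only the RD flag set, as RFC 8484 recommends for
    DoH so that identical queries yield identical, cacheable URLs.
    """
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # one question
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def build_doh_get_url(resolver_url: str, name: str, qtype: int = 1) -> str:
    """Produce the RFC 8484 GET form: ?dns=<base64url, padding stripped>."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name, qtype))
    return f"{resolver_url}?dns={encoded.rstrip(b'=').decode('ascii')}"


def parse_qname(msg: bytes) -> str:
    """Return the QNAME of the first question in a DNS wire-format message."""
    (qdcount,) = struct.unpack("!H", msg[4:6])
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:  # compression pointers are not valid in a QNAME
            raise ValueError("compression pointer in QNAME")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def decode_doh_get_url(url: str) -> str:
    """Recover the queried name from the dns= parameter of a DoH GET URL."""
    token = parse_qs(urlparse(url).query)["dns"][0]
    token += "=" * (-len(token) % 4)  # restore the padding RFC 8484 strips
    return parse_qname(base64.urlsafe_b64decode(token))


# Hypothetical sanctioned internal DoH endpoint (assumption for this example).
APPROVED_DOH_RESOLVERS = {"doh.corp.example"}


def find_unsanctioned_doh(log_lines, approved=APPROVED_DOH_RESOLVERS):
    """Flag DoH requests not destined for an approved resolver.

    Each line is assumed to read "client method url content_type", as a
    TLS-terminating proxy might log it. For GET the queried name is
    recovered from the URL; for POST the query is in the body, which this
    log does not carry, so the name is reported as None.
    """
    findings = []
    for line in log_lines:
        client, method, url, content_type = line.split()
        parsed = urlparse(url)
        is_doh = (content_type == "application/dns-message"
                  or parsed.path.endswith("/dns-query"))
        if not is_doh or parsed.hostname in approved:
            continue
        name = None
        if method == "GET" and "dns" in parse_qs(parsed.query):
            name = decode_doh_get_url(url)
        findings.append((client, parsed.hostname, name))
    return findings


# Constructed proxy log lines for demonstration; all hosts are hypothetical.
SAMPLE_PROXY_LOG = [
    "10.0.5.21 GET " + build_doh_get_url("https://doh.corp.example/dns-query",
                                         "www.example.com")
    + " application/dns-message",
    "10.0.5.44 GET https://cdn.example.org/static/app.js text/javascript",
    "10.0.5.44 GET " + build_doh_get_url("https://resolver.example.net/dns-query",
                                         "c2.example")
    + " application/dns-message",
    "10.0.5.44 POST https://resolver.example.net/dns-query application/dns-message",
]

if __name__ == "__main__":
    for client, host, name in find_unsanctioned_doh(SAMPLE_PROXY_LOG):
        print(f"{client} -> unapproved DoH resolver {host}, queried name: {name}")
```

The decoder only helps where TLS is terminated and request URLs are logged; without that, the only signal is flow-level (a TLS session to a known DoH endpoint, which in this campaign is further masked by Cloudflare fronting), and the POST form hides the queried name in the request body even from a URL log.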
Dohdoor has also been observed to bypass endpoint detection and response (EDR) products that monitor Windows API calls through user-mode hooks in ntdll.dll, so detection of its activity has to rely on telemetry that does not depend on those hooks.
According to Raghuprasad, educational institutions have been infected, including a university linked to several other institutions, which suggests the attack surface may be broader than the confirmed victims. One affected entity was a healthcare facility providing elderly care.
Analysis of the campaign has so far found no evidence of data exfiltration, and the Cobalt Strike Beacon is the only final-stage payload observed. Based on victimology, the motives behind UAT-10027 are assessed to be financial.
Although the perpetrators behind UAT-10027 remain unknown, similarities between Dohdoor and LazarLoader, a downloader previously associated with the North Korean Lazarus group, have been identified.
“Despite technical similarities with Lazarus Group, UAT-10027’s focus on education and healthcare sectors deviates from Lazarus’ usual cryptocurrency and defense targeting,” concluded Talos.
“However, North Korean APT actors have targeted the healthcare sector with Maui ransomware, and another group, Kimsuky, has focused on the education sector, highlighting overlaps in victimology with UAT-10027 and other North Korean APTs.”