UAT-10027 Targets U.S. Education and Healthcare with Stealthy Dohdoor Backdoor
2026-02-26 19:10 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The Talos team has identified a new threat cluster, tracked as UAT-10027, that has targeted US education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. This campaign deviates from the Lazarus Group's typical profile of cryptocurrency and defense targeting, focusing instead on these sectors. Initial access was likely through phishing: the attackers used PowerShell to run curl with an encoded URL, downloading a malicious batch file, which in turn fetched a malicious DLL that was sideloaded using legitimate Windows executables. That DLL, Dohdoor, is a 64-bit loader compiled in November 2025 that lets the attackers download and decrypt payloads and run them inside legitimate Windows processes. The malware resolves Windows APIs through hash-based lookups, parses command-line arguments from the sideloaded executable, and extracts C2 URLs and payload paths. To evade EDR, Dohdoor locates ntdll.dll and checks NtProtectVirtualMemory for user-mode hooks, patching the syscall stub where it finds the expected byte pattern. Talos also notes overlaps in victimology between UAT-10027 and other North Korean APTs, such as the targeting of healthcare with Maui ransomware and Kimsuky's targeting of the education sector.
Technical Mitigations (AI-generated)
* Deploy endpoint protection that detects in-memory patching of NTDLL syscall stubs (NTDLL unhooking), which Dohdoor uses to evade EDR (Endpoint Detection and Response) products that rely on user-mode hooks.
* Use a secure transport such as TLS 1.3 or later for all traffic between your own clients and servers, so that an attacker with a foothold in the network cannot intercept or decrypt sensitive information in transit.
* Regularly update and patch Windows systems so that known vulnerabilities are addressed before attackers can exploit them to deploy Dohdoor.
* Run an anti-malware solution with advanced threat detection to identify and block malicious payloads such as Dohdoor and its follow-on payloads, including Cobalt Strike Beacons.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Lazarus Group, Kimsuky; Cobalt Strike
Target & Sectors: Global Scope; healthcare, defense, health, education
Incident Timeline
November 2025
The threat actors used a Cobalt Strike Beacon as the follow-on payload to target U.S. education and healthcare sectors with stealthy Dohdoor backdoors.
Windows (infrastructure, 64-bit): UAT-10027 deployed a 64-bit DLL loader, Dohdoor, compiled in November 2025, to download, decrypt, and run payloads inside legitimate Windows processes. Dohdoor resolves Windows APIs through hash-based lookups, parses command-line arguments from the sideloaded executable, and extracts the C2 URL and payload path. "The loader then performs process hollowing, injecting the decrypted payload into suspended Windows binaries such as OpenWith.exe or wksprt.exe before resuming execution."
Lazarus Group: Talos assesses with low confidence that UAT-10027 links to North Korea due to overlaps with the Lazarus Group.
APT, Kimsuky: "However, Talos has historically seen that North Korean APT actors have targeted the health care sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs."
Lazarus Group: "While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign's focus on the education and health care sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting," concludes the report.
6-byte patch: "If the byte pattern matches, it writes a 6-byte patch in hexadecimal "B8 BB 00 00 00 C3" which corresponds to assembly instruction "mov eax, 0BBh; ret", resulting in creating a direct syscall stub that bypasses any user mode hooks." Telemetry suggests the actor likely used a Cobalt Strike Beacon as the follow-on payload.
EDR: To evade EDR, Dohdoor locates ntdll.dll, checks NtProtectVirtualMemory for user-mode hooks, and patches the syscall stub to create a direct syscall trampoline.
HTTPS GET: After resolving the server, Dohdoor sends HTTPS GET requests that mimic curl traffic and retrieves an encrypted payload.
XOR-SUB, 16-byte blocks: It decrypts the payload with a custom XOR-SUB algorithm using SIMD routines for 16-byte blocks and a position-dependent formula for remaining bytes.
SIMD (Single Instruction, Multiple Data): A vectorized SIMD method handles bulk processing, and a simpler loop handles the remaining encrypted data.
First 32 bytes: "Then it reads the first 32 bytes of the function using ReadProcessMemory, which it dynamically loads during execution, and compares them with the syscall stub pattern in hexadecimal "4C 8B D1 B8 FF 00 00 00", which corresponds to the assembly instructions "mov r10, rcx; mov eax, 0FFh"."
NTDLL: Dohdoor shares traits with Lazarloader, including a custom XOR-SUB routine using the 0x26 constant and NTDLL unhooking for EDR evasion.
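As an added defensive example (this is not code from the Talos report or from either article), the following Python classifies a captured prologue of an Nt* function in ntdll.dll using the two byte patterns quoted above: the clean x64 stub prefix 4C 8B D1 B8 (mov r10, rcx; mov eax, imm32) and the 6-byte patch B8 xx 00 00 00 C3 (mov eax, imm32; ret). An EDR or memory-forensics tool that already reads function prologues can run this check to flag stubs that have been overwritten with the direct-syscall form. The sample snapshots are constructed for illustration: the tail bytes after the quoted patterns and the jmp-style inline-hook sample are assumptions, and the syscall numbers 0xFF and 0xBB are simply the values that appear in the quoted patterns, not the real NtProtectVirtualMemory numbers.

```python
"""Classify the first bytes of an ntdll Nt* function prologue.

Verdicts:
  clean_stub             - starts with the standard x64 syscall stub prefix
  patched_direct_syscall - starts with the 6-byte "mov eax, imm32 ; ret" patch
  unknown_or_hooked      - anything else (e.g. a jmp rel32 inline hook)
"""

# Pattern prefix quoted in the report: mov r10, rcx ; mov eax, <imm32>
CLEAN_STUB_PREFIX = bytes.fromhex("4C 8B D1 B8")
# Exact compare pattern and patch quoted in the report (imm32 = 0xFF / 0xBB).
REPORT_COMPARE_PATTERN = bytes.fromhex("4C 8B D1 B8 FF 00 00 00")
REPORT_PATCH = bytes.fromhex("B8 BB 00 00 00 C3")

OPCODE_MOV_EAX_IMM32 = 0xB8
OPCODE_RET = 0xC3
OPCODE_JMP_REL32 = 0xE9  # typical first byte of an inline hook trampoline


def classify_stub(prologue: bytes) -> dict:
    """Return a verdict and, where recoverable, the syscall number (SSN).

    Works on any snapshot of at least 8 bytes; the malware reads 32.
    """
    if len(prologue) < 8:
        raise ValueError("need at least 8 bytes of the function prologue")

    if prologue.startswith(CLEAN_STUB_PREFIX):
        # imm32 of "mov eax, imm32" is bytes 4..7, little-endian
        ssn = int.from_bytes(prologue[4:8], "little")
        return {"verdict": "clean_stub", "ssn": ssn}

    # Patched form: B8 <imm32> C3 -> mov eax, imm32 ; ret
    if prologue[0] == OPCODE_MOV_EAX_IMM32 and prologue[5] == OPCODE_RET:
        ssn = int.from_bytes(prologue[1:5], "little")
        return {"verdict": "patched_direct_syscall", "ssn": ssn}

    verdict = "unknown_or_hooked"
    return {"verdict": verdict, "ssn": None,
            "jmp_hook": prologue[0] == OPCODE_JMP_REL32}


def matches_report_patch(prologue: bytes) -> bool:
    """Exact match against the 6-byte patch quoted in the report."""
    return prologue.startswith(REPORT_PATCH)


def scan_snapshot(snapshot: dict) -> list:
    """Return (name, verdict, ssn) for every function whose stub is not clean."""
    findings = []
    for name, prologue in snapshot.items():
        result = classify_stub(prologue)
        if result["verdict"] != "clean_stub":
            findings.append((name, result["verdict"], result["ssn"]))
    return findings


# Constructed 32-byte samples (not captured from a real system). The first
# 8 bytes come from the report's patterns; the remaining bytes are assumed.
_TAIL = "F6 04 25 08 03 FE 7F 01 75 03 0F 05 C3 CD 2E C3 0F 1F 84 00 00 00 00 00"
SAMPLES = {
    "NtProtectVirtualMemory[clean]":
        bytes.fromhex("4C 8B D1 B8 FF 00 00 00 " + _TAIL),
    # After the 6-byte overwrite, bytes 6-7 of the original imm32 remain.
    "NtProtectVirtualMemory[patched]":
        bytes.fromhex("B8 BB 00 00 00 C3 00 00 " + _TAIL),
    # Assumed jmp rel32 inline hook with a made-up displacement.
    "NtProtectVirtualMemory[hooked]":
        bytes.fromhex("E9 12 34 56 78 90 90 90 " + _TAIL),
}

if __name__ == "__main__":
    for name, verdict, ssn in scan_snapshot(SAMPLES):
        print(f"{name}: {verdict} (ssn={ssn})")
```

Running the block reports the patched and hooked samples and stays silent on the clean one; in a real deployment the snapshot would come from reading each Nt* prologue out of the process being inspected, and a "patched_direct_syscall" verdict on any of them is a strong indicator of the unhooking behaviour described for Dohdoor.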
At least December 2025
Threat actors have used a previously undisclosed backdoor called Dohdoor (MITRE ATT&CK T1588.001 - Malware) against U.S. education and healthcare organizations since at least December 2025.
Education, Healthcare (industry); T1588.001 - Malware (tactic); 26 Feb: Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor.
Source: Ravie Lakshmanan, The Hacker News, Feb 26, 2026 (Malware / Threat Intelligence): "A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025."
December 2025
Threat actors used PowerShell to run curl with an encoded URL, downloading a malicious batch file that in turn fetched the Dohdoor DLL, which was then run via DLL sideloading; the command-and-control servers were hidden behind Cloudflare infrastructure.
DLL: Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading.
Windows, ProgramData, Public: The batch script then created a hidden folder in ProgramData or Public, downloaded a disguised malicious DLL, and used DLL sideloading with legitimate Windows executables to run it.
DNS, Cloudflare, HTTPS: The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic within legitimate HTTPS connections.
February 26, 2026
Public reporting describes the UAT-10027 campaign, in which threat actors deployed the stealthy Dohdoor backdoor against the U.S. education and healthcare sectors.
Education, Healthcare (industry): "UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor" (Pierluigi Paganini, Security Affairs, February 26, 2026): UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor.
2026-02-26
Threat actors used Dohdoor to target U.S. education and healthcare with stealthy backdoors, communicating with their C2 through DNS-over-HTTPS (DoH) and delivering a Cobalt Strike Beacon as the follow-on payload.
APT, Kimsuky: "North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs."
Dohdoor: UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
Healthcare, Dohdoor Backdoor: UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor.
Lazarus Group: "While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign's focus on the education and health care sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting," Talos concluded.
DLL, Windows, Fondue.exe: The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that's named "propsys.dll" or "batmeter.dll." The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., "Fondue.exe," "mblctr.exe," and "ScreenClippingHost.exe") using a technique referred to as DLL side-loading.
EDR: Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll.
UAT-10027: Although no final payloads have been observed other than what appears to be the Cobalt Strike Beacon to backdoor into the victim's environment, it's believed that UAT-10027's actions are likely driven by financial gain based on the victimology pattern, the researcher added.
DNS, Chetan Raghuprasad, The Hacker News: "Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively," security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.
Cloudflare, IP: "The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address," Talos said.
Tactical Metrics
Affected Product (infrastructure): Windows
Byte (data_breach): 6 (size of the syscall stub patch "B8 BB 00 00 00 C3")
Byte (data_breach): 16 (block size of the SIMD XOR-SUB decryption routine)
First Bytes (data_breach): 32 (bytes of the function read and compared against the syscall stub pattern "4C 8B D1 B8 FF 00 00 00")
Intelligence Sources
Security Affairs (2026-02-26)
The Hacker News (2026-02-26)
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:29
Comprehensive Tactical Telemetry
Highly Correlated Entities
25x  organisation / Identified Entity: Lazarus Group
6x   timeline / Temporal Reference: February 26, 2026
4x   industry / Targeted Sector: Education
4x   tactic / Cyber Operation Type: Ransomware
2x   source region / Origin Country: Korea, Democratic People's Republic of
2x   threat actor / APT Group: Lazarus Group
2x   tactic / MITRE ATT&CK Technique: T1059.001 - PowerShell
2x   data breach / Byte: 6
Contextual Telemetry (8 metrics)
source region / Origin Region: DPRK
malware / Offensive Tool: Cobalt Strike
infrastructure / Affected Product: Windows
general metric / Bit: 64
general metric / B8 BB: 0
data breach / First Bytes: 32
general metric / Port: 443
general metric / Date: Feb 26