An ongoing malicious campaign targeting the U.S. healthcare and education sectors since at least December 2025 has been attributed to a previously undocumented threat activity cluster. Cisco Talos is tracking the campaign as UAT-10027. The ultimate objective of the attacks is to deliver a previously unseen backdoor codenamed Dohdoor.

Although the campaign's initial access vector is still unknown, it is believed to have involved social engineering (phishing) techniques that resulted in the execution of a PowerShell script.

The PowerShell script then downloads and executes a Windows batch script from a remote staging server. That batch script, in turn, retrieves a malicious Windows dynamic-link library (DLL) named "propsys.dll" or "batmeter.dll." The DLL, which is Dohdoor itself, is launched through DLL side-loading: a legitimate Windows executable (such as "Fondue.exe," "mblctr.exe," or "ScreenClippingHost.exe") is made to load the malicious library.
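One way a defender can hunt for the side-loading pattern described above, as an added example that is not part of the Talos report: it scans Sysmon-style image-load events for the named host executables loading a DLL with one of the named payload file names from the executable's own directory rather than from the Windows system directories (the trusted-directory list and the sample events are assumptions constructed for this example).

```python
"""Flag DLL side-loading of the reported payload names (constructed example)."""
from pathlib import PureWindowsPath

# Host binaries and payload DLL names taken from the article.
HOST_EXES = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
PAYLOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Assumption: the genuine copies of these DLLs live only in these directories.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def is_sideload(event):
    """Return True when a listed host EXE loads a listed DLL name from its own
    directory and that directory is not one of the Windows system folders."""
    image = PureWindowsPath(event["Image"])          # process executable
    loaded = PureWindowsPath(event["ImageLoaded"])   # module that was mapped
    if image.name.lower() not in HOST_EXES:
        return False
    if loaded.name.lower() not in PAYLOAD_DLLS:
        return False
    if str(loaded.parent).lower() in TRUSTED_DIRS:
        return False
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    return loaded.parent == image.parent


def find_sideloads(events):
    """Return the subset of events that match the side-loading pattern."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (Sysmon Event ID 7 field names; values are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},       # benign load
    {"Image": r"C:\Users\Public\Libraries\mblctr.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\propsys.dll"}, # side-load
    {"Image": r"C:\Users\Public\Libraries\Fondue.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\batmeter.dll"},# side-load
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\propsys.dll"},      # not a listed host
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

In practice the event list would come from the Sysmon or EDR telemetry feed rather than an inline list.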

The access the implant provides is then used to retrieve a next-stage payload and execute it directly in the victim's memory. This payload is assessed to be a Cobalt Strike Beacon.

"All outgoing communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address because the threat actor conceals the C2 servers behind the Cloudflare infrastructure," Talos stated. "This method ensures that the malware's C2 communications remain covert by conventional network security infrastructure by avoiding DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups." Dohdoor has also been found to unhook system calls in order to evade endpoint detection and response (EDR) products that rely on user-mode hooks in NTDLL.dll to monitor Windows API calls.

"The attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface," Raghuprasad told ZeroOwl.

A healthcare facility specializing in care for the elderly was also among the impacted entities. To date, analysis of the campaign has found no evidence of data exfiltration. Based on the victimology pattern, UAT-10027's activity is thought to be financially motivated, even though no final payload has been observed other than what appears to be a Cobalt Strike Beacon used to backdoor the victim's environment, the researcher continued. Although the identity of the actor behind UAT-10027 is still unknown, Cisco Talos reported that it discovered some tactical parallels between Dohdoor and LazarLoader, a downloader previously linked to attacks against South Korea by the North Korean hacking collective Lazarus.

"However, [...] North Korean APT actors have used Maui ransomware to target the healthcare sector, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs."