{"id":66,"date":"2026-02-26T16:12:00","date_gmt":"2026-02-26T16:12:00","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=66"},"modified":"2026-02-26T16:12:00","modified_gmt":"2026-02-26T16:12:00","slug":"uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=66","title":{"rendered":"UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Feb 26, 2026<\/span><\/span>Malware \/ Threat Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.<\/p>\n

The campaign is being tracked by Cisco Talos under the moniker UAT-10027<\/strong>. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.<\/p>\n

\u00abDohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,\u00bb security researchers Alex Karkins and Chetan Raghuprasad said<\/a> in a technical report shared with The Hacker News.<\/p>\n

Although the initial access vector used in the campaign is currently not known, it’s suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that’s named \u00abpropsys.dll\u00bb or \u00abbatmeter.dll.\u00bb<\/p>\n

The DLL payload \u2013 i.e., Dohdoor \u2013 is launched by means of a legitimate Windows executable (e.g., \u00abFondue.exe,\u00bb \u00abmblctr.exe,\u00bb and \u00abScreenClippingHost.exe\u00bb) using a technique referred to as DLL side-loading<\/a>. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.<\/p>\n

\u00abThe threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,\u00bb Talos said.\u00a0<\/p>\n

\"\"<\/a><\/div>\n

\u00abThis technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by traditional network security infrastructure.\u00bb<\/p>\n

Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll<\/a>.<\/p>\n

There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and Lazarloader, a downloader<\/a> previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abWhile UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign\u2019s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,\u00bb Talos concluded.<\/p>\n

\u00abHowever, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector<\/a>, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Feb 26, 2026Malware \/ Threat Intelligence A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since…<\/p>\n","protected":false},"author":1,"featured_media":67,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[179,178,177,97,78,96,176],"class_list":["post-66","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-backdoor","tag-dohdoor","tag-education","tag-healthcare","tag-targets","tag-u-s","tag-uat10027"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=66"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/66\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/67"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}