A beforehand undocumented risk exercise cluster has been attributed to an ongoing malicious marketing campaign focusing on training and healthcare sectors within the U.S. since not less than December 2025.
The marketing campaign is being tracked by Cisco Talos below the moniker UAT-10027. The top aim of the assaults is to ship a never-before-seen backdoor codenamed Dohdoor.
“Dohdoor makes use of the DNS-over-HTTPS (DoH) approach for command-and-control (C2) communications and has the power to obtain and execute different payload binaries reflectively,” safety researchers Alex Karkins and Chetan Raghuprasad stated in a technical report shared with The Hacker Information.
Though the preliminary entry vector used within the marketing campaign is at present not recognized, it is suspected to contain the usage of social engineering phishing strategies, resulting in the execution of a PowerShell script.
The script then proceeds to obtain and run a Home windows batch script from a distant staging server, which, for its half, facilitates the obtain of a malicious Home windows dynamic-link library (DLL) that is named “propsys.dll” or “batmeter.dll.”
The DLL payload – i.e., Dohdoor – is launched via a reliable Home windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) utilizing a way known as DLL side-loading. The backdoored entry created by the implant is used to retrieve a next-stage payload straight into the sufferer’s reminiscence and execute it. The payload is assessed to be a Cobalt Strike Beacon.
“The risk actor hides the C2 servers behind the Cloudflare infrastructure, making certain that every one outbound communication from the sufferer machine seems as reliable HTTPS site visitors to a trusted international IP deal with,” Talos stated.
“This system bypasses DNS-based detection techniques, DNS sinkholes, and community site visitors evaluation instruments that monitor suspicious area lookups, making certain that the malware’s C2 communications stay stealth by conventional community safety infrastructure.”
Dohdoor has additionally been discovered to unhook system calls to bypass endpoint detection and response (EDR) options that monitor Home windows API calls by means of user-mode hooks in NTDLL.dll.
There’s at present no readability on who’s behind UAT-10027, however Cisco Talos stated it discovered some tactical similarities between Dohdoor and Lazarloader, a downloader beforehand recognized as utilized by the North Korean hacking group Lazarus in assaults geared toward South Korea.
“Whereas UAT-10027’s malware shares technical overlaps with the Lazarus Group, the marketing campaign’s deal with the training and well being care sectors deviates from Lazarus’ typical profile of cryptocurrency and protection focusing on,” Talos concluded.
“Nevertheless, […] North Korean APT actors have focused the healthcare sector utilizing Maui ransomware, and one other North Korean APT group, Kimsuky, has focused the training sector, highlighting the overlaps within the victimology of UAT-10027 with that of different North Korean APTs.”
