UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor

UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor.
Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor.
Initial access likely occurs through phishing, which triggers a PowerShell script that downloads a batch file; the batch file in turn fetches a malicious DLL named Dohdoor and executes it via DLL sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic within legitimate HTTPS connections. This allows attackers to deploy additional payloads, such as Cobalt Strike, directly into memory while evading security detection and maintaining persistent access.

Attackers used PowerShell to run curl with an encoded URL, downloading a malicious .bat or .cmd file that was likely delivered through phishing. The batch script then created a hidden folder in ProgramData or Public, downloaded a disguised malicious DLL, and used DLL sideloading with legitimate Windows executables to run it. Finally, it performed anti-forensic actions, clearing Run history, wiping the clipboard, and deleting itself to reduce traces of compromise.
UAT-10027 deployed a 64-bit DLL loader, Dohdoor, compiled in November 2025, to download, decrypt, and run payloads inside legitimate Windows processes. Dohdoor resolves Windows APIs through hash-based lookups, parses command-line arguments from the sideloaded executable, and extracts the C2 URL and payload path. It uses DNS-over-HTTPS to query Cloudflare over port 443, builds crafted HTTP requests, and parses JSON responses by searching for “Answer” and “data” fields to obtain the C2 IP address.
After resolving the server, Dohdoor sends HTTPS GET requests that mimic curl traffic and retrieves an encrypted payload. It decrypts the payload with a custom XOR-SUB algorithm using SIMD routines for 16-byte blocks and a position-dependent formula for remaining bytes.
“Dohdoor receives an encrypted payload from the C2 server. The encrypted payload undergoes custom XOR-SUB decryption using a position-dependent cipher. The encrypted data maintains a 4:1 expansion ratio where the encrypted data is four times larger than the decrypted data,” reads Talos’s report. “The decryption routine of Dohdoor operates in two ways: a vectorized (Single Instruction, Multiple Data) SIMD method for bulk processing and a simpler loop to handle the remaining encrypted data.”
The loader then performs process hollowing, injecting the decrypted payload into suspended Windows binaries such as OpenWith.exe or wksprt.exe before resuming execution.
To evade EDR, Dohdoor locates ntdll.dll, checks NtProtectVirtualMemory for user-mode hooks, and patches the syscall stub to create a direct syscall trampoline.
“Dohdoor achieves this by locating ntdll.dll with the hash “0x28cc” and finding NtProtectVirtualMemory with the hash “0xbc46c894”,” continues the report. “Then it reads the first 32 bytes of the function using ReadProcessMemory that dynamically loads during the execution and compares them with the syscall stub pattern in hexadecimal “4C 8B D1 B8 FF 00 00 00” which corresponds to the assembly instructions “mov r10, rcx; mov eax, 0FFh”. If the byte pattern matches, it writes a 6-byte patch in hexadecimal “B8 BB 00 00 00 C3” which corresponds to assembly instruction “mov eax, 0BBh; ret”, resulting in creating a direct syscall stub that bypasses any user mode hooks.”
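The byte patterns quoted above are enough to build a simple integrity check for ntdll syscall stubs. The following is an added example, not code from Talos or from this article: it classifies the first bytes of an Nt* function prologue as a clean stub, the 6-byte patch the report describes, or something else, and flags tampered entries in a constructed sample. It assumes the prologue bytes have already been read from the process of interest; the Windows memory-reading step is left out so the check runs offline.

```python
import struct

# Prologue of an unhooked x64 ntdll syscall stub: mov r10, rcx ; mov eax, imm32
# (the report quotes "4C 8B D1 B8 FF 00 00 00"; the imm32 is the syscall number,
# so the check below matches only the fixed 4-byte prefix and reads the immediate)
CLEAN_STUB_PREFIX = bytes.fromhex("4C8BD1B8")


def classify_prologue(prologue: bytes) -> dict:
    """Classify the first bytes of an Nt* function and recover the syscall number.

    Returns {"verdict": ..., "ssn": int or None}. Verdicts:
      clean_syscall_stub   - expected mov r10, rcx ; mov eax, imm32
      direct_syscall_patch - the 6-byte mov eax, imm32 ; ret overwrite (B8 .. C3)
      inline_jmp           - a jmp at the entry, as a user-mode hook typically plants
      unknown              - anything else; worth a closer look
    """
    if len(prologue) < 8:
        raise ValueError("need at least 8 bytes of the function prologue")
    if prologue.startswith(CLEAN_STUB_PREFIX):
        ssn = struct.unpack_from("<I", prologue, 4)[0]
        return {"verdict": "clean_syscall_stub", "ssn": ssn}
    if prologue[0] == 0xB8 and prologue[5] == 0xC3:
        ssn = struct.unpack_from("<I", prologue, 1)[0]
        return {"verdict": "direct_syscall_patch", "ssn": ssn}
    if prologue[0] == 0xE9 or prologue[:2] == b"\xff\x25":
        return {"verdict": "inline_jmp", "ssn": None}
    return {"verdict": "unknown", "ssn": None}


def find_tampered_stubs(prologues: dict) -> list:
    """Return the names whose prologue no longer looks like a clean syscall stub."""
    return [name for name, data in prologues.items()
            if classify_prologue(data)["verdict"] != "clean_syscall_stub"]


# Constructed sample (hypothetical process dump): the clean pattern the report
# quotes, and the same stub after the 6-byte patch has overwritten its first bytes.
SAMPLE_PROLOGUES = {
    "NtProtectVirtualMemory@clean_host": bytes.fromhex("4C8BD1B8FF000000"),
    "NtProtectVirtualMemory@suspect_host": bytes.fromhex("B8BB000000C30000"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_PROLOGUES.items():
        print(name, classify_prologue(data))
    print("tampered:", find_tampered_stubs(SAMPLE_PROLOGUES))
```

On a live system the same comparison can be run against the on-disk copy of ntdll.dll, since an unpatched stub in memory must match the file's prologue bytes.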
Telemetry suggests the actor likely used a Cobalt Strike Beacon as the follow-on payload.

Talos assesses with low confidence that UAT-10027 links to North Korea due to overlaps with the Lazarus Group. Dohdoor shares traits with Lazarloader, including a custom XOR-SUB routine using the 0x26 constant and NTDLL unhooking for EDR evasion. The campaign also uses DoH via Cloudflare, DLL sideloading, process hollowing, and mixed-case TLDs—tradecraft seen in Lazarus operations.
“In addition to the observed technical characteristics similarities of the tools, the use of multiple top-level domains (TLDs) including “.design”, “.software”, and “.online”, with varying case patterns, also aligns with the operational preferences of Lazarus. While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” concludes the report. “However, Talos has historically seen that North Korean APT actors have targeted the health care sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”
Pierluigi Paganini
(SecurityAffairs – hacking, UAT-10027)