UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor


Ravie Lakshmanan | Feb 26, 2026 | Malware / Threat Intelligence

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting the education and healthcare sectors in the U.S. since at least December 2025.

The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.

“Dohdoor uses the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.

Although the initial access vector used in the campaign is currently not known, it is suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.

The script then proceeds to download and run a Windows batch script from a remote staging server, which, in turn, facilitates the download of a malicious Windows dynamic-link library (DLL) named “propsys.dll” or “batmeter.dll.”

The DLL payload, i.e., Dohdoor, is launched via a legitimate Windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique called DLL side-loading. The backdoor access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.

“The threat actor hides the C2 servers behind Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said.

“This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealthy against traditional network security infrastructure.”

Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls via user-mode hooks in NTDLL.dll.
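Two of the behaviours described above, the side-loading of propsys.dll or batmeter.dll by Fondue.exe, mblctr.exe or ScreenClippingHost.exe, and DoH-based C2 from a process that has no business resolving names over HTTPS, lend themselves to simple host-side detection checks. The Python below is an added example, not code from Talos or from the article; the executable and DLL names come from the article, while the event format, sample records, browser allow-list and trusted-directory list are assumptions.

```python
import ntpath

# Executable and DLL names are those named in the article; the event shape,
# sample records and browser list are constructed for this example.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def is_suspicious_image_load(host_path, dll_path):
    # Abused host executable loading propsys.dll/batmeter.dll from outside
    # System32/SysWOW64: the DLL side-loading pattern the article describes.
    host = ntpath.basename(host_path).lower()
    dll = ntpath.basename(dll_path).lower()
    if host not in SIDELOAD_HOSTS or dll not in SIDELOAD_DLLS:
        return False
    return not dll_path.lower().startswith(TRUSTED_DIRS)

def is_doh_from_unexpected_process(process_path, url, content_type):
    # RFC 8484 DoH (the /dns-query endpoint or an application/dns-message
    # body) issued by a process that is not a browser (assumed allow-list).
    proc = ntpath.basename(process_path).lower()
    path = url.lower().split("?", 1)[0]
    looks_like_doh = (path.endswith("/dns-query")
                      or content_type.lower() == "application/dns-message")
    return looks_like_doh and proc not in BROWSERS

# Constructed sample telemetry in the shape an EDR image-load feed and a
# TLS-inspecting proxy log might emit. All paths and URLs are made up.
IMAGE_LOADS = [
    (r"C:\Windows\System32\mblctr.exe", r"C:\Windows\System32\propsys.dll"),
    (r"C:\Users\Public\Update\Fondue.exe", r"C:\Users\Public\Update\propsys.dll"),
    (r"C:\Users\Public\Update\ScreenClippingHost.exe",
     r"C:\Users\Public\Update\batmeter.dll"),
]
HTTP_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "https://dns.example.invalid/dns-query?dns=AAABAAABAAAAAAAA", ""),
    (r"C:\Users\Public\Update\Fondue.exe",
     "https://doh.example.invalid/dns-query", "application/dns-message"),
]

def triage(image_loads=IMAGE_LOADS, http_events=HTTP_EVENTS):
    # One alert string per record that matches either detection.
    alerts = [f"side-load: {h} -> {d}" for h, d in image_loads
              if is_suspicious_image_load(h, d)]
    alerts += [f"doh: {p} -> {u}" for p, u, c in http_events
               if is_doh_from_unexpected_process(p, u, c)]
    return alerts
```

Against the constructed records, the legitimate mblctr.exe loading propsys.dll from System32 and the browser's DoH query are left alone, while the two side-loads from a user-writable directory and the DoH request from Fondue.exe are flagged.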

There’s currently no clarity on who’s behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and Lazarloader, a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea.

“While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” Talos concluded.

“However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”
