
UAT-10027 Targets U.S. Healthcare with Dohdoor Malware Using DoH C2

Reza Rafati

Cybersecurity researchers have uncovered a previously undocumented intrusion campaign targeting organizations in the United States healthcare and education sectors. The activity cluster, tracked as UAT-10027, is delivering a newly identified backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) communications to conceal command-and-control traffic.

The campaign was identified by Cisco Talos researchers, who observed attackers deploying a multi-stage infection chain designed to maintain stealth inside victim networks. By combining phishing-based access, PowerShell execution, DLL side-loading, and encrypted DNS command channels, the attackers are able to bypass several traditional network detection controls.

The discovery highlights a growing trend among threat actors abusing legitimate cloud infrastructure and encrypted DNS command channels to evade enterprise monitoring systems while maintaining persistent access to targeted environments.

Attack Chain and Initial Access

According to Cisco Talos, the precise initial intrusion vector has not yet been confirmed, but investigators believe the campaign likely begins with targeted phishing or social engineering techniques. Victims are believed to be tricked into executing a malicious PowerShell script, which acts as the first-stage downloader within the infection chain.

Once executed, the script retrieves a secondary Windows batch file from an attacker-controlled staging server. This batch script is responsible for downloading a malicious dynamic-link library (DLL) payload disguised as legitimate system components such as propsys.dll or batmeter.dll. The attackers then leverage a technique known as DLL side-loading, abusing trusted Windows executables like Fondue.exe, mblctr.exe, or ScreenClippingHost.exe to load the malicious library.

This approach allows the malware to execute under the context of legitimate Windows processes, making detection significantly more difficult for traditional endpoint protection tools.

Dohdoor Backdoor Uses DNS-over-HTTPS to Evade Detection

The final payload delivered during the campaign is a previously unseen malware implant dubbed Dohdoor. The backdoor communicates with its command-and-control infrastructure using DNS-over-HTTPS (DoH), routing command traffic through encrypted DNS channels embedded within standard HTTPS traffic.

This technique allows malicious activity to blend into normal encrypted web traffic, helping it evade many DNS monitoring tools, sinkholes, and network inspection systems that rely on detecting suspicious domain lookups.

Once deployed, the malware establishes persistent access to the infected system and is capable of downloading and executing additional payloads directly into memory. Cisco Talos researchers observed the malware retrieving what appears to be a Cobalt Strike Beacon, a widely used post-exploitation framework frequently leveraged by both advanced threat actors and cybercriminal groups.

The attackers also conceal their command infrastructure behind Cloudflare services, ensuring outbound traffic appears to communicate with legitimate global cloud infrastructure rather than suspicious attacker-controlled servers.

EDR Evasion, Victimology, and Possible Attribution Signals

Further analysis of the malware indicates that Dohdoor incorporates techniques designed to evade modern endpoint detection and response (EDR) systems. The malware is capable of unhooking system calls in order to bypass security products that rely on monitoring Windows API calls through user-mode hooks in NTDLL.dll. By restoring original system call behavior, the implant can execute sensitive operations without triggering certain behavioral monitoring controls.

Researchers observed that the campaign has primarily targeted organizations within the U.S. education and healthcare sectors. At least one compromised university environment was found to have connections to multiple other academic institutions, potentially expanding the reach of the intrusion if attackers were able to move laterally across trusted networks.

In addition, one of the confirmed victims was a healthcare facility specializing in elderly care, highlighting the continued exposure of critical healthcare infrastructure to targeted cyber intrusions.

While investigators have not yet observed direct data exfiltration, the deployment of Cobalt Strike strongly suggests the attackers were establishing long-term access for follow-on operations such as credential harvesting, lateral movement, or ransomware deployment.

Talos researchers also noted technical overlaps between Dohdoor and LazarLoader, a malware downloader historically associated with the North Korean Lazarus Group. However, analysts caution that the targeting profile seen in the UAT-10027 campaign differs from typical Lazarus operations, which more commonly focus on cryptocurrency theft, financial institutions, or defense-related targets.

Why the UAT-10027 Campaign Matters

The UAT-10027 campaign illustrates how modern threat actors are combining multiple evasion techniques — including DLL side-loading, encrypted DNS command channels, and trusted cloud infrastructure — to maintain stealth inside enterprise environments.

For defenders, the campaign reinforces the importance of monitoring behavioral indicators rather than relying solely on domain reputation or DNS-based detection. Organizations should focus on identifying suspicious process chains, abnormal PowerShell activity, and unexpected child processes spawned by legitimate Windows binaries.

Security teams in healthcare and education environments should also pay particular attention to segmentation and privileged access controls. These sectors frequently operate complex interconnected networks where a single compromised institution may provide attackers with opportunities to pivot into partner organizations, research networks, or shared services infrastructure.

While attribution for UAT-10027 remains uncertain, the technical sophistication of the malware and the stealth techniques employed suggest that the campaign may represent a growing class of financially motivated intrusion operations that borrow techniques commonly seen in advanced persistent threat activity.

As encrypted protocols and cloud-based infrastructure become increasingly central to enterprise networks, security teams must adapt detection strategies to identify adversaries hiding malicious activity within legitimate services.

The campaign was first detailed by Cisco Talos researchers, who analyzed the malware’s command infrastructure and infection chain. Their full technical report can be found here.

Indicators of Compromise and Detection Opportunities

Cisco Talos researchers identified several behavioral and infrastructure indicators associated with the UAT-10027 campaign. Security teams monitoring enterprise environments should watch for the following artifacts and activity patterns.

Malicious Files and Loader Activity

  • DLL side-loading using files named propsys.dll or batmeter.dll
  • Execution through legitimate Windows binaries including Fondue.exe, mblctr.exe, and ScreenClippingHost.exe
  • PowerShell scripts invoking curl.exe to download staged batch files

Process Hollowing Targets

  • C:\Windows\System32\OpenWith.exe
  • C:\Windows\System32\wksprt.exe
  • C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  • C:\Program Files\Windows Mail\wab.exe

Network Indicators

  • DNS-over-HTTPS queries sent to Cloudflare DNS infrastructure
  • Suspicious subdomains such as MswInSofTUpDloAd and DEEPinSPeCTioNsyStEM
  • JA3S TLS fingerprint 466556e923186364e82cbdb4cad8df2c

Detection Signatures

  • ClamAV signatures: Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0, Ps1.Loader.Dohdoor-10059533-0, Ps1.Loader.Dohdoor-10059534-0
  • SNORT rules: 65950, 65951, 65949 (Snort2) and 301407, 65949 (Snort3)

Talos published the full set of indicators and infrastructure details in their public repository, allowing defenders to cross-check environments for signs of compromise.
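The behavioural hunting the article recommends (suspicious process chains, PowerShell spawning curl.exe, unexpected children of the side-loading hosts) and the indicator list above can be expressed as a small rule set. The block below is an added example written for this page, not Cisco Talos tooling or code from their repository. The event schema (JSON lines with `type`, `image`, `parent`, `loaded`, `sni`, `ja3s`, `qname`) is assumed, as is the rule that propsys.dll or batmeter.dll loaded from outside the Windows system directories by Fondue.exe, mblctr.exe or ScreenClippingHost.exe is suspect; the Cloudflare resolver names and the assumption that endpoints should not contact a public DoH resolver directly are mine, not from the article. File names, hollowing targets, subdomain labels and the JA3S value come from the indicator list; every telemetry line is constructed sample data. Query-name matching only helps where DoH is terminated at an enterprise proxy or where host-side DNS client logs expose the name, which is why the TLS-level checks are included as well.

```python
"""Hunt over constructed endpoint/network telemetry for UAT-10027 tradecraft.

Added example for this article, not Cisco Talos tooling. The event schema is
assumed; file names, hollowing targets, subdomain labels and the JA3S value
come from the article's indicator list. All event lines are constructed.
"""
import json

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
HOLLOW_TARGETS = {
    r"c:\windows\system32\openwith.exe",
    r"c:\windows\system32\wksprt.exe",
    r"c:\program files\windows photo viewer\imagingdevices.exe",
    r"c:\program files\windows mail\wab.exe",
}
DOH_LABELS = {"mswinsoftupdload", "deepinspectionsystem"}  # matched case-insensitively
JA3S_IOC = "466556e923186364e82cbdb4cad8df2c"
# Assumption: DNS is pinned to an internal resolver, so endpoint TLS sessions
# whose SNI is a public Cloudflare DoH endpoint are anomalous on their own.
DOH_RESOLVER_SNI = {"cloudflare-dns.com", "one.one.one.one"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names that match one event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        if parent == "powershell.exe" and image == "curl.exe":
            hits.append("powershell_spawns_curl")
        if parent in SIDELOAD_HOSTS:
            # A side-loading host should not be spawning children at all.
            hits.append("sideload_host_spawns_child")
            if ev["image"].lower() in HOLLOW_TARGETS:
                hits.append("hollowing_target_spawned")
    elif kind == "imageload":
        loaded = ev["loaded"].lower()
        if (basename(ev["image"]) in SIDELOAD_HOSTS
                and basename(loaded) in SIDELOAD_DLLS
                and not loaded.startswith(SYSTEM_DIRS)):
            hits.append("dll_sideload_outside_system32")
    elif kind == "tls":
        if ev.get("ja3s", "").lower() == JA3S_IOC:
            hits.append("ja3s_ioc_match")
        if ev.get("sni", "").lower() in DOH_RESOLVER_SNI:
            hits.append("doh_resolver_contact")
    elif kind == "dns":
        labels = {lab.lower() for lab in ev["qname"].rstrip(".").split(".")}
        if labels & DOH_LABELS:
            hits.append("dohdoor_subdomain_label")
    return hits


def hunt(lines):
    """Parse JSON-lines telemetry; return [(event id, [rules])] for hits only."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rules = check_event(ev)
        if rules:
            findings.append((ev["id"], rules))
    return findings


# Constructed sample telemetry: benign events (1, 4) plus events shaped like
# the infection chain the article describes.
SAMPLE = r"""
{"id": 1, "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"}
{"id": 2, "type": "process", "image": "C:\\Windows\\System32\\curl.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"id": 3, "type": "imageload", "image": "C:\\Users\\Public\\Fondue.exe", "loaded": "C:\\Users\\Public\\propsys.dll"}
{"id": 4, "type": "imageload", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\propsys.dll"}
{"id": 5, "type": "process", "image": "C:\\Windows\\System32\\OpenWith.exe", "parent": "C:\\Users\\Public\\Fondue.exe"}
{"id": 6, "type": "tls", "sni": "cloudflare-dns.com", "ja3s": "466556e923186364e82cbdb4cad8df2c"}
{"id": 7, "type": "dns", "qname": "MswInSofTUpDloAd.example.invalid"}
"""

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE.splitlines()):
        print(event_id, ", ".join(rules))
```

Event 4 is the control case: the genuine propsys.dll loaded from System32 by a process that is not one of the named hosts produces no hit, which is the distinction a rule on file name alone would miss. The JA3S match is the one indicator here that survives the encryption of the DoH channel itself, so it belongs in a TLS sensor rule rather than in DNS logging.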