North Korean-linked hackers target US healthcare and education with new backdoor malware


Privacy Reporter

Cisco Talos researchers uncover ongoing campaign by suspected North Korean group UAT-10027 using previously unseen 'Dohdoor' backdoor to infect US education and healthcare organizations since December 2025.

Suspected North Korean digital intruders have been actively targeting US healthcare and education organizations with a previously unknown backdoor malware since at least December 2025, according to new research from Cisco Talos.

Healthcare and education under attack

The campaign, attributed to a group Cisco Talos tracks as UAT-10027, has specifically targeted educational institutions and healthcare facilities, including elderly care providers. "We observed that the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface," said Chetan Raghuprasad, a Cisco Talos researcher.

This victimology suggests financial motives rather than the typical espionage objectives associated with North Korean cyber operations. The healthcare facility infection is particularly concerning given the critical nature of medical infrastructure.

The new Dohdoor backdoor

At the heart of this campaign is a previously undocumented piece of malware that Talos researchers have dubbed "Dohdoor". The backdoor shares technical characteristics with Lazarloader, malware associated with Lazarus Group, which suggests a connection to North Korean cyber operations.

Infection chain and techniques

The attack begins with social engineering: phishing emails deliver a PowerShell downloader. The downloader retrieves a Windows batch-script dropper from a remote staging server, and the dropper sets up DLL sideloading, placing a malicious DLL where a legitimate executable will load it in place of the library it expects.

The malicious DLL is named "propsys.dll" or "batmeter.dll", matching the names of legitimate Windows libraries so that the host executable loads it without complaint. It acts as a loader: it downloads, decrypts, and executes further payloads inside legitimate Windows processes, giving the attackers backdoor access to the compromised environment.

Once the loader is running, it fetches a Cobalt Strike Beacon and executes it directly from memory, without writing it to disk, giving the operators ongoing hands-on command-and-control over the host.

Advanced evasion tactics

UAT-10027 employs several sophisticated techniques to avoid detection:

  • DNS-over-HTTPS (DoH): The malware resolves its command-and-control (C2) server addresses through Cloudflare's DoH service, so the lookups travel inside ordinary HTTPS sessions to port 443 rather than as plaintext DNS on port 53. Resolver logs, passive DNS and DNS-filtering tools never see the C2 domain; all a network sensor observes is a TLS connection to Cloudflare.

  • Process hollowing: The malware starts a legitimate Windows binary in a suspended state, replaces its in-memory image with the malicious payload, and resumes it, so the payload runs under the name and path of a trusted process.

  • EDR bypass: Many endpoint detection and response products monitor Windows API calls by placing user-mode hooks on the system-call stubs in ntdll.dll. The backdoor identifies the stubs that have been patched and restores their original bytes, so its own calls reach the kernel without passing through the hooks and that layer of monitoring goes blind.

"The NTDLL unhooking technique used to bypass EDR monitoring by identifying and restoring system call stubs aligns with features found in earlier Lazarloader variants," researchers Alex Karkins and Chetan Raghuprasad noted in their report.
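As an added byte-level model of the unhooking the researchers describe (not Talos' or the malware's code): the x64 Nt* system-call stub as ntdll.dll lays it out, what an inline user-mode EDR hook turns it into, how a loader identifies patched stubs and restores them from a clean copy, and the defender's counter-check. It runs on constructed byte strings, never on a live process; the system-call numbers 0x18, 0x3A and 0x50, the hook offset and the set of stubs the EDR hooked are placeholders.

```python
"""Added example, not Talos' or the malware's code: identify and restore
hooked ntdll.dll system-call stubs, modelled on constructed bytes."""
import struct

STUB_SIZE = 32                   # ntdll aligns each Nt* export on 32 bytes
PROLOGUE = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, imm32


def clean_stub(ssn: int) -> bytes:
    """Unhooked stub, byte for byte as ntdll.dll stores it on x64."""
    body = (b"\x4c\x8b\xd1"                           # mov r10, rcx
            + b"\xb8" + struct.pack("<I", ssn)        # mov eax, SSN
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"     # test byte ptr [7FFE0308h], 1
            + b"\x75\x03"                             # jne  short +3
            + b"\x0f\x05"                             # syscall
            + b"\xc3"                                 # ret
            + b"\xcd\x2e"                             # int  2Eh
            + b"\xc3")                                # ret
    return body + b"\x0f\x1f\x84\x00\x00\x00\x00\x00"  # 8-byte nop pad to 32


def hook_stub(stub: bytes, rel32: int) -> bytes:
    """Inline hook as an EDR installs it: the first 5 bytes become
    jmp rel32 to the product's trampoline; the tail is left in place."""
    return b"\xe9" + struct.pack("<i", rel32) + stub[5:]


def is_hooked(stub: bytes) -> bool:
    """A stub that no longer opens with mov r10,rcx / mov eax,imm32 has
    been patched; this is the 'identify' step."""
    return stub[:4] != PROLOGUE


def syscall_number(stub: bytes):
    """SSN from a clean stub; None when the imm32 can no longer be trusted."""
    return None if is_hooked(stub) else struct.unpack_from("<I", stub, 4)[0]


def _stub_offsets(blob) -> range:
    return range(0, len(blob), STUB_SIZE)


def restore_stubs(in_memory: bytearray, on_disk: bytes) -> list[int]:
    """The 'restore' step: copy pristine bytes over every hooked stub from a
    clean image of ntdll.dll. Returns the indices that were rewritten."""
    restored = []
    for off in _stub_offsets(in_memory):
        if is_hooked(in_memory[off:off + STUB_SIZE]):
            in_memory[off:off + STUB_SIZE] = on_disk[off:off + STUB_SIZE]
            restored.append(off // STUB_SIZE)
    return restored


def hooks_missing(in_memory: bytes, hooked_by_edr: list[int]) -> list[int]:
    """Defender's counter-check: the EDR knows which stubs it patched; any
    of them that now reads as pristine has been unhooked by someone else."""
    return [i for i in hooked_by_edr
            if not is_hooked(in_memory[i * STUB_SIZE:(i + 1) * STUB_SIZE])]


# Constructed image of three stubs. The SSNs are placeholders; real numbers
# change between Windows builds.
SSNS = [0x18, 0x3A, 0x50]
ON_DISK = b"".join(clean_stub(n) for n in SSNS)
EDR_HOOKED = [0, 2]   # assume the EDR hooked the first and third stub


def build_hooked_image() -> bytearray:
    mem = bytearray(ON_DISK)
    for i in EDR_HOOKED:
        off = i * STUB_SIZE
        mem[off:off + STUB_SIZE] = hook_stub(ON_DISK[off:off + STUB_SIZE], 0x1000)
    return mem


def walkthrough() -> dict:
    mem = build_hooked_image()
    before = hooks_missing(mem, EDR_HOOKED)      # [] : hooks intact
    restored = restore_stubs(mem, ON_DISK)        # loader unhooks
    after = hooks_missing(mem, EDR_HOOKED)        # [0, 2] : alert
    return {"restored": restored, "missing_before": before,
            "missing_after": after, "matches_disk": bytes(mem) == ON_DISK,
            "ssns": [syscall_number(mem[o:o + STUB_SIZE]) for o in _stub_offsets(mem)]}


if __name__ == "__main__":
    print(walkthrough())
```

The restore only removes the user-mode hooks; kernel-side telemetry such as process and thread callbacks and ETW providers is not touched by it, which is why defenders should not rely on ntdll hooks as their sole source of API visibility.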

North Korean connections

Talos attributes the campaign to UAT-10027 and assesses only "with low confidence" that the group is North Korean, but the technical overlaps with Lazarus Group are significant: DoH via Cloudflare, process hollowing, and DLL sideloading with disguised filenames such as "propsys.dll" have all appeared in previous Lazarus campaigns.

However, the focus on education and healthcare sectors represents a departure from Lazarus' typical targeting of cryptocurrency and defense organizations. This shift may reflect evolving North Korean cyber strategies or the activities of subgroups with different objectives.

Recent developments suggest Lazarus has indeed expanded its targeting. Symantec and Carbon Black researchers warned earlier this week that Lazarus has begun using Medusa ransomware in extortion attacks, including at least one targeting a US healthcare organization.

Other North Korean groups have also targeted these sectors: Andariel, a subgroup acting as the cyber-arm of North Korea's military intelligence agency, has previously used Maui and Play ransomware in healthcare sector intrusions. Kimsuky, another Pyongyang intelligence-gathering group, has conducted campaigns against educational institutions.

Implications and response

The discovery of this ongoing campaign highlights the persistent threat posed by North Korean cyber operations and their willingness to target critical infrastructure sectors. The use of a new backdoor with advanced evasion techniques demonstrates the continued evolution of these threat actors' capabilities.

Organizations in the education and healthcare sectors should review their security posture against the specific techniques of this campaign: phishing defenses and alerting on PowerShell launched from mail and Office clients; endpoint visibility for DLL sideloading, in particular propsys.dll or batmeter.dll loaded from outside the Windows system directories; network monitoring for DoH connections to Cloudflare from processes that are not browsers; and telemetry that does not depend solely on user-mode hooks in ntdll.dll, since the backdoor removes those. The combination of social engineering, purpose-built malware and evasion tactics makes this a threat that requires layered defenses.

The campaign remains active, and the potential for lateral movement from initially compromised educational institutions to other connected organizations presents an ongoing risk that security teams must address proactively.
