New Threat Actor UAT-10027 Deploys Dohdoor Backdoor Against US Education and Healthcare Using DNS-over-HTTPS for Stealth C2

Cisco Talos has disclosed a previously undocumented threat activity cluster tracked as UAT-10027 that has been targeting US education and healthcare organizations since at least December 2025 with a novel backdoor called Dohdoor.

The backdoor uses DNS-over-HTTPS (DoH) for command-and-control communications and hides behind Cloudflare infrastructure, making all outbound C2 traffic appear as legitimate HTTPS connections to trusted global IP addresses — effectively invisible to traditional network monitoring.

While no data exfiltration has been confirmed yet, Talos assesses the campaign is likely financially motivated based on victimology patterns, with confirmed infections at multiple educational institutions including a university connected to several other organizations, and at least one elderly care healthcare facility.

Infection Chain

The initial access vector remains unconfirmed but is suspected to involve social engineering phishing. The attack chain proceeds through multiple stages:

  1. PowerShell execution — initial script downloads and runs a Windows batch file from a remote staging server
  2. DLL payload delivery — the batch script fetches a malicious DLL named either propsys.dll or batmeter.dll
  3. DLL sideloading — the payload is launched through legitimate Windows executables (Fondue.exe, mblctr.exe, or ScreenClippingHost.exe) to bypass security controls
  4. In-memory payload execution — Dohdoor retrieves a next-stage payload directly into victim memory and executes it reflectively
  5. Cobalt Strike deployment — the final observed payload is assessed to be a Cobalt Strike Beacon for persistent backdoor access

Why DoH Makes Detection Difficult

Traditional network security relies heavily on DNS monitoring to identify malicious domains and C2 communication. Dohdoor sidesteps this entirely by using DNS-over-HTTPS, which encrypts DNS queries within standard HTTPS traffic.

Combined with Cloudflare's infrastructure sitting in front of the C2 servers, all outbound communication from infected machines appears as normal HTTPS traffic to a trusted CDN. This bypasses DNS-based detection, DNS sinkholes, and network traffic analysis tools that flag suspicious domain lookups.
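Because the DNS lookups themselves are encrypted, the remaining network signal is the TLS session to the resolver. The following is an added example (not from the Talos report) that reads Zeek-style ssl.log records as JSON and flags connections whose SNI or destination IP matches a public DoH resolver, from clients that are not expected to use DoH. The resolver hostnames and IPs are the providers' published ones; the log lines and the client allowlist are constructed for the demonstration.

```python
"""Flag DNS-over-HTTPS sessions from endpoints that should not be using DoH.

Added example, not code from the Talos report. Input: Zeek ssl.log records
as JSON (fields ts, id.orig_h, id.resp_h, id.resp_p, server_name).
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Public DoH resolver hostnames (TLS SNI) and well-known resolver IPs.
# Assumption: this is a starting list to be extended from your own telemetry.
DOH_SNI = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one",
    "dns.google", "dns.quad9.net",
}
DOH_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Constructed allowlist: hosts where DoH is expected (e.g. browsers configured for it).
DOH_ALLOWED_CLIENTS = {"10.0.5.21"}


@dataclass(frozen=True)
class DohHit:
    ts: float
    client: str
    server: str
    sni: str
    reason: str


def classify(record: dict) -> Optional[DohHit]:
    """Return a DohHit if the TLS session looks like DoH from an unexpected client."""
    client = record.get("id.orig_h", "")
    if client in DOH_ALLOWED_CLIENTS:
        return None
    if record.get("id.resp_p") != 443:          # DoH rides on 443; DoT (853) is out of scope here
        return None
    sni = (record.get("server_name") or "").lower().rstrip(".")
    server = record.get("id.resp_h", "")
    if sni in DOH_SNI:
        reason = f"SNI matches public DoH resolver {sni}"
    else:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            return None
        if ip not in DOH_IPS:
            return None
        reason = f"HTTPS to public resolver IP {server}"
    return DohHit(float(record.get("ts", 0)), client, server, sni, reason)


def scan_ssl_log(lines) -> list[DohHit]:
    """Run classify() over raw JSON lines, skipping blank or malformed ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(rec)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample ssl.log lines, not real traffic.
SAMPLE_SSL_LOG = """
{"ts": 1765000001.1, "id.orig_h": "10.0.5.21", "id.resp_h": "104.16.248.249", "id.resp_p": 443, "server_name": "cloudflare-dns.com"}
{"ts": 1765000002.2, "id.orig_h": "10.0.7.44", "id.resp_h": "104.16.249.249", "id.resp_p": 443, "server_name": "cloudflare-dns.com"}
{"ts": 1765000003.3, "id.orig_h": "10.0.7.44", "id.resp_h": "8.8.8.8", "id.resp_p": 443, "server_name": ""}
{"ts": 1765000004.4, "id.orig_h": "10.0.7.44", "id.resp_h": "104.18.32.7", "id.resp_p": 443, "server_name": "www.example.com"}
{"ts": 1765000005.5, "id.orig_h": "10.0.9.10", "id.resp_h": "1.1.1.1", "id.resp_p": 853, "server_name": "one.one.one.one"}
"""

if __name__ == "__main__":
    for h in scan_ssl_log(SAMPLE_SSL_LOG.splitlines()):
        print(f"{h.ts:.1f} {h.client} -> {h.server} ({h.sni or 'no SNI'}): {h.reason}")
```

Two of the five constructed sessions are flagged: the allowlisted client is ignored, the ordinary Cloudflare-fronted web host does not match, and the port 853 record is DNS-over-TLS rather than DoH. The caveat the report itself implies: a resolver fronted by a CDN under an arbitrary hostname will not appear on a public-provider list, so this check covers the recommendation to flag known DoH providers and should be paired with an inventory of which endpoints are permitted to resolve DNS over HTTPS at all.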

EDR Evasion via NTDLL Unhooking

Dohdoor goes beyond network-level evasion. The backdoor implements system call unhooking — removing the user-mode hooks that EDR solutions place in NTDLL.dll to monitor Windows API calls. By restoring the original system call stubs, the malware operates beneath the visibility of endpoint security products that rely on API-level monitoring.

Talos identified tactical similarities between Dohdoor and LazarLoader, a downloader previously used by the North Korean Lazarus Group against South Korean targets. However, the victimology diverges from Lazarus's typical focus on cryptocurrency and defense sectors.

That said, Talos noted that North Korean APT groups have previously targeted both sectors — Lazarus used Maui ransomware against healthcare, and Kimsuky has targeted education — creating overlapping victimology patterns that leave attribution uncertain.

Defender Recommendations

  • Monitor for DoH traffic — flag encrypted DNS connections to known DoH providers (Cloudflare, Google) from endpoints that shouldn't be using them
  • Detect DLL sideloading — alert on Fondue.exe, mblctr.exe, or ScreenClippingHost.exe loading unsigned DLLs, particularly propsys.dll or batmeter.dll
  • Hunt for NTDLL unhooking — monitor for processes that read and remap clean copies of NTDLL.dll to evade EDR hooks
  • Inspect Cobalt Strike indicators — look for named pipe patterns, malleable C2 profiles, and in-memory beacon artifacts
  • Audit university and healthcare networks — organizations in these sectors should proactively hunt for the described infection chain, particularly given the interconnected nature of university networks that could expand the attack surface
  • Block staging infrastructure — monitor for PowerShell downloading batch scripts from external servers followed by DLL drops
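The sideloading recommendation can be turned directly into a rule over Sysmon Event ID 7 (Image loaded) records. The following added example (not Talos code) flags the three named host executables loading propsys.dll or batmeter.dll from outside the Windows system directories, or without a valid signature. Field names follow Sysmon's schema for that event; the events themselves are constructed for the demonstration.

```python
"""Detect the Dohdoor-style DLL sideloading pattern in Sysmon image-load events.

Added example, not code from the Talos report. Input: Sysmon Event ID 7
records as dicts (Image, ImageLoaded, Signed, Signature, Computer).
"""
from __future__ import annotations

from pathlib import PureWindowsPath

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Legitimate copies of these DLLs live under the Windows system directories.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies inside root' check for Windows paths."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r and len(p) > len(r)


def sideload_reasons(event: dict) -> list[str]:
    """Return the reasons an image-load event matches the pattern ([] when it does not)."""
    if event.get("EventID") != 7:
        return []
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    dll_path = PureWindowsPath(event.get("ImageLoaded", ""))
    if host not in SIDELOAD_HOSTS or dll_path.name.lower() not in SIDELOAD_DLLS:
        return []
    reasons = []
    if not any(_under(dll_path, d) for d in SYSTEM_DIRS):
        reasons.append(f"{dll_path.name} loaded from non-system path {dll_path.parent}")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append(f"{dll_path.name} is unsigned or its signature status is unknown")
    return reasons


def scan_image_loads(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (computer, host image, reasons) for every event that matches."""
    out = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            out.append((ev.get("Computer", "?"), ev.get("Image", "?"), reasons))
    return out


# Constructed Sysmon-style events, not from a real incident.
SAMPLE_EVENTS = [
    # Benign: system mblctr.exe loading the signed system propsys.dll.
    {"EventID": 7, "Computer": "LAB-WS01", "Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    # Sideload: host copied next to an unsigned propsys.dll in a user-writable directory.
    {"EventID": 7, "Computer": "LAB-WS02", "Image": r"C:\Users\Public\mblctr.exe",
     "ImageLoaded": r"C:\Users\Public\propsys.dll", "Signed": "false", "Signature": ""},
    # Sideload: Fondue.exe resolving batmeter.dll from outside the system directories.
    {"EventID": 7, "Computer": "LAB-WS03", "Image": r"C:\Windows\System32\Fondue.exe",
     "ImageLoaded": r"C:\ProgramData\batmeter.dll", "Signed": "false", "Signature": ""},
    # Not matched: a host process outside the named set.
    {"EventID": 7, "Computer": "LAB-WS04", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\propsys.dll", "Signed": "false", "Signature": ""},
    # Not matched: wrong event type.
    {"EventID": 1, "Computer": "LAB-WS05", "Image": r"C:\Users\Public\mblctr.exe"},
]

if __name__ == "__main__":
    for computer, image, reasons in scan_image_loads(SAMPLE_EVENTS):
        print(f"{computer}: {image}")
        for r in reasons:
            print(f"    - {r}")
```

The rule keys on the host-and-DLL pairing named in the report rather than on the DLL name alone, which keeps the legitimate System32 load quiet while still catching a signed-looking host that pulls its dependency from a user-writable path. Dropping the host restriction (the notepad.exe event above) trades that precision for broader coverage of the same two DLL names.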
