Overview
- Cisco Talos is tracking the active UAT-10027 campaign, which has targeted the U.S. education and healthcare sectors since at least December 2025.
- The newly identified Dohdoor backdoor uses DNS-over-HTTPS for command-and-control, blending with legitimate HTTPS traffic.
- Operators mask C2 behind Cloudflare infrastructure, defeating DNS sinkholes and traditional network monitoring.
- Talos assesses a likely infection chain that starts with phishing, executes PowerShell, pulls down a batch script, and sideloads a malicious DLL such as propsys.dll or batmeter.dll through legitimate Windows executables.
- Dohdoor unhooks NTDLL to bypass EDR, decrypts and runs payloads in memory, and likely delivers a Cobalt Strike Beacon, with attribution still unconfirmed despite overlaps with Lazarus tradecraft and North Korean APT victimology.
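The DNS-over-HTTPS point in the bullets above is what makes Dohdoor's C2 hard to see: the traffic is ordinary HTTPS, so DNS sinkholes never observe the query. A defender can still look for the shape of RFC 8484 DoH requests in HTTP proxy logs. The following is an added detection example, written for this summary rather than taken from the Talos report. The log format, the client and server addresses, and the `KNOWN_DOH_HOSTS` list are constructed assumptions; none of them are indicators from the campaign.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests in HTTP proxy log lines.

Heuristics, each independent of the others:
  * destination host is a well-known public DoH resolver (assumed list)
  * request path ends in /dns-query (the conventional DoH endpoint path)
  * request Content-Type is application/dns-message
  * a ?dns= query parameter base64url-decodes to a plausible DNS wire message
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Assumed examples of public DoH resolvers; not indicators from the report.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def build_dns_query(name: str) -> bytes:
    """Build a minimal DNS A query in wire format (used only to construct sample data)."""
    header = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # ID, RD flag, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"  # root, QTYPE=A, QCLASS=IN


def b64url_decode(value: str) -> bytes:
    """Decode base64url with the padding DoH GET requests omit; empty bytes on failure."""
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except binascii.Error:
        return b""


def looks_like_dns_wire(blob: bytes) -> bool:
    """True if blob parses as a DNS message header followed by one question."""
    if len(blob) < 17:  # 12-byte header + root label + QTYPE + QCLASS
        return False
    if int.from_bytes(blob[4:6], "big") < 1:  # QDCOUNT must be at least 1
        return False
    i = 12
    while i < len(blob):
        n = blob[i]
        if n == 0:
            return len(blob) >= i + 5  # terminator, then 2-byte type and class
        if n > 63:  # DNS labels are at most 63 octets
            return False
        i += 1 + n
    return False


def detect_doh(lines):
    """Return one hit per log line that matches at least one DoH heuristic."""
    hits = []
    for line in lines:
        # Constructed format: ts client method url request-content-type user-agent
        _ts, client, _method, url, ctype, _ua = line.split(" ", 5)
        u = urlsplit(url)
        reasons = []
        if u.hostname in KNOWN_DOH_HOSTS:
            reasons.append("known-doh-resolver")
        if u.path.rstrip("/").endswith("/dns-query"):
            reasons.append("dns-query-path")
        if ctype.lower() == "application/dns-message":
            reasons.append("dns-message-content-type")
        dns_param = parse_qs(u.query).get("dns")
        if dns_param and looks_like_dns_wire(b64url_decode(dns_param[0])):
            reasons.append("dns-wire-in-query")
        if reasons:
            hits.append({"client": client, "host": u.hostname, "reasons": reasons})
    return hits


# Constructed sample log lines (addresses are documentation ranges, not IoCs).
_WIRE = base64.urlsafe_b64encode(build_dns_query("www.example.com")).rstrip(b"=").decode()
SAMPLE_LOGS = [
    "2025-12-03T10:01:02Z 10.1.2.3 GET https://www.example.com/index.html - Mozilla/5.0",
    f"2025-12-03T10:01:05Z 10.1.2.3 GET https://cloudflare-dns.com/dns-query?dns={_WIRE} - Mozilla/5.0",
    "2025-12-03T10:01:09Z 10.1.2.4 POST https://203.0.113.10/dns-query application/dns-message -",
    "2025-12-03T10:02:11Z 10.1.2.5 GET https://updates.example.org/api?dns=lookup text/plain curl/8.0",
]

if __name__ == "__main__":
    for hit in detect_doh(SAMPLE_LOGS):
        print(hit)
```

The last sample line carries a `dns=` parameter that is not a DNS message, so the wire-format check is what keeps it out of the results. The third line is the case that matters for this campaign: a bare host that is on no resolver list but still speaks DoH, which only the path and Content-Type heuristics catch. Because the report notes that the operators front their C2 with Cloudflare, a resolver allowlist on its own is not sufficient; the request-shape checks, or a policy that permits DoH only to sanctioned resolvers, are what give coverage.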