Cisco Talos has identified a new threat cluster, tracked as UAT-10027, that has targeted U.S. education and healthcare organisations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing; the lure triggers a PowerShell script that downloads a batch file, which in turn fetches a malicious DLL that is executed via sideloading. The malware hides its command-and-control traffic inside legitimate HTTPS connections by using DNS-over-HTTPS (DoH) and Cloudflare infrastructure.
The loading mechanism centres on a 64-bit Dohdoor DLL loader, compiled in November 2025, which downloads, decrypts, and runs payloads inside legitimate Windows processes. Payloads are decrypted with a custom XOR-SUB routine and delivered in two stages, combining process hollowing and DLL sideloading to inject into OpenWith[.]exe or wksprt[.]exe. To evade EDR, Dohdoor locates ntdll[.]dll and patches the syscall stub to create a direct syscall trampoline, and it communicates with its C2 using DoH via Cloudflare over port 443.
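As an added defensive illustration (not code from the Talos report), the following Python flags the two network-level signals described above over constructed Sysmon-style network-connection records: outbound connections from the OpenWith.exe and wksprt.exe host processes, which rarely have any reason to reach the network, and HTTPS connections to public DoH resolver endpoints from processes that are not browsers. The Cloudflare resolver addresses are public, well-known values; the record format, the browser allowlist and the sample records are this example's assumptions and are not indicators from the report.

```python
"""Flag DoH-over-443 C2 candidates from unexpected host processes.

Added example, not from the Talos report. The "Key=Value|Key=Value"
record format, the browser allowlist and the sample records below are
constructed for illustration; tune the lists for your own environment.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Injection host processes named in the report summary; on a typical
# workstation neither needs outbound network access at all.
SUSPICIOUS_HOST_IMAGES = {"openwith.exe", "wksprt.exe"}

# Public Cloudflare resolver endpoints (well-known values, not page IoCs).
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1",
                    "2606:4700:4700::1111", "2606:4700:4700::1001"}
DOH_RESOLVER_HOSTS = {"cloudflare-dns.com", "one.one.one.one"}

# Processes that legitimately speak DoH (assumed baseline allowlist).
DOH_ALLOWLIST_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

REASON_HOST_PROCESS = "outbound connection from sideloading/hollowing host process"
REASON_DOH_NON_BROWSER = "DoH resolver contacted by non-browser process"


@dataclass(frozen=True)
class NetConn:
    image: str              # full image path as logged by the sensor
    dest_ip: str
    dest_port: int
    dest_host: str = ""     # destination hostname if the sensor resolved one


@dataclass(frozen=True)
class Finding:
    conn: NetConn
    reasons: tuple


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_doh_destination(conn: NetConn) -> bool:
    """True when the connection targets a known public DoH endpoint on 443."""
    return conn.dest_port == 443 and (
        conn.dest_ip in DOH_RESOLVER_IPS
        or conn.dest_host.lower() in DOH_RESOLVER_HOSTS
    )


def parse_record(line: str) -> NetConn:
    """Parse one constructed 'Key=Value|Key=Value' network-connection record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return NetConn(
        image=fields["Image"],
        dest_ip=fields["DestinationIp"],
        dest_port=int(fields["DestinationPort"]),
        dest_host=fields.get("DestinationHostname", ""),
    )


def analyze(conns: Iterable[NetConn]) -> List[Finding]:
    """Apply both detections and return one Finding per suspicious connection."""
    findings = []
    for conn in conns:
        name = image_name(conn.image)
        reasons = []
        if name in SUSPICIOUS_HOST_IMAGES:
            reasons.append(REASON_HOST_PROCESS)
        if is_doh_destination(conn) and name not in DOH_ALLOWLIST_IMAGES:
            reasons.append(REASON_DOH_NON_BROWSER)
        if reasons:
            findings.append(Finding(conn, tuple(reasons)))
    return findings


# Constructed sample records (TEST-NET addresses for the non-resolver hosts).
SAMPLE_RECORDS = [
    "Image=C:\\Windows\\System32\\OpenWith.exe|DestinationIp=1.1.1.1"
    "|DestinationPort=443|DestinationHostname=cloudflare-dns.com",
    "Image=C:\\Windows\\System32\\wksprt.exe|DestinationIp=203.0.113.10"
    "|DestinationPort=443",
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|DestinationIp=1.1.1.1|DestinationPort=443|DestinationHostname=cloudflare-dns.com",
    "Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=1.0.0.1"
    "|DestinationPort=443",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|DestinationIp=198.51.100.20|DestinationPort=443",
]


def run_sample() -> List[Finding]:
    return analyze(parse_record(line) for line in SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{image_name(f.conn.image)} -> {f.conn.dest_ip}:{f.conn.dest_port}: "
              + "; ".join(f.reasons))
```

The first rule is deliberately port-agnostic: any outbound connection from these host processes is worth a look, while the DoH rule is what separates the browser's legitimate resolver traffic from the same destination reached by an unexpected process.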
The campaign has also been associated with a Cobalt Strike Beacon as a follow-on payload. While Talos notes overlaps with Lazarus, the operators' focus on the education and healthcare sectors distinguishes UAT-10027 from Lazarus's typical targets, and the researchers explicitly state that attribution remains uncertain.