Cisco Talos has identified a new malicious campaign by threat actor UAT-10027 targeting the education and healthcare sectors in the United States. The attack utilizes a multi-stage chain involving PowerShell downloaders and batch scripts to sideload a previously undocumented backdoor called "Dohdoor." This malware leverages DNS-over-HTTPS (DoH) through Cloudflare to obfuscate command-and-control communications and evade traditional network detection systems.
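The point of routing C2 over DoH is that the resolver traffic blends into ordinary HTTPS to a reputable provider, so network-only inspection sees nothing unusual. The check that still works is process attribution: only a handful of programs on a workstation legitimately speak DoH themselves. The following is an added example, not code from the Talos report or from the Dohdoor sample; it assumes an endpoint-firewall log format (constructed inline) that records the owning process and HTTPS destination, uses Cloudflare's documented public DoH hostnames and addresses (not campaign indicators), and treats the browser allowlist as an assumption to tune per environment.

```python
"""Flag DNS-over-HTTPS traffic to Cloudflare's public resolver endpoints that
originates from processes with no reason to resolve names that way.

Added example (not from the Talos report). Log format, sample data and the
process allowlist are assumptions; the endpoint list is Cloudflare's documented
public DoH service, not a campaign indicator.
"""
import re
from collections import Counter

# Cloudflare's documented public DoH resolver names and addresses.
CLOUDFLARE_DOH_HOSTS = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "one.one.one.one",
    "1.1.1.1",
    "1.0.0.1",
}

# Processes expected to speak DoH on their own. Assumption: tune per fleet
# (e.g. Windows 11 with native DoH enabled adds the DNS client service).
DOH_CAPABLE_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log format:
#   <ts> host=<name> proc=<image> dst=<host>:<port> path=<uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) path=(?P<path>\S+)$"
)

# Constructed sample events; none of these are real telemetry.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z host=WS01 proc=chrome.exe dst=cloudflare-dns.com:443 path=/dns-query",
    "2025-01-01T10:00:05Z host=WS01 proc=chrome.exe dst=cloudflare-dns.com:443 path=/dns-query",
    "2025-01-01T10:01:00Z host=WS02 proc=explorer.exe dst=1.1.1.1:443 path=/dns-query",
    "2025-01-01T10:02:00Z host=WS02 proc=explorer.exe dst=1.1.1.1:443 path=/dns-query",
    "2025-01-01T10:03:00Z host=WS02 proc=explorer.exe dst=1.1.1.1:443 path=/dns-query",
    "2025-01-01T10:01:30Z host=WS03 proc=outlook.exe dst=outlook.office365.com:443 path=/owa",
    "2025-01-01T10:04:00Z host=WS03 proc=powershell.exe dst=cloudflare-dns.com:443 path=/dns-query",
    "malformed line that the parser must skip",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["proc"] = ev["proc"].lower()
    ev["dst"] = ev["dst"].lower()
    ev["port"] = int(ev["port"])
    return ev


def is_doh_request(ev):
    """True for an HTTPS request to a Cloudflare DoH endpoint.

    RFC 8484 clients use /dns-query, but the host match alone is kept so that a
    client using a non-standard path is still caught."""
    return ev["port"] == 443 and ev["dst"] in CLOUDFLARE_DOH_HOSTS


def find_suspicious_doh(lines, min_requests=1):
    """Return (host, process, count) for DoH traffic from non-allowlisted
    processes, most active first; pairs below min_requests are dropped."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_doh_request(ev):
            continue
        if ev["proc"] in DOH_CAPABLE_PROCESSES:
            continue  # a browser resolving over DoH is expected behaviour
        counts[(ev["host"], ev["proc"])] += 1
    return [(h, p, n) for (h, p), n in counts.most_common() if n >= min_requests]


if __name__ == "__main__":
    for host, proc, n in find_suspicious_doh(SAMPLE_LOGS):
        print(f"{host}: {proc} made {n} DoH request(s) to a Cloudflare resolver")
```

The allowlist is the part that needs local care: a browser policy that disables DoH lets you shrink it, while Windows 11 with native DoH enabled means the DNS client service (running inside svchost.exe) will show up and must be added, or the rule will fire on every host. Pairing the count with an interval check over the timestamps turns the same data into a simple beaconing detector.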
Dohdoor is technically sophisticated, employing reflective payload execution and process hollowing to inject malware into legitimate Windows processes. It features advanced evasion techniques, including custom XOR-SUB decryption using SIMD instructions and NTDLL unhooking to bypass EDR monitoring. While the final payload was not directly captured, telemetry and infrastructure analysis suggest the potential use of Cobalt Strike beacons for persistent access.
Analysis of the campaign's tactics, techniques, and procedures reveals low-confidence technical similarities with known North Korean APT groups, specifically Lazarus. Overlaps include specific decryption constants and syscall restoration methods. While the focus on healthcare and education sectors deviates from typical Lazarus cryptocurrency targets, it aligns with broader North Korean strategic interest patterns.