The reach of this campaign is particularly alarming due to the "spiderweb" nature of academic networks. Researchers have identified infections in a central university connected to several other institutions, creating a massive potential attack surface from a single point of entry. By deploying a sophisticated new backdoor dubbed "Dohdoor," these attackers have turned the tools of modern connectivity into a silent gateway for long-term intrusion.
2. Hiding in the "DNS-over-HTTPS" Crowd
The core innovation behind the Dohdoor backdoor is its use of DNS-over-HTTPS (DoH) for command-and-control (C2) communications. DoH is a protocol designed to increase privacy by encrypting DNS queries within standard HTTPS traffic, essentially masking the destination of a request. By adopting this method, Dohdoor ensures its malicious instructions are indistinguishable from legitimate web browsing.
This approach exploits the ubiquity and inherent trust of major service providers like Cloudflare. Instead of communicating with a suspicious, unknown domain, the malware masks its traffic behind the internet's own protective infrastructure. This effectively blinds traditional network security tools, which see only a secure connection to a globally trusted IP address.
"The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address."
3. Weaponizing the "Good Guys" (DLL Side-Loading)
The attack begins with a suspected social engineering or phishing lure that triggers a multi-stage execution chain. A PowerShell script first pulls a Windows batch script from a staging server, which then downloads the final malicious payload. The attack then turns the operating system's own hospitality against it, using a technique known as DLL side-loading.
The malware hijacks legitimate, trusted Windows executables — such as Fondue.exe (Features on Demand), mblctr.exe (Mobility Center), or ScreenClippingHost.exe — to do its dirty work. These programs are tricked into loading a malicious library file that has assumed a "trusted" name like propsys.dll or batmeter.dll. Once the legitimate program runs, it inadvertently executes the Dohdoor backdoor, which then reflectively loads a Cobalt Strike Beacon directly into the system's memory.
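One way a SOC can hunt for the side-loading pairing described above, using Sysmon Event ID 7 (Image Loaded) records: this is an added example, not code from the original post or from the Talos research. The host binaries and DLL names are the ones named above; the field names, the system-directory rule and the sample records are assumptions.

```python
from pathlib import PureWindowsPath

# Host binaries and DLL names come from the post; the field names, the
# system-directory rule and the sample records are assumptions.
HOST_EXES = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
ABUSED_DLLS = {"propsys.dll", "batmeter.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def in_system_dir(path: PureWindowsPath) -> bool:
    """True when the file sits directly in a Windows system directory."""
    return str(path.parent).lower() in SYSTEM_DIRS

def sideload_indicators(event: dict) -> list[str]:
    """Indicators found in one Sysmon Event ID 7 (Image Loaded) record;
    an empty list means the pairing is not one we watch, or it looks clean."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in HOST_EXES or loaded.name.lower() not in ABUSED_DLLS:
        return []
    reasons = []
    if not in_system_dir(image):
        reasons.append("host binary runs outside the system directory")
    if not in_system_dir(loaded):
        reasons.append("dll loaded from outside the system directory")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("dll signature not valid")
    return reasons

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(host image, indicators) for every Event ID 7 record that raised any."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev) if ev.get("EventID") == 7 else []
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\batmeter.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\Public\mblctr.exe",
     "ImageLoaded": r"C:\Users\Public\batmeter.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\ProgramData\Fondue.exe",
     "ImageLoaded": r"C:\ProgramData\propsys.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll", "SignatureStatus": "Valid"},
]
```

Calling scan(SAMPLE_EVENTS) flags only the two relocated loads. ScreenClippingHost.exe normally ships under WindowsApps rather than System32, so extend SYSTEM_DIRS (or key the expected path per binary) before relying on the "host binary runs outside the system directory" signal.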
4. The Stealthy "Unhooking" of Security Guardrails
Dohdoor is engineered to survive in environments protected by modern Endpoint Detection and Response (EDR) solutions. It achieves this by "unhooking" system calls in NTDLL.dll, the lowest user-mode layer of the Windows API, where requests transition into the kernel. This is the critical layer where EDR products typically place their hooks to watch for suspicious behavior.
By removing these hooks, Dohdoor creates an "EDR Green Mirage." The security dashboard continues to show a healthy, protected system even as the attacker moves laterally through the network. For organizations relying solely on automated alerts, the malware becomes a ghost in the machine, operating in the gap between what the security software sees and what the OS is actually doing.
5. A Shift in the "Who" and "Why"
The victimology of UAT-10027 suggests a sophisticated evolution of North Korean state-sponsored activity. While the code shares tactical overlaps with "LazarLoader" — a tool used by the Lazarus Group — the choice of victims is unconventional. Lazarus typically hunts for cryptocurrency and military secrets, but UAT-10027 is targeting elderly care facilities and universities.
This shift does not necessarily mean a new actor has emerged, but rather suggests a broader, more aggressive North Korean strategy. It aligns with historical patterns seen in other groups like Kimsuky, which targets education, and the Maui ransomware operators who have famously hit healthcare. This suggests that even non-defense sectors are now primary targets for high-tier APTs traditionally focused on financial or military gain.
Need Help?
The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html