Suspected Nork digital intruders caught breaking into US healthcare, education orgs
Summary
Security researchers at Cisco Talos have uncovered an active campaign, tracked as UAT-10027, delivering a new backdoor called Dohdoor to US education institutions and at least one elderly-care healthcare facility. The multi-stage intrusion begins with phishing and a PowerShell downloader, uses a batch-script dropper to sideload a malicious DLL (“propsys.dll” or “batmeter.dll”), and ultimately runs in-memory payloads such as a Cobalt Strike Beacon. Talos judges the activity to have low-confidence ties to North Korea-linked groups due to technical overlaps with Lazarus/Lazarloader techniques.
Key Points
- Campaign (UAT-10027) active since at least December, hitting US education and healthcare targets.
- New loader/backdoor “Dohdoor” is delivered via PowerShell downloader → batch dropper → DLL sideloading.
- Attackers use Cloudflare-hosted C2 and DNS-over-HTTPS to hide command-and-control traffic as legitimate HTTPS.
- Dohdoor uses process hollowing and in-memory execution to run Cobalt Strike without writing payloads to disk.
- The backdoor employs ntdll.dll unhooking to bypass EDR monitoring — a technique seen in previous Lazarus-related campaigns.
- Talos assigns low-confidence attribution to North Korean actors; victimology suggests financial motive.
Content summary
Cisco Talos describes a sophisticated, multi-stage intrusion chain that culminates in a stealthy loader (Dohdoor) enabling in-memory execution of follow-on tooling. Key evasion methods include DLL sideloading, process hollowing, DNS-over-HTTPS for C2 resolution, and restoring/unhooking ntdll system-call stubs to bypass endpoint detection. While some tactics mirror known North Korea-linked operations, the current targeting of education and healthcare is not a perfect match for Lazarus’ historic focus.
Context and relevance
This is important because education and healthcare organisations frequently have weaker defences yet hold sensitive data and critical services; an intrusion can quickly escalate to data theft, extortion or service disruption. The use of DoH via Cloudflare and EDR-unhooking indicates attackers are adapting to modern defences. Organisations should prioritise anti-phishing measures, restrict DLL sideloading, monitor DoH usage and hunt for in-memory Cobalt Strike indicators.
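As an added example (not code from the Talos report or from The Register's article), the script below sketches two of the hunts recommended above in Python: flagging DNS-over-HTTPS requests made by processes other than browsers, and flagging writes of sideload-prone DLL names outside the Windows system directories. The log formats, timestamps, hostnames, process names and the browser allow-list are all constructed for illustration; the DLL names propsys.dll and batmeter.dll are the ones named in the summary above.

```python
"""Two simple hunts over constructed telemetry:
(1) DoH requests (RFC 8484 path or media type) from non-browser processes, and
(2) sideload-prone DLL names written outside the Windows system directories.
All log lines, hosts and process names are constructed samples, not real IoCs."""
import re
from typing import Dict, List

# Assumed proxy log format: ts | client process | dest host | request path | content-type
PROXY_LOGS = [
    "2024-12-03T10:01:02Z | chrome.exe | cloudflare-dns.com | /dns-query?dns=AAABAAAB | application/dns-message",
    "2024-12-03T10:01:05Z | powershell.exe | cloudflare-dns.com | /dns-query | application/dns-message",
    "2024-12-03T10:02:11Z | rundll32.exe | example-cdn.net | /dns-query | application/dns-message",
    "2024-12-03T10:03:40Z | outlook.exe | outlook.office.com | /owa/ | text/html",
]

# Assumed file-event format: ts | writing process | full path of the file written
FILE_EVENTS = [
    r"2024-12-03T10:05:00Z | cmd.exe | C:\Users\alice\AppData\Local\Temp\propsys.dll",
    r"2024-12-03T10:05:01Z | cmd.exe | C:\Users\alice\AppData\Local\Temp\updater.exe",
    r"2024-12-03T10:06:00Z | TrustedInstaller.exe | C:\Windows\System32\propsys.dll",
    r"2024-12-03T10:07:00Z | explorer.exe | C:\ProgramData\Tools\batmeter.dll",
]

# Browsers legitimately speak DoH; anything else doing so deserves a look.
# This allow-list is an assumption and should be tuned per environment.
DOH_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
DOH_PATH = re.compile(r"^/dns-query(\?|$)")        # RFC 8484 well-known path
DOH_CONTENT_TYPE = "application/dns-message"        # RFC 8484 media type

# DLL names the report says were sideloaded; extend with other hijack-prone names.
SIDELOAD_DLL_NAMES = {"propsys.dll", "batmeter.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_pipe_line(line: str) -> List[str]:
    """Split a ' | '-delimited telemetry line into stripped fields."""
    return [field.strip() for field in line.split("|")]


def find_doh_from_unexpected_processes(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests that look like DoH but come from a non-browser process.
    Matching on the request shape rather than a resolver host list also catches
    DoH spoken to attacker-controlled or CDN-fronted hosts."""
    hits = []
    for line in lines:
        ts, proc, host, path, ctype = parse_pipe_line(line)
        is_doh = bool(DOH_PATH.match(path)) or ctype.lower() == DOH_CONTENT_TYPE
        if is_doh and proc.lower() not in DOH_ALLOWED_PROCESSES:
            hits.append({"ts": ts, "process": proc, "host": host,
                         "reason": "DoH from non-browser process"})
    return hits


def find_sideload_candidates(events: List[str]) -> List[Dict[str, str]]:
    """Return writes of sideload-prone DLL names to any directory that is not
    one of the Windows system directories (where the legitimate copies live)."""
    hits = []
    for line in events:
        ts, proc, path = parse_pipe_line(line)
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if name in SIDELOAD_DLL_NAMES and not lowered.startswith(SYSTEM_DIRS):
            hits.append({"ts": ts, "process": proc, "path": path,
                         "reason": "sideload-prone DLL written outside system dir"})
    return hits


if __name__ == "__main__":
    for hit in find_doh_from_unexpected_processes(PROXY_LOGS) + find_sideload_candidates(FILE_EVENTS):
        print(hit)
```

Both functions return structured hits rather than printing, so they drop into a SIEM enrichment step or a scheduled hunt without change; the browser allow-list and the DLL name set are the two knobs to tune for a given estate.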
Why should I read this
Short and blunt: if you look after security for a school, uni or care provider, this is worth five minutes. It shows how crooks are slipping past DNS and endpoint protections with tricks that look like normal HTTPS — and what you should check first.
