Encrypted Deception: Cisco Talos Unmasks “Dohdoor” and the Stealthy UAT-10027 Campaign Targeting Healthcare
Since late 2025, Cisco Talos has been tracking a malicious campaign directed against educational and healthcare institutions within the United States. Researchers attribute this coordinated activity to the threat actor UAT-10027 and have documented a novel backdoor christened “Dohdoor.” Its defining characteristic is its reliance on DNS over HTTPS (DoH) for command and control. Rather than traversing conventional DNS channels, these queries are encapsulated within HTTPS traffic over port 443; consequently, to network monitoring tools, this activity masquerades seamlessly as ubiquitous, encrypted web traffic. An additional layer of obfuscation is achieved by routing a segment of this communication through Cloudflare’s sprawling infrastructure.
Talos hypothesizes that the initial vector of compromise predominantly involves phishing campaigns coupled with social engineering stratagems. Upon successfully breaching a machine, a PowerShell script is executed. This script invokes curl.exe with an encoded URL to download a Windows batch file (bearing either a .bat or .cmd extension) from a remote staging server. This encoded link serves to confound rapid log analysis and effectively circumvents rudimentary security filters designed to ensnare suspicious URLs via string matching.
This batch file subsequently prepares a staging directory and sets up the execution of a malicious DLL through DLL sideloading. The script generates a concealed folder within either C:\ProgramData or C:\Users\Public, downloads a DLL from the C2 infrastructure via a path akin to /111111?sub=d, and saves it under a file name chosen to mimic benign system files, such as propsys.dll or batmeter.dll. Following this, legitimate Windows executables—Talos cites Fondue.exe, mblctr.exe, and ScreenClippingHost.exe as examples—are copied into this very same directory. These innocuous programs are then launched from the staging folder, accompanied by a parameter pointing to the C2 resource /111111?sub=s. Upon initialization, the legitimate executable inadvertently loads the implanted DLL from its own directory, thereby surrendering execution control to Dohdoor.
Once Dohdoor is operational, the batch file meticulously attempts to eradicate all overt traces of its inception. The script purges the command history from the “Run” dialog by excising the RunMRU registry key, subsequently clears the clipboard, and ultimately deletes its own executable file. This rigorous digital sanitation leaves investigators with a dearth of glaring artifacts upon the disk and within the user’s activity logs.
Talos characterizes Dohdoor as a 64-bit DLL, compiled on November 25, 2025. Embedded within its architecture, researchers uncovered the debugging path C:\Users\diablo\Desktop\SimpleDll\TlsClient.hpp. The module deliberately eschews static imports, opting instead to dynamically resolve Windows function addresses via hashing; consequently, its import table appears anomalously barren. Subsequently, Dohdoor parses the command-line parameters, extracting the HTTPS address of the C2 server alongside the resource path dictating the specific payload slated for download.
The domain necessary for governing Dohdoor is resolved utilizing DoH, specifically leveraging Cloudflare’s infrastructure. Rather than initiating a standard DNS query, the malware constructs an HTTP GET request to Cloudflare’s DNS service via port 443, requesting both A and AAAA records (the addresses for IPv4 and IPv6, respectively). Within the headers, Talos observed User-Agent: insomnia/11.3.0 and Accept: applications/dns-json. The response is delivered in JSON format; however, Dohdoor extracts the IP address without employing a comprehensive JSON parser, relying instead upon rudimentary string searching: it first locates the Answer block, then the data field within it. This methodology is instrumental in bypassing security appliances specifically calibrated to monitor standard DNS traffic, as they perceive this HTTPS communication merely as an innocuous, encrypted connection.
Having acquired the IP address, Dohdoor establishes an HTTPS connection to its command infrastructure, safely sequestered behind Cloudflare’s edge network. To external observers, this traffic is indistinguishable from standard HTTPS communication directed toward trusted global addresses. The requests frequently utilize User-Agents such as curl/7.88 or curl/7.83.1 and target resources resembling /X111111?sub=s. The client exhibits versatility, capable of processing both Content-Length and chunked encoding; thus, the server can dynamically alter its data delivery mechanism without rupturing the communication channel.
The domains employed are crafted to appear innocuous to both automated filters and human observers. Talos highlights subdomains such as MswInSofTUpDloAd and DEEPinSPeCTioNsyStEM, which superficially resemble Windows update protocols or security telemetry. Furthermore, the malware utilizes unorthodox capitalization and unconventional top-level domains, including .OnLiNe, .DeSigN, and .SoFTWARe. These specific configurations confound rudimentary string-matching rules, allowing the threat actors to rotate domains without abandoning their overarching template.
The subsequent payload is delivered in an encrypted state. Dohdoor decrypts this data utilizing a custom XOR-SUB scheme, combining a position-dependent transformation with a 32-byte key. Talos highlights a 4:1 ratio: the ciphertext is approximately quadruple the size of the decrypted buffer. The primary decryption phase processes the data in 16-byte blocks, leveraging SIMD instructions for acceleration. For the residual bytes, the formula decrypted[i] = encrypted[i*4] - i - 0x26 is applied; essentially, it isolates every fourth byte, subtracting both the position index and the constant 0x26.
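The residual-byte formula above is simple enough to reproduce for analysts who need to recover the tail of a captured buffer. The following C is an added example, not Talos's or Dohdoor's code: it implements only the per-byte rule decrypted[i] = encrypted[i*4] - i - 0x26 (the 16-byte SIMD phase and the role of the 32-byte key are not described in enough detail to reconstruct), and the sample ciphertext is constructed here with the inverse of that rule, padded with 0xCC filler in the three unused positions of each group.

```c
#include <stdint.h>
#include <stddef.h>

/* Constant from the report: decrypted[i] = encrypted[i*4] - i - 0x26 */
#define DOHDOOR_TAIL_CONST 0x26u

/* Decrypts the residual (non-SIMD) portion of a Dohdoor payload buffer.
 * With the 4:1 ratio the output holds enc_len / 4 bytes; only every fourth
 * input byte carries data, the three in between are ignored. The final cast
 * to uint8_t wraps modulo 256, matching a byte-wise subtraction.
 * Returns the number of plaintext bytes written (capped at out_cap). */
size_t dohdoor_tail_decrypt(const uint8_t *enc, size_t enc_len,
                            uint8_t *out, size_t out_cap)
{
    size_t n = enc_len / 4;
    if (n > out_cap)
        n = out_cap;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((unsigned)enc[i * 4] - (unsigned)i - DOHDOOR_TAIL_CONST);
    return n;
}

/* Constructed sample (not from the report): the three bytes 4D 5A 90 encoded
 * with the inverse of the formula, enc[i*4] = plain[i] + i + 0x26. */
static const uint8_t kSampleCipher[12] = {
    0x73, 0xCC, 0xCC, 0xCC,   /* 0x4D + 0 + 0x26 */
    0x81, 0xCC, 0xCC, 0xCC,   /* 0x5A + 1 + 0x26 */
    0xB8, 0xCC, 0xCC, 0xCC    /* 0x90 + 2 + 0x26 */
};

/* Decrypts the constructed sample into a caller-supplied buffer. */
size_t decrypt_sample(uint8_t *out, size_t out_cap)
{
    return dohdoor_tail_decrypt(kSampleCipher, sizeof kSampleCipher, out, out_cap);
}
```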
Following decryption, the ensuing phase is launched via process hollowing. Dohdoor spawns a legitimate process in a suspended state, systematically replaces its memory contents with the newly decrypted malicious code, and subsequently resumes the process’s execution. Talos enumerates the hardcoded paths to these target files: C:\Windows\System32\OpenWith.exe, C:\Windows\System32\wksprt.exe, C:\Program Files\Windows Photo Viewer\ImagingDevices.exe, and C:\Program Files\Windows Mail\wab.exe. This execution strategy masterfully conceals the malicious code’s operations beneath the guise of an authorized system process.
To circumvent Endpoint Detection and Response (EDR) solutions, Dohdoor employs unhooking techniques against system calls within ntdll.dll. Talos elucidates this process: numerous EDR platforms implant user-mode hooks within ntdll, patching the first bytes of functions to redirect execution flow into their own monitoring code. Dohdoor locates ntdll.dll via the hash 0x28cc and targets NtProtectVirtualMemory using the hash 0xbc46c894. It reads the initial 32 bytes via ReadProcessMemory and compares them against the expected system call stub template 4C 8B D1 B8 FF 00 00 00 (which corresponds to mov r10, rcx; mov eax, 0FFh). Should a match be confirmed, it injects the patch B8 BB 00 00 00 C3 (equivalent to mov eax, 0BBh; ret). The result is a truncated stub that bypasses the user-mode hooks.
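The same byte patterns Talos describes can be turned around for detection: a memory-forensics or EDR self-check routine that reads the first bytes of an ntdll export can tell an untouched stub from a detoured one or from the truncated mov eax, imm32; ret form left behind by this unhooking. The C below is an added example, not Talos's or Dohdoor's code. It assumes the 0xFF in the quoted template stands in for the real syscall number, treats a leading E9 (jmp rel32) as the typical user-mode detour, and checks only the 8-byte prologue the report quotes; the sample buffers are constructed, including the 0x50 syscall number.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdicts for the first bytes of an ntdll exported function. */
typedef enum {
    STUB_INTACT,        /* mov r10, rcx ; mov eax, <syscall number> */
    STUB_HOOKED_JMP,    /* starts with jmp rel32 (E9): a user-mode detour, typically an EDR hook */
    STUB_TRUNCATED,     /* mov eax, imm32 ; ret : the tampered form described in the report */
    STUB_UNKNOWN
} stub_state;

/* Prefix of the template the report quotes (4C 8B D1 B8 FF 00 00 00). The 0xFF is
 * a placeholder for the real syscall number, so only the opcode bytes are compared
 * and the imm32 is read separately. */
static const uint8_t kSyscallPrologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };

/* Classifies `len` bytes captured from the start of a function (for example the
 * 32 bytes read from a live process or a memory dump). On STUB_INTACT the
 * little-endian imm32 following mov eax is written to *ssn_out. This checks the
 * prologue only; the bytes after it are not covered by the quoted template. */
stub_state classify_stub(const uint8_t *bytes, size_t len, uint32_t *ssn_out)
{
    if (len >= 8 && memcmp(bytes, kSyscallPrologue, sizeof kSyscallPrologue) == 0) {
        if (ssn_out)
            *ssn_out = (uint32_t)bytes[4] | ((uint32_t)bytes[5] << 8)
                     | ((uint32_t)bytes[6] << 16) | ((uint32_t)bytes[7] << 24);
        return STUB_INTACT;
    }
    if (len >= 5 && bytes[0] == 0xE9)
        return STUB_HOOKED_JMP;
    /* B8 imm32 C3: a five-byte mov eax followed immediately by ret, i.e. the stub
     * was cut off before the syscall instruction */
    if (len >= 6 && bytes[0] == 0xB8 && bytes[5] == 0xC3)
        return STUB_TRUNCATED;
    return STUB_UNKNOWN;
}

/* Constructed samples (not captured from a real system). */
static const uint8_t kIntactSample[8]   = { 0x4C, 0x8B, 0xD1, 0xB8, 0x50, 0x00, 0x00, 0x00 };
static const uint8_t kTamperedSample[8] = { 0xB8, 0xBB, 0x00, 0x00, 0x00, 0xC3, 0xCC, 0xCC };
static const uint8_t kDetouredSample[8] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0xCC, 0xCC, 0xCC };
```

Baselining the verdict and the recovered syscall number against a clean copy of ntdll.dll on disk turns this into a tamper check rather than a one-off classification.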
While Talos was unable to intercept the ultimate payload downloaded and injected by Dohdoor, circumstantial evidence emerged from the infrastructure itself. Open-source intelligence regarding one of the C2 hosts revealed a JA3S hash of 466556e923186364e82cbdb4cad8df2c and a TLS certificate serial number of 7FF31977972C224A76155D13B6D685E3. Talos notes a striking resemblance between these indicators and the profile of Cobalt Strike, postulating that the subsequent stage was likely a Cobalt Strike Beacon, deployed to solidify a foothold within the network and orchestrate further machinations.
Regarding attribution, Talos emphasizes a posture of low confidence. The tentative association between UAT-10027 and the Lazarus Group is predicated upon overlapping Tactics, Techniques, and Procedures (TTPs) and a discernible resemblance to the Lazarloader tool. The overlaps include the XOR-SUB scheme featuring position-dependent decryption and the 0x26 constant, the ntdll unhooking maneuvers designed for EDR evasion, the employment of DoH via Cloudflare, and the strategic amalgamation of DLL sideloading and process hollowing. Conversely, the target profile deviates from the typical Lazarus pattern, which is more frequently tethered to cryptocurrency heists and the defense industrial base. Nevertheless, Talos cautions that North Korean threat actors have historically targeted both the medical and educational sectors; thus, this selection of targets is by no means implausible.