UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Stealth Malware Campaign Targets U.S. Healthcare and Education Sectors Using Never-Before-Seen Backdoor

By Ravie Lakshmanan | February 26, 2026

A previously undocumented threat cluster has been targeting U.S. education and healthcare institutions since December 2025. Cisco Talos tracks the activity as UAT-10027 and reports that it deploys a new backdoor, which the researchers named Dohdoor, against these organizations.

The targeted sectors hold some of the most sensitive data in circulation: patient records, research data, and the personal information of students and staff. What sets the campaign apart is the backdoor's command-and-control channel. It tunnels C2 traffic through DNS-over-HTTPS (DoH), so the lookups never pass through the resolvers where most enterprise DNS monitoring takes place.

The Anatomy of a Sophisticated Attack

The initial access vector is still under investigation, but the researchers suspect phishing that persuades the victim to run a PowerShell script. From there the intrusion follows a staged deployment chain.

The PowerShell script downloads a Windows batch file from a remote staging server and runs it. The batch script in turn fetches a malicious dynamic-link library (DLL) whose file name copies a legitimate Windows system DLL, such as propsys.dll or batmeter.dll, so that it blends in with normal system activity.

The DLL is then executed by DLL side-loading. A legitimate Windows executable such as Fondue.exe, mblctr.exe or ScreenClippingHost.exe is launched from the directory where the malicious DLL was dropped. Because the Windows loader searches the application's own directory before the system directories for the libraries an executable imports, the trusted binary loads the attacker's DLL instead of the real one, and the payload runs inside a process whose image is a genuine Windows binary.

Dohdoor: The Stealthy Backdoor That Bypasses Detection

Once running, Dohdoor gives the operators a foothold from which they can fetch further payloads and execute them directly in memory, without writing them to disk. File-based antivirus therefore never gets a look at the second-stage tooling, and forensic examiners have less to recover afterwards; memory capture and behavioural telemetry become the primary sources of evidence.

The backdoor's distinguishing feature is its use of DNS-over-HTTPS (DoH) for command-and-control communications. The queries go to Cloudflare's public DoH resolver, so on the wire they are HTTPS sessions to a widely used, reputable IP address. The enterprise DNS servers, on which DNS sinkholes, resolver logging and most DNS-based analytics depend, never see the lookups for the attacker-controlled domains, so those controls are bypassed without the malware having to touch port 53 at all.
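Because the C2 lookups are encrypted inside HTTPS to a public resolver, the place to look is the host's outbound connection telemetry rather than DNS server logs: a non-browser process opening TCP/443 sessions to a known DoH endpoint is a strong signal. The following is an added example, not Cisco Talos code, that applies that test to Sysmon-style Event ID 3 (network connection) records. The records are constructed, the resolver list is a starting point rather than an authoritative inventory, and the allow-list of processes expected to speak DoH is an assumption about your environment.

```python
"""Find processes talking DNS-over-HTTPS to a public resolver.

Added example (not Cisco Talos code). Event records mimic Sysmon Event ID 3
(network connection) fields; process paths and destinations are constructed.
The resolver set and the allow-list of expected DoH clients are assumptions.
"""
import ntpath
from collections import Counter

# Public resolvers that serve DoH on TCP/443. Plain DNS to the same hosts
# uses port 53 and DoT uses 853, so the port distinguishes the protocol.
PUBLIC_DOH_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",           # Cloudflare (cloudflare-dns.com)
    "8.8.8.8", "8.8.4.4",           # Google (dns.google)
    "9.9.9.9", "149.112.112.112",   # Quad9 (dns.quad9.net)
}
DOH_HOSTNAMES = {"cloudflare-dns.com", "one.one.one.one",
                 "dns.google", "dns.quad9.net"}

# Processes for which DoH is expected (assumption): browsers with DoH enabled
# and the Windows DNS client service when an enterprise DoH policy is pushed.
EXPECTED_DOH_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def is_doh_connection(ev):
    """True for an outbound TCP/443 connection to a known DoH resolver."""
    if ev["Protocol"] != "tcp" or ev["DestinationPort"] != 443:
        return False
    host = (ev.get("DestinationHostname") or "").lower()
    return ev["DestinationIp"] in PUBLIC_DOH_RESOLVERS or host in DOH_HOSTNAMES


def suspicious_doh_clients(events):
    """Return {image_path: connection_count} for unexpected DoH talkers."""
    counts = Counter()
    for ev in events:
        if not is_doh_connection(ev):
            continue
        if ntpath.basename(ev["Image"]).lower() in EXPECTED_DOH_CLIENTS:
            continue
        counts[ev["Image"]] += 1
    return dict(counts)


SAMPLE_EVENTS = [  # constructed; not real telemetry
    {"Image": r"C:\Users\Public\Fondue.exe", "Protocol": "tcp",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443,
     "DestinationHostname": "one.one.one.one"},
    {"Image": r"C:\Users\Public\Fondue.exe", "Protocol": "tcp",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443,
     "DestinationHostname": "one.one.one.one"},
    {"Image": r"C:\Users\Public\Fondue.exe", "Protocol": "tcp",
     "DestinationIp": "1.0.0.1", "DestinationPort": 443, "DestinationHostname": ""},
    # expected: a browser with DoH switched on
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "1.1.1.1", "DestinationPort": 443,
     "DestinationHostname": "one.one.one.one"},
    # plain DNS on port 53, which the enterprise resolver logs would show anyway
    {"Image": r"C:\Windows\System32\svchost.exe", "Protocol": "udp",
     "DestinationIp": "1.1.1.1", "DestinationPort": 53, "DestinationHostname": ""},
    # ordinary HTTPS to an address that is not a resolver
    {"Image": r"C:\Users\Public\Fondue.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "example.invalid"},
]

if __name__ == "__main__":
    for image, n in suspicious_doh_clients(SAMPLE_EVENTS).items():
        print(f"{n} DoH connection(s) from {image}")
```

If your hosts reach the internet only through an explicit proxy, the destination IP in host telemetry will be the proxy; apply the same check to the proxy's CONNECT logs using the requested hostname instead. The egress control that makes this rule redundant is to block TCP/443 to public resolvers for everything except the allow-listed clients, which forces name resolution back through the enterprise resolver that can be logged and sinkholed.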

“Dohdoor’s use of DoH represents a significant evolution in malware communication techniques,” explains Alex Karkins, one of the researchers who discovered the threat. “By leveraging a legitimate protocol designed to enhance privacy, the attackers have effectively cloaked their malicious activities in a veil of normalcy.”

Advanced Evasion Techniques

The evasion goes beyond the communication channel. Many endpoint detection and response (EDR) products intercept Windows API calls by placing user-mode hooks in ntdll.dll, the library through which every user-mode system call passes. Dohdoor removes those hooks, restoring the original function prologues, so the EDR's monitoring code is no longer called when the backdoor allocates memory, writes payloads or creates threads.

Combining DoH-based C2 with EDR unhooking suggests the operators behind UAT-10027 have the resources and expertise to study the security stack they expect to meet. The ability to bypass modern defences while keeping persistent access is a capability that could be turned to espionage or monetisation alike.

Target Selection Raises Questions

The choice of education and healthcare as primary targets interests researchers. The campaign has affected several educational institutions, including universities that are connected to other institutions, which widens the attack surface reachable from one compromise. It has also hit healthcare facilities, among them providers of elderly care.

This victimology pattern differs from many other advanced persistent threat (APT) groups that typically focus on financial institutions, government agencies, or defense contractors. The healthcare sector’s critical nature and the sensitive information it handles make it an attractive target for various threat actors, from financially motivated cybercriminals to state-sponsored espionage groups.

Financial Motivations Suspected

Although no data exfiltration has been observed so far, the researchers suspect a financial motive. The victims handle significant financial transactions, research funding and valuable intellectual property, which suggests the attackers may be positioning themselves for later exploitation.

The use of Cobalt Strike Beacon as a secondary payload is notable. Cobalt Strike is a commercial adversary-simulation framework that has become a staple of criminal and state-backed intrusions alike because of its versatility; its deployment here indicates preparation for hands-on post-exploitation and longer-term presence in the compromised networks.

Potential Links to Known Threat Actors

The identity of the operators remains unknown, but Cisco Talos noted some tactical similarities between Dohdoor and LazarLoader, a downloader previously associated with the North Korean Lazarus Group. That overlap raises the possibility of state-sponsored involvement, although the researchers caution against treating it as attribution.

The campaign’s focus on education and healthcare sectors deviates from Lazarus Group’s typical targeting profile, which usually centers on cryptocurrency platforms, financial institutions, and defense-related targets. However, North Korean APT groups have demonstrated a willingness to target healthcare sectors in the past, including using Maui ransomware against healthcare organizations and the Kimsuky group’s activities in the education sector.

Implications for Critical Infrastructure Security

This campaign highlights the evolving nature of cyber threats against critical infrastructure sectors. The healthcare industry, already strained by various challenges, now faces sophisticated malware campaigns that can evade traditional security measures while maintaining persistent access to sensitive systems and data.

The use of legitimate infrastructure like Cloudflare’s services for malicious purposes demonstrates how threat actors are increasingly leveraging the same tools and services that legitimate businesses use to conduct their operations. This trend makes it significantly more challenging for security professionals to distinguish between normal and malicious traffic.

Recommendations for Organizations

Organizations in the education and healthcare sectors should review their security posture and hunt for the following behaviours, which outlast file hashes because the payload and staging server can change between intrusions:

  • PowerShell launching batch files or downloading content into user-writable directories
  • propsys.dll or batmeter.dll present outside System32 and SysWOW64, or loaded by Fondue.exe, mblctr.exe or ScreenClippingHost.exe running from a non-system path
  • HTTPS connections to public DNS-over-HTTPS resolvers such as Cloudflare's from processes other than browsers and the system DNS client
  • Executable memory regions not backed by a file on disk, or payloads run directly from memory
  • Missing or altered EDR user-mode hooks in ntdll.dll

Security teams should also segment networks to limit lateral movement and isolate critical systems from general traffic. Because Dohdoor's command channel rides on HTTPS to a public resolver, blocking outbound connections to public DoH endpoints at the egress and routing all name resolution through the enterprise resolver removes that channel for hosts that have no business using external DoH.

The Broader Context

This campaign emerges against a backdrop of increasing cyber threats to critical infrastructure sectors globally. Healthcare organizations have become prime targets due to the sensitive nature of their data and the critical services they provide. The COVID-19 pandemic accelerated digital transformation in healthcare, often without corresponding investments in cybersecurity, creating vulnerabilities that sophisticated threat actors are now exploiting.

The education sector faces similar challenges, with universities and research institutions holding valuable intellectual property and personal data that can be monetized or leveraged for various purposes. The interconnected nature of educational institutions, where one compromised university can provide access to partner institutions, creates a cascading risk that sophisticated attackers can exploit.

Looking Ahead

As threat actors continue to develop more sophisticated techniques for evading detection and maintaining persistent access to targeted networks, organizations must evolve their defensive strategies accordingly. The success of campaigns like UAT-10027 demonstrates that traditional security measures alone are insufficient against determined, well-resourced adversaries.

The cybersecurity community must continue sharing threat intelligence and developing new detection techniques to counter these evolving threats. Only through collective vigilance and rapid response to emerging threats can we hope to stay ahead of adversaries who are constantly refining their tactics and techniques.


Tags: #cybersecurity #malware #healthcare #education #UAT10027 #Dohdoor #DNSoverHTTPS #threatintelligence #cyberattack #criticalinfrastructure #securitybreach #advancedpersistentthreat #statebackedhacking #cyberdefense #networksecurity #endpointprotection #threatdetection #cybercrime #databreach #informationsecurity
