UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor

Pierluigi Paganini February 26, 2026

UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor.

Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor.

Initial access likely occurs through phishing, which triggers a PowerShell script that downloads a batch file; the batch file in turn fetches a malicious DLL, Dohdoor, and runs it via DLL sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic within legitimate HTTPS connections. This allows attackers to deploy additional payloads, such as Cobalt Strike, directly into memory while evading security detection and maintaining persistent access.

Attackers used PowerShell to run curl with an encoded URL, downloading a malicious .bat or .cmd file—likely delivered through phishing. The batch script then created a hidden folder in ProgramData or Public, downloaded a disguised malicious DLL, and used DLL sideloading with legitimate Windows executables to run it. Finally, it performed anti-forensic actions, clearing Run history, wiping the clipboard, and deleting itself to reduce traces of compromise.

UAT-10027 deployed a 64-bit DLL loader, Dohdoor, compiled in November 2025, to download, decrypt, and run payloads inside legitimate Windows processes. Dohdoor resolves Windows APIs through hash-based lookups, parses command-line arguments from the sideloaded executable, and extracts the C2 URL and payload path. It uses DNS-over-HTTPS to query Cloudflare over port 443, builds crafted HTTP requests, and parses JSON responses by searching for “Answer” and “data” fields to obtain the C2 IP address.

After resolving the server, Dohdoor sends HTTPS GET requests that mimic curl traffic and retrieves an encrypted payload. It decrypts the payload with a custom XOR-SUB algorithm using SIMD routines for 16-byte blocks and a position-dependent formula for remaining bytes.

“Dohdoor receives an encrypted payload from the C2 server. The encrypted payload undergoes custom XOR-SUB decryption using a position-dependent cipher. The encrypted data maintains a 4:1 expansion ratio where the encrypted data is four times larger than the decrypted data,” reads Talos’s report. “The decryption routine of Dohdoor operates in two ways: a vectorized (Single Instruction, Multiple Data) SIMD method for bulk processing and a simpler loop to handle the remaining encrypted data.”

The loader then performs process hollowing, injecting the decrypted payload into suspended Windows binaries such as OpenWith.exe or wksprt.exe before resuming execution.
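The DoH lookup, the curl-like User-Agent and the hollowing targets described above give a defender several fields to pivot on. The following is an added example, not code from the Talos report or from Security Affairs: a small triage routine run over constructed EDR network-event records (process name, destination host, request URL, User-Agent, response body). It parses the same DoH JSON "Answer"/"data" fields Dohdoor parses, so the resolved C2 address can be extracted for blocking or hunting, and flags lookups that match the tradecraft the report describes. The event schema, the sample records, the hostnames and the IP addresses are assumptions; cloudflare-dns.com is Cloudflare's public DoH endpoint.

```python
"""Triage EDR network events for the DoH-based C2 pattern described in the report.

Added example; the event schema used here is an assumption, not any product's real format.
"""
import ipaddress
import json
from urllib.parse import parse_qs, urlparse

# Cloudflare's public DoH endpoint; the report says Dohdoor queries Cloudflare over port 443.
DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
# Processes the report names as hollowing targets for the decrypted payload.
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe"}
# TLDs the report associates with the campaign's infrastructure.
CAMPAIGN_TLDS = {"design", "software", "online"}


def parse_doh_answers(body: str) -> list:
    """Return A-record IPs from a DoH JSON response by reading the 'Answer'/'data' fields."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    ips = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 1:  # 1 = A record
            continue
        try:
            ips.append(str(ipaddress.ip_address(rr.get("data", ""))))
        except ValueError:
            continue  # 'data' is not an IP literal; ignore malformed entries
    return ips


def queried_name(url: str) -> str:
    """Extract the 'name' parameter of a DoH JSON-API request URL."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def is_mixed_case(label: str) -> bool:
    """True for labels such as 'DeSign' that mix upper and lower case."""
    return label != label.lower() and label != label.upper()


def triage_event(ev: dict) -> list:
    """Return the reasons an event is suspicious (an empty list means nothing matched)."""
    reasons = []
    proc = ev.get("process", "").lower()
    host = ev.get("dst_host", "").lower()
    ua = ev.get("user_agent", "")
    name = queried_name(ev.get("url", ""))
    tld = name.rsplit(".", 1)[-1] if "." in name else ""
    if host not in DOH_HOSTS:
        return reasons
    if proc in HOLLOW_TARGETS:
        reasons.append("doh_lookup_from_hollowing_target")
    if ua.startswith("curl/") and proc != "curl.exe":
        reasons.append("curl_user_agent_from_non_curl_process")
    if tld.lower() in CAMPAIGN_TLDS:
        reasons.append("campaign_associated_tld")
    if is_mixed_case(tld):
        reasons.append("mixed_case_tld")
    return reasons


def triage(events: list) -> list:
    """Return findings for suspicious events, enriched with the IPs the DoH answer resolved to."""
    findings = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            findings.append({
                "process": ev.get("process"),
                "query": queried_name(ev.get("url", "")),
                "reasons": reasons,
                "resolved": parse_doh_answers(ev.get("response_body", "")),
            })
    return findings


# Constructed sample events (RFC 5737 documentation addresses, made-up hostnames).
SAMPLE_EVENTS = [
    {"process": "OpenWith.exe", "dst_host": "cloudflare-dns.com", "dst_port": 443,
     "url": "https://cloudflare-dns.com/dns-query?name=update.example.DeSign&type=A",
     "user_agent": "curl/8.4.0",
     "response_body": '{"Status":0,"Answer":[{"name":"update.example.design","type":1,'
                      '"TTL":300,"data":"203.0.113.10"}]}'},
    {"process": "firefox.exe", "dst_host": "cloudflare-dns.com", "dst_port": 443,
     "url": "https://cloudflare-dns.com/dns-query?name=www.example.com&type=A",
     "user_agent": "Mozilla/5.0",
     "response_body": '{"Status":0,"Answer":[{"name":"www.example.com","type":1,'
                      '"TTL":60,"data":"198.51.100.7"}]}'},
    {"process": "curl.exe", "dst_host": "cloudflare-dns.com", "dst_port": 443,
     "url": "https://cloudflare-dns.com/dns-query?name=example.net&type=A",
     "user_agent": "curl/8.4.0",
     "response_body": '{"Status":0,"Answer":[]}'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the first record is flagged; the browser lookup and the genuine curl.exe lookup produce no reasons. In a real deployment the response body is only available where TLS is terminated (an inspecting proxy or an EDR hooking the HTTP client), so the process and User-Agent checks are the ones that work on plain connection telemetry.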

To evade EDR, Dohdoor locates ntdll.dll, checks NtProtectVirtualMemory for user-mode hooks, and patches the syscall stub to create a direct syscall trampoline.

“Dohdoor achieves this by locating ntdll.dll with the hash “0x28cc” and finding NtProtectVirtualMemory with the hash “0xbc46c894”,” continues the report. “Then it reads the first 32 bytes of the function using ReadProcessMemory that dynamically loads during the execution and compares them with the syscall stub pattern in hexadecimal “4C 8B D1 B8 FF 00 00 00” which corresponds to the assembly instructions “mov r10, rcx; mov eax, 0FFh”. If the byte pattern matches, it writes a 6-byte patch in hexadecimal “B8 BB 00 00 00 C3” which corresponds to assembly instruction “mov eax, 0BBh; ret”, resulting in creating a direct syscall stub that bypasses any user mode hooks.”
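The unhooking check the report describes (read the function's first bytes, compare them with the canonical syscall stub, overwrite them with mov eax, imm32; ret) can be turned around into an integrity audit: compare the prologue of each Nt* function in memory with the copy on disk and classify what is there. The following is an added example, not code from the report: it labels a prologue as an unmodified syscall stub, a jmp-style user-mode hook, or the mov/ret trampoline the report describes, extracts the immediate value, and reports where the in-memory bytes first diverge from the on-disk copy. The sample stubs are constructed: the 4C 8B D1 B8 FF 00 00 00 and B8 BB 00 00 00 C3 sequences are the ones quoted from the report, the bytes after them follow the layout of the standard x64 ntdll stub, and the immediate values are not the live system-call numbers of any particular Windows build. Obtaining the bytes from a running process is left to the caller.

```python
"""Classify ntdll function prologues and compare in-memory bytes with the on-disk copy.

Added example; sample byte strings are constructed for illustration.
"""
import struct
from typing import Optional

# Canonical x64 ntdll syscall stub prologue: mov r10, rcx (4C 8B D1); mov eax, imm32 (B8 xx xx xx xx).
SYSCALL_STUB_PREFIX = bytes.fromhex("4C8BD1B8")


def classify_prologue(prologue: bytes) -> str:
    """Label the first bytes of an Nt* function."""
    if len(prologue) < 8:
        return "too_short"
    if prologue[:4] == SYSCALL_STUB_PREFIX and prologue[6:8] == b"\x00\x00":
        return "syscall_stub"            # unmodified ntdll stub
    if prologue[0] == 0xE9 or prologue[:2] == b"\xFF\x25":
        return "jmp_hook"                # jmp rel32 / jmp [rip+disp32]: typical user-mode hook
    if prologue[0] == 0xB8 and prologue[5] == 0xC3:
        return "mov_eax_ret_trampoline"  # mov eax, imm32; ret: the patch the report describes
    return "unknown"


def immediate(prologue: bytes) -> Optional[int]:
    """Return the imm32 loaded into eax for stub-like prologues, else None."""
    kind = classify_prologue(prologue)
    if kind == "syscall_stub":
        return struct.unpack_from("<I", prologue, 4)[0]
    if kind == "mov_eax_ret_trampoline":
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def first_divergence(mem: bytes, disk: bytes) -> Optional[int]:
    """Offset of the first byte that differs between the two copies, or None if identical."""
    for i, (a, b) in enumerate(zip(mem, disk)):
        if a != b:
            return i
    return None if len(mem) == len(disk) else min(len(mem), len(disk))


def audit(functions: dict) -> list:
    """Report every function whose in-memory prologue is modified or is not a clean stub."""
    findings = []
    for name, (mem, disk) in functions.items():
        kind = classify_prologue(mem)
        offset = first_divergence(mem, disk)
        if kind == "syscall_stub" and offset is None:
            continue
        findings.append({"function": name, "kind": kind,
                         "imm": immediate(mem), "first_diff_offset": offset})
    return findings


# Constructed clean stub: the report's pattern followed by the standard
# test/jne/syscall/ret/int 2Eh/ret tail; imm32 0xFF is the report's pattern, not a real SSN.
CLEAN_STUB = bytes.fromhex("4C8BD1B8FF000000F604250803FE7F0175030F05C3CD2EC3")
# The 6-byte patch quoted in the report, written over the start of the clean stub.
PATCHED_STUB = bytes.fromhex("B8BB000000C3") + CLEAN_STUB[6:]
# A constructed jmp rel32 hook (displacement zeroed) as an EDR would install it.
HOOKED_STUB = bytes.fromhex("E900000000") + CLEAN_STUB[5:]

# Constructed snapshot: function name -> (bytes read from memory, bytes from the file on disk).
SAMPLE_FUNCTIONS = {
    "NtProtectVirtualMemory": (PATCHED_STUB, CLEAN_STUB),
    "NtAllocateVirtualMemory": (HOOKED_STUB, CLEAN_STUB),
    "NtClose": (CLEAN_STUB, CLEAN_STUB),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FUNCTIONS):
        print(finding)
```

A finding of kind mov_eax_ret_trampoline on a function that the EDR itself hooks is the signal the report's technique leaves behind: the agent's own jmp is gone and a ret-terminated stub with a hard-coded immediate sits in its place. Comparing against the on-disk image rather than a hard-coded pattern keeps the check valid across Windows builds, where the immediate changes.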

Telemetry suggests the actor likely used a Cobalt Strike Beacon as the follow-on payload.

Talos assesses with low confidence that UAT-10027 links to North Korea due to overlaps with the Lazarus Group. Dohdoor shares traits with Lazarloader, including a custom XOR-SUB routine using the 0x26 constant and NTDLL unhooking for EDR evasion. The campaign also uses DoH via Cloudflare, DLL sideloading, process hollowing, and mixed-case TLDs—tradecraft seen in Lazarus operations.

“In addition to the observed technical characteristics similarities of the tools, the use of multiple top-level domains (TLDs) including “.design”, “.software”, and “.online”, with varying case patterns, also aligns with the operational preferences of Lazarus. While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” concludes the report. “However, Talos has historically seen that North Korean APT actors have targeted the health care sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”

Pierluigi Paganini

(SecurityAffairs – hacking, UAT-10027)

Source: https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html