Security researchers have reported that digital intruders, possibly linked to North Korea, have been targeting US educational and healthcare sectors with a new backdoor malware known as Dohdoor. This campaign appears to have been active since at least December, affecting various educational institutions and a healthcare facility focused on elderly care.
Details of the Intrusion
According to Cisco Talos researcher Chetan Raghuprasad, the attackers have infected multiple educational institutions, including a university with connections to several others, suggesting a broader attack surface. The nature of the targeted organizations indicates a potential motive for financial gain.
Malware Characteristics
The campaign has been attributed to a group identified as UAT-10027, which Talos tracks with low confidence as a North Korean entity due to similarities with the Lazarus Group and other Pyongyang-affiliated groups. The attackers likely initiate access through social engineering and phishing tactics, ultimately deploying the Dohdoor backdoor.
Dohdoor operates by downloading, decrypting, and executing malicious payloads within legitimate Windows processes. This backdoor allows intruders to maintain access to compromised environments and download further payloads, such as a Cobalt Strike Beacon.
Stealth Techniques Employed
UAT-10027 employs several stealth techniques to evade detection. These include establishing command-and-control (C2) domains using Cloudflare infrastructure and utilizing DNS-over-HTTPS to obscure C2 server IP addresses. This method helps the attackers bypass DNS security measures, making outbound traffic appear as legitimate HTTPS requests.
Additionally, the malware uses a technique called process hollowing to inject its payload into legitimate Windows binaries, further avoiding detection. Talos has also noted that the backdoor employs an endpoint detection and response (EDR) bypass technique: it removes (unhooks) the user-mode hooks that EDR products place on system-call stubs in ntdll.dll, so those calls are no longer observed by the security product.
Context of the Attack
While the malware’s technical characteristics align with previous Lazarus Group activities, the focus on educational and healthcare sectors marks a deviation from their typical targets, which have included cryptocurrency and defense sectors. Recent reports indicate that Lazarus has also begun using Medusa ransomware in attacks against US healthcare organizations, highlighting the evolving nature of their operations.
As investigations continue, the full scope and implications of this campaign remain unclear, but the targeting of critical sectors raises significant concerns about cybersecurity in these domains.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.