Cisco Talos identified a new threat cluster tracked as UAT-10027 targeting U.S. education and healthcare organisations since at least December 2025. The group deploys Dohdoor, a previously undocumented 64-bit DLL loader compiled in November 2025.
Dohdoor uses DNS-over-HTTPS (DoH) via Cloudflare on port 443 for command-and-control — crafting HTTP requests to Cloudflare's DoH endpoint and parsing JSON responses to obtain C2 IP addresses. It unhooks system calls in NTDLL.dll to bypass endpoint detection and response (EDR) solutions, and can reflectively execute binaries inside legitimate Windows processes.
Talos assesses with confidence that UAT-10027 is North Korea-nexus, based on TTP overlap with the Lazarus group. The use of DoH makes network-level detection challenging — organisations should consider inspecting or proxying DNS-over-HTTPS traffic to external resolvers as a defensive measure.
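The detection point above (DoH to an external resolver hides C2 lookups from conventional DNS monitoring, so the place to see it is the web proxy or TLS-inspection layer) can be turned into a concrete check. The following is an added example, not code from Talos or from the Dohdoor analysis: it scans constructed proxy log lines (the seven-field format, the client addresses and the hostnames are assumptions) for three independent DoH indicators, namely a request to a well-known public DoH resolver, the RFC 8484 `/dns-query` path, and the `application/dns-message` or `application/dns-json` media types, and it parses a constructed JSON-API style answer of the kind Cloudflare's `dns-json` endpoint returns, which is what a loader like Dohdoor has to do to recover its C2 address and what an analyst can do with a captured response body.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample web-proxy log lines (assumed format: timestamp, client IP,
# method, host, path, request Content-Type, response Content-Type, "-" if
# absent). They are illustrative and not taken from the Talos report.
SAMPLE_PROXY_LOG = """\
2025-12-03T10:14:02Z 10.20.4.17 GET cloudflare-dns.com /dns-query?name=update.example.net&type=A - application/dns-json
2025-12-03T10:14:05Z 10.20.4.17 GET www.example.org /index.html - text/html
2025-12-03T10:15:11Z 10.20.9.2 POST dns.google /dns-query application/dns-message application/dns-message
2025-12-03T10:16:40Z 10.20.4.17 GET 1.1.1.1 /dns-query?name=update.example.net&type=A - application/dns-json
2025-12-03T10:17:01Z 10.20.7.5 GET cdn.example.com /lib.js - application/javascript
"""

# Well-known public DoH resolvers (Cloudflare and Google). Extend this set with
# any resolver your environment treats as external.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
                   "dns.google", "8.8.8.8", "8.8.4.4"}
# Media types used by DoH: the RFC 8484 wire format and the JSON API variant.
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<req_ct>\S+) (?P<resp_ct>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy log line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def doh_indicators(entry: dict) -> list:
    """Return the reasons a proxy entry looks like DNS-over-HTTPS (empty if none)."""
    reasons = []
    if entry["host"].lower() in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if urlsplit(entry["path"]).path.endswith("/dns-query"):
        reasons.append("dns-query-path")
    if entry["req_ct"] in DOH_CONTENT_TYPES or entry["resp_ct"] in DOH_CONTENT_TYPES:
        reasons.append("doh-content-type")
    return reasons


def queried_name(path: str) -> Optional[str]:
    """For JSON-API GET requests (?name=...), recover the hostname being resolved."""
    qs = parse_qs(urlsplit(path).query)
    return qs.get("name", [None])[0]


def find_doh_events(log_text: str) -> list:
    """Scan a proxy log and return one event per line carrying a DoH indicator."""
    events = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = doh_indicators(entry)
        if reasons:
            events.append({"ts": entry["ts"], "src": entry["src"],
                           "host": entry["host"], "reasons": reasons,
                           "name": queried_name(entry["path"])})
    return events


# Constructed JSON-API answer in the shape Cloudflare's dns-json endpoint
# returns. The address is a documentation range (RFC 5737), not an indicator.
SAMPLE_DOH_JSON = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "update.example.net", "type": 1}],
    "Answer": [{"name": "update.example.net", "type": 1, "TTL": 300,
                "data": "203.0.113.10"}],
})


def a_records(doh_json: str) -> list:
    """Extract A-record addresses (type 1) from a JSON-API response body."""
    body = json.loads(doh_json)
    return [rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1]


if __name__ == "__main__":
    for ev in find_doh_events(SAMPLE_PROXY_LOG):
        print(f"{ev['ts']} {ev['src']} -> {ev['host']} "
              f"[{', '.join(ev['reasons'])}] name={ev['name']}")
    print("resolved A records:", a_records(SAMPLE_DOH_JSON))
```

The three indicators are deliberately independent: a resolver list catches the common case cheaply, the path and media-type checks still fire when a loader is pointed at a resolver you have not listed, and a hit on the path or content type alone for a host outside the list is exactly the entry worth a second look. Lines that match only because of `application/dns-message` in a POST carry no hostname in the URL, so the `name` field is `None` for them; recovering the queried name there requires the request body, which is the argument for proxying or inspecting DoH rather than only logging it.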